From 10f6ab5aea81a94af751bbdbebbf49303d83879f Mon Sep 17 00:00:00 2001
From: Andreas Wellving
Date: Wed, 17 Oct 2018 15:33:02 +0200
Subject: net: CVE-2017-17712 net: ipv4: fix for a race condition in raw_sendmsg

References: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.1.y&id=d61b40939ebdc84dad77dbc78c3e26ad9d2da68b
Change-Id: I19651e5496e4eca18e96b6bd7a9d2b542e30ac91
Signed-off-by: Andreas Wellving
---
 patches/cve/4.1.x.scc | 2 +
 ...4-fix-for-a-race-condition-in-raw_sendmsg.patch | 80 ++++++++++++++++++++++
 2 files changed, 82 insertions(+)
 create mode 100644 patches/cve/CVE-2017-17712-net-ipv4-fix-for-a-race-condition-in-raw_sendmsg.patch

diff --git a/patches/cve/4.1.x.scc b/patches/cve/4.1.x.scc
index f0ed6a8..097fea5 100644
--- a/patches/cve/4.1.x.scc
+++ b/patches/cve/4.1.x.scc
@@ -38,3 +38,5 @@
 patch CVE-2016-9793-net-avoid-signed-overflows-for-SO_-SND-RCV-BUFFORCE.patch
 #fixed in 4.1.51
 patch CVE-2018-1068-netfilter-ebtables-CONFIG_COMPAT-don-t-trust-userlan.patch
+#fixed in 4.1.52
+patch CVE-2017-17712-net-ipv4-fix-for-a-race-condition-in-raw_sendmsg.patch
diff --git a/patches/cve/CVE-2017-17712-net-ipv4-fix-for-a-race-condition-in-raw_sendmsg.patch b/patches/cve/CVE-2017-17712-net-ipv4-fix-for-a-race-condition-in-raw_sendmsg.patch
new file mode 100644
index 0000000..fa13430
--- /dev/null
+++ b/patches/cve/CVE-2017-17712-net-ipv4-fix-for-a-race-condition-in-raw_sendmsg.patch
@@ -0,0 +1,80 @@
+From d61b40939ebdc84dad77dbc78c3e26ad9d2da68b Mon Sep 17 00:00:00 2001
+From: Mohamed Ghannam
+Date: Sun, 10 Dec 2017 03:50:58 +0000
+Subject: [PATCH] net: ipv4: fix for a race condition in raw_sendmsg
+
+[ Upstream commit 8f659a03a0ba9289b9aeb9b4470e6fb263d6f483 ]
+
+inet->hdrincl is racy, and could lead to uninitialized stack pointer
+usage, so its value should be read only once.
+
+Fixes: c008ba5bdc9f ("ipv4: Avoid reading user iov twice after raw_probe_proto_opt")
+
+CVE: CVE-2017-17712
+Upstream-Status: Backport
+
+Signed-off-by: Mohamed Ghannam
+Reviewed-by: Eric Dumazet
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+Signed-off-by: Andreas Wellving
+---
+ net/ipv4/raw.c | 15 ++++++++++-----
+ 1 file changed, 10 insertions(+), 5 deletions(-)
+
+diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c
+index 9a2294d..acf09ab 100644
+--- a/net/ipv4/raw.c
++++ b/net/ipv4/raw.c
+@@ -496,11 +496,16 @@ static int raw_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
+ int err;
+ struct ip_options_data opt_copy;
+ struct raw_frag_vec rfv;
++ int hdrincl;
+ 
+ err = -EMSGSIZE;
+ if (len > 0xFFFF)
+ goto out;
+ 
++ /* hdrincl should be READ_ONCE(inet->hdrincl)
++ * but READ_ONCE() doesn't work with bit fields
++ */
++ hdrincl = inet->hdrincl;
+ /*
+ * Check the flags.
+ */
+@@ -575,7 +580,7 @@ static int raw_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
+ /* Linux does not mangle headers on raw sockets,
+ * so that IP options + IP_HDRINCL is non-sense.
+ */
+- if (inet->hdrincl)
++ if (hdrincl)
+ goto done;
+ if (ipc.opt->opt.srr) {
+ if (!daddr)
+@@ -597,12 +602,12 @@ static int raw_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
+ 
+ flowi4_init_output(&fl4, ipc.oif, sk->sk_mark, tos,
+ RT_SCOPE_UNIVERSE,
+- inet->hdrincl ? IPPROTO_RAW : sk->sk_protocol,
++ hdrincl ? IPPROTO_RAW : sk->sk_protocol,
+ inet_sk_flowi_flags(sk) |
+- (inet->hdrincl ? FLOWI_FLAG_KNOWN_NH : 0),
++ (hdrincl ? FLOWI_FLAG_KNOWN_NH : 0),
+ daddr, saddr, 0, 0);
+ 
+- if (!inet->hdrincl) {
++ if (!hdrincl) {
+ rfv.msg = msg;
+ rfv.hlen = 0;
+ 
+@@ -627,7 +632,7 @@ static int raw_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
+ goto do_confirm;
+ back_from_confirm:
+ 
+- if (inet->hdrincl)
++ if (hdrincl)
+ err = raw_send_hdrinc(sk, &fl4, msg, len,
+ &rt, msg->msg_flags);
+ 
+-- 
-- 
cgit v1.2.3-54-g00ecf
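Review bot: The one-time read `hdrincl = inet->hdrincl;` added in the first inner hunk is a plain load of a non-volatile bit field, so the compiler is in principle still free to reload `inet->hdrincl` at the later uses instead of keeping the local; the new comment acknowledges that READ_ONCE() cannot be applied here, but it does not say what the single read is protecting, which is the part the next maintainer needs. Since the backport's stated hazard is use of an uninitialized stack object when the flag flips between the checks — presumably `rfv`, which the third inner hunk only fills under `if (!hdrincl)` — I would extend the comment to name it, e.g. `/* Read hdrincl exactly once: a concurrent IP_HDRINCL change between the checks below must not leave rfv unset yet used. Should be READ_ONCE(), but that does not work with bit fields. */`. The 4.1 raw_sendmsg body is only partly shown — the function starts before the first inner hunk and ends after the last — so confirm no other `inet->hdrincl` read remains in the stretches between hunks, otherwise the race is narrowed rather than closed.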