CVE-2017-6353 Possible double free in stcp_sendmsg (rhbz 1428907 1428910)

kernel-aarch64-debug.config

@@ -1688,7 +1688,7 @@ CONFIG_GPIO_PL061=y
 # CONFIG_GPIO_SCH is not set
 # CONFIG_GPIO_SX150X is not set
 # CONFIG_GPIO_SYSCON is not set
-# CONFIG_GPIO_SYSFS is not set
+CONFIG_GPIO_SYSFS=y
 CONFIG_GPIO_TEGRA=y
 # CONFIG_GPIO_TPIC2810 is not set
 # CONFIG_GPIO_TS4900 is not set

kernel-aarch64.config

@@ -1671,7 +1671,7 @@ CONFIG_GPIO_PL061=y
 # CONFIG_GPIO_SCH is not set
 # CONFIG_GPIO_SX150X is not set
 # CONFIG_GPIO_SYSCON is not set
-# CONFIG_GPIO_SYSFS is not set
+CONFIG_GPIO_SYSFS=y
 CONFIG_GPIO_TEGRA=y
 # CONFIG_GPIO_TPIC2810 is not set
 # CONFIG_GPIO_TS4900 is not set

kernel-armv7hl-debug.config

@@ -1838,7 +1838,7 @@ CONFIG_GPIO_PL061=y
 CONFIG_GPIO_STMPE=y
 # CONFIG_GPIO_SX150X is not set
 CONFIG_GPIO_SYSCON=m
-# CONFIG_GPIO_SYSFS is not set
+CONFIG_GPIO_SYSFS=y
 CONFIG_GPIO_TEGRA=y
 # CONFIG_GPIO_TPIC2810 is not set
 CONFIG_GPIO_TPS65218=m

kernel-armv7hl-lpae-debug.config

@@ -1753,7 +1753,7 @@ CONFIG_GPIO_PL061=y
 # CONFIG_GPIO_SCH is not set
 # CONFIG_GPIO_SX150X is not set
 CONFIG_GPIO_SYSCON=m
-# CONFIG_GPIO_SYSFS is not set
+CONFIG_GPIO_SYSFS=y
 CONFIG_GPIO_TEGRA=y
 # CONFIG_GPIO_TPIC2810 is not set
 CONFIG_GPIO_TPS65910=y

kernel-armv7hl-lpae.config

@@ -1737,7 +1737,7 @@ CONFIG_GPIO_PL061=y
 # CONFIG_GPIO_SCH is not set
 # CONFIG_GPIO_SX150X is not set
 CONFIG_GPIO_SYSCON=m
-# CONFIG_GPIO_SYSFS is not set
+CONFIG_GPIO_SYSFS=y
 CONFIG_GPIO_TEGRA=y
 # CONFIG_GPIO_TPIC2810 is not set
 CONFIG_GPIO_TPS65910=y

kernel-armv7hl.config

@@ -1822,7 +1822,7 @@ CONFIG_GPIO_PL061=y
 CONFIG_GPIO_STMPE=y
 # CONFIG_GPIO_SX150X is not set
 CONFIG_GPIO_SYSCON=m
-# CONFIG_GPIO_SYSFS is not set
+CONFIG_GPIO_SYSFS=y
 CONFIG_GPIO_TEGRA=y
 # CONFIG_GPIO_TPIC2810 is not set
 CONFIG_GPIO_TPS65218=m

kernel-i686-PAE.config

@@ -1580,7 +1580,7 @@ CONFIG_GPIO_SCH=m
 # CONFIG_GPIO_SODAVILLE is not set
 # CONFIG_GPIO_SX150X is not set
 # CONFIG_GPIO_SYSCON is not set
-# CONFIG_GPIO_SYSFS is not set
+CONFIG_GPIO_SYSFS=y
 # CONFIG_GPIO_TPIC2810 is not set
 # CONFIG_GPIO_TS4900 is not set
 # CONFIG_GPIO_TS5500 is not set

kernel-i686-PAEdebug.config

@@ -1597,7 +1597,7 @@ CONFIG_GPIO_SCH=m
 # CONFIG_GPIO_SODAVILLE is not set
 # CONFIG_GPIO_SX150X is not set
 # CONFIG_GPIO_SYSCON is not set
-# CONFIG_GPIO_SYSFS is not set
+CONFIG_GPIO_SYSFS=y
 # CONFIG_GPIO_TPIC2810 is not set
 # CONFIG_GPIO_TS4900 is not set
 # CONFIG_GPIO_TS5500 is not set

kernel-i686-debug.config

@@ -1597,7 +1597,7 @@ CONFIG_GPIO_SCH=m
 # CONFIG_GPIO_SODAVILLE is not set
 # CONFIG_GPIO_SX150X is not set
 # CONFIG_GPIO_SYSCON is not set
-# CONFIG_GPIO_SYSFS is not set
+CONFIG_GPIO_SYSFS=y
 # CONFIG_GPIO_TPIC2810 is not set
 # CONFIG_GPIO_TS4900 is not set
 # CONFIG_GPIO_TS5500 is not set

kernel-i686.config

@@ -1580,7 +1580,7 @@ CONFIG_GPIO_SCH=m
 # CONFIG_GPIO_SODAVILLE is not set
 # CONFIG_GPIO_SX150X is not set
 # CONFIG_GPIO_SYSCON is not set
-# CONFIG_GPIO_SYSFS is not set
+CONFIG_GPIO_SYSFS=y
 # CONFIG_GPIO_TPIC2810 is not set
 # CONFIG_GPIO_TS4900 is not set
 # CONFIG_GPIO_TS5500 is not set

kernel-ppc64-debug.config

@@ -1521,7 +1521,7 @@ CONFIG_GPIO_PCF857X=m
 # CONFIG_GPIO_SCH is not set
 # CONFIG_GPIO_SX150X is not set
 # CONFIG_GPIO_SYSCON is not set
-# CONFIG_GPIO_SYSFS is not set
+CONFIG_GPIO_SYSFS=y
 # CONFIG_GPIO_TPIC2810 is not set
 # CONFIG_GPIO_TS4900 is not set
 # CONFIG_GPIO_TS5500 is not set

kernel-ppc64.config

@@ -1504,7 +1504,7 @@ CONFIG_GPIO_PCF857X=m
 # CONFIG_GPIO_SCH is not set
 # CONFIG_GPIO_SX150X is not set
 # CONFIG_GPIO_SYSCON is not set
-# CONFIG_GPIO_SYSFS is not set
+CONFIG_GPIO_SYSFS=y
 # CONFIG_GPIO_TPIC2810 is not set
 # CONFIG_GPIO_TS4900 is not set
 # CONFIG_GPIO_TS5500 is not set

kernel-ppc64le-debug.config

@@ -1475,7 +1475,7 @@ CONFIG_GPIO_PCF857X=m
 # CONFIG_GPIO_SCH is not set
 # CONFIG_GPIO_SX150X is not set
 # CONFIG_GPIO_SYSCON is not set
-# CONFIG_GPIO_SYSFS is not set
+CONFIG_GPIO_SYSFS=y
 # CONFIG_GPIO_TPIC2810 is not set
 # CONFIG_GPIO_TS4900 is not set
 # CONFIG_GPIO_TS5500 is not set

kernel-ppc64le.config

@@ -1458,7 +1458,7 @@ CONFIG_GPIO_PCF857X=m
 # CONFIG_GPIO_SCH is not set
 # CONFIG_GPIO_SX150X is not set
 # CONFIG_GPIO_SYSCON is not set
-# CONFIG_GPIO_SYSFS is not set
+CONFIG_GPIO_SYSFS=y
 # CONFIG_GPIO_TPIC2810 is not set
 # CONFIG_GPIO_TS4900 is not set
 # CONFIG_GPIO_TS5500 is not set

kernel-ppc64p7-debug.config

@@ -1474,7 +1474,7 @@ CONFIG_GPIO_PCF857X=m
 # CONFIG_GPIO_SCH is not set
 # CONFIG_GPIO_SX150X is not set
 # CONFIG_GPIO_SYSCON is not set
-# CONFIG_GPIO_SYSFS is not set
+CONFIG_GPIO_SYSFS=y
 # CONFIG_GPIO_TPIC2810 is not set
 # CONFIG_GPIO_TS4900 is not set
 # CONFIG_GPIO_TS5500 is not set

kernel-ppc64p7.config

@@ -1457,7 +1457,7 @@ CONFIG_GPIO_PCF857X=m
 # CONFIG_GPIO_SCH is not set
 # CONFIG_GPIO_SX150X is not set
 # CONFIG_GPIO_SYSCON is not set
-# CONFIG_GPIO_SYSFS is not set
+CONFIG_GPIO_SYSFS=y
 # CONFIG_GPIO_TPIC2810 is not set
 # CONFIG_GPIO_TS4900 is not set
 # CONFIG_GPIO_TS5500 is not set

kernel-s390x-debug.config

@@ -1448,7 +1448,7 @@ CONFIG_GPIOLIB=y
 # CONFIG_GPIO_SCH is not set
 # CONFIG_GPIO_SX150X is not set
 # CONFIG_GPIO_SYSCON is not set
-# CONFIG_GPIO_SYSFS is not set
+CONFIG_GPIO_SYSFS=y
 # CONFIG_GPIO_TPIC2810 is not set
 # CONFIG_GPIO_TS4900 is not set
 # CONFIG_GPIO_TS5500 is not set

kernel-s390x.config

@@ -1431,7 +1431,7 @@ CONFIG_GPIOLIB=y
 # CONFIG_GPIO_SCH is not set
 # CONFIG_GPIO_SX150X is not set
 # CONFIG_GPIO_SYSCON is not set
-# CONFIG_GPIO_SYSFS is not set
+CONFIG_GPIO_SYSFS=y
 # CONFIG_GPIO_TPIC2810 is not set
 # CONFIG_GPIO_TS4900 is not set
 # CONFIG_GPIO_TS5500 is not set

kernel-x86_64-debug.config

@@ -1623,7 +1623,7 @@ CONFIG_GPIOLIB=y
 # CONFIG_GPIO_SCH is not set
 # CONFIG_GPIO_SX150X is not set
 # CONFIG_GPIO_SYSCON is not set
-# CONFIG_GPIO_SYSFS is not set
+CONFIG_GPIO_SYSFS=y
 # CONFIG_GPIO_TPIC2810 is not set
 # CONFIG_GPIO_TS4900 is not set
 # CONFIG_GPIO_TS5500 is not set

kernel-x86_64.config

@@ -1606,7 +1606,7 @@ CONFIG_GPIOLIB=y
 # CONFIG_GPIO_SCH is not set
 # CONFIG_GPIO_SX150X is not set
 # CONFIG_GPIO_SYSCON is not set
-# CONFIG_GPIO_SYSFS is not set
+CONFIG_GPIO_SYSFS=y
 # CONFIG_GPIO_TPIC2810 is not set
 # CONFIG_GPIO_TS4900 is not set
 # CONFIG_GPIO_TS5500 is not set

kernel.spec

@@ -612,6 +612,9 @@ Patch853: 0001-Work-around-for-gcc7-and-arm64.patch
 #CVE-2017-2596 rhbz 1417812 1417813
 Patch854: kvm-fix-page-struct-leak-in-handle_vmon.patch
 
+#CVE-2017-6353 rhbz 1428907 1428910
+Patch855: sctp-deny-peeloff-operation-on-asocs-with-threads-sl.patch
+
 # END OF PATCH DEFINITIONS
 
 %endif
@@ -2181,6 +2184,9 @@ fi
 #
 #
 %changelog
+* Mon Mar  6 2017 Justin M. Forbes <jforbes@fedoraproject.org>
+- CVE-2017-6353 Possible double free in stcp_sendmsg (rhbz 1428907 1428910)
+
 * Wed Mar  1 2017 Peter Robinson <pbrobinson@fedoraproject.org>
 - Add patch to fix desktop lockups on RPi (vc4) RHBZ# 1389163
 - Minor config cleanups

sctp-deny-peeloff-operation-on-asocs-with-threads-sl.patch

@@ -0,0 +1,66 @@
+From dfcb9f4f99f1e9a49e43398a7bfbf56927544af1 Mon Sep 17 00:00:00 2001
+From: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Date: Thu, 23 Feb 2017 09:31:18 -0300
+Subject: [PATCH] sctp: deny peeloff operation on asocs with threads sleeping
+ on it
+
+commit 2dcab5984841 ("sctp: avoid BUG_ON on sctp_wait_for_sndbuf")
+attempted to avoid a BUG_ON call when the association being used for a
+sendmsg() is blocked waiting for more sndbuf and another thread did a
+peeloff operation on such asoc, moving it to another socket.
+
+As Ben Hutchings noticed, then in such case it would return without
+locking back the socket and would cause two unlocks in a row.
+
+Further analysis also revealed that it could allow a double free if the
+application managed to peeloff the asoc that is created during the
+sendmsg call, because then sctp_sendmsg() would try to free the asoc
+that was created only for that call.
+
+This patch takes another approach. It will deny the peeloff operation
+if there is a thread sleeping on the asoc, so this situation doesn't
+exist anymore. This avoids the issues described above and also honors
+the syscalls that are already being handled (it can be multiple sendmsg
+calls).
+
+Joint work with Xin Long.
+
+Fixes: 2dcab5984841 ("sctp: avoid BUG_ON on sctp_wait_for_sndbuf")
+Cc: Alexander Popov <alex.popov@linux.com>
+Cc: Ben Hutchings <ben@decadent.org.uk>
+Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+ net/sctp/socket.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/net/sctp/socket.c b/net/sctp/socket.c
+index b532148..465a9c8 100644
+--- a/net/sctp/socket.c
++++ b/net/sctp/socket.c
+@@ -4862,6 +4862,12 @@ int sctp_do_peeloff(struct sock *sk, sctp_assoc_t id, struct socket **sockp)
+ 	if (!asoc)
+ 		return -EINVAL;
+
++	/* If there is a thread waiting on more sndbuf space for
++	 * sending on this asoc, it cannot be peeled.
++	 */
++	if (waitqueue_active(&asoc->wait))
++		return -EBUSY;
++
+ 	/* An association cannot be branched off from an already peeled-off
+ 	 * socket, nor is this supported for tcp style sockets.
+ 	 */
+@@ -7599,8 +7605,6 @@ static int sctp_wait_for_sndbuf(struct sctp_association *asoc, long *timeo_p,
+ 		 */
+ 		release_sock(sk);
+ 		current_timeo = schedule_timeout(current_timeo);
+-		if (sk != asoc->base.sk)
+-			goto do_error;
+ 		lock_sock(sk);
+
+ 		*timeo_p = current_timeo;
+-- 
+2.9.3
+