From ff3f49e499f685591d36072d31f3245d8427a286 Mon Sep 17 00:00:00 2001
From: "Justin M. Forbes"
Date: Mon, 6 Mar 2017 10:08:53 -0600
Subject: [PATCH] CVE-2017-6353 Possible double free in stcp_sendmsg (rhbz 1428907 1428910)

---
 kernel-aarch64-debug.config | 2 +-
 kernel-aarch64.config | 2 +-
 kernel-armv7hl-debug.config | 2 +-
 kernel-armv7hl-lpae-debug.config | 2 +-
 kernel-armv7hl-lpae.config | 2 +-
 kernel-armv7hl.config | 2 +-
 kernel-i686-PAE.config | 2 +-
 kernel-i686-PAEdebug.config | 2 +-
 kernel-i686-debug.config | 2 +-
 kernel-i686.config | 2 +-
 kernel-ppc64-debug.config | 2 +-
 kernel-ppc64.config | 2 +-
 kernel-ppc64le-debug.config | 2 +-
 kernel-ppc64le.config | 2 +-
 kernel-ppc64p7-debug.config | 2 +-
 kernel-ppc64p7.config | 2 +-
 kernel-s390x-debug.config | 2 +-
 kernel-s390x.config | 2 +-
 kernel-x86_64-debug.config | 2 +-
 kernel-x86_64.config | 2 +-
 kernel.spec | 6 ++
 ...f-operation-on-asocs-with-threads-sl.patch | 66 +++++++++++++++++++
 22 files changed, 92 insertions(+), 20 deletions(-)
 create mode 100644 sctp-deny-peeloff-operation-on-asocs-with-threads-sl.patch

diff --git a/kernel-aarch64-debug.config b/kernel-aarch64-debug.config
index 17570d6e8..edd165525 100644
--- a/kernel-aarch64-debug.config
+++ b/kernel-aarch64-debug.config
@@ -1688,7 +1688,7 @@ CONFIG_GPIO_PL061=y
 # CONFIG_GPIO_SCH is not set
 # CONFIG_GPIO_SX150X is not set
 # CONFIG_GPIO_SYSCON is not set
-# CONFIG_GPIO_SYSFS is not set
+CONFIG_GPIO_SYSFS=y
 CONFIG_GPIO_TEGRA=y
 # CONFIG_GPIO_TPIC2810 is not set
 # CONFIG_GPIO_TS4900 is not set
diff --git a/kernel-aarch64.config b/kernel-aarch64.config
index 4f08f50e0..99868582c 100644
--- a/kernel-aarch64.config
+++ b/kernel-aarch64.config
@@ -1671,7 +1671,7 @@ CONFIG_GPIO_PL061=y
 # CONFIG_GPIO_SCH is not set
 # CONFIG_GPIO_SX150X is not set
 # CONFIG_GPIO_SYSCON is not set
-# CONFIG_GPIO_SYSFS is not set
+CONFIG_GPIO_SYSFS=y
 CONFIG_GPIO_TEGRA=y
 # CONFIG_GPIO_TPIC2810 is not set
 # CONFIG_GPIO_TS4900 is not set
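Review bot: The kernel-aarch64-debug.config hunk flips CONFIG_GPIO_SYSFS from unset to `CONFIG_GPIO_SYSFS=y`, which has nothing to do with the CVE-2017-6353 SCTP fix this commit is titled for and is not mentioned in the kernel.spec changelog entry; the identical flip is made in every other kernel-*.config hunk of this commit (aarch64 through x86_64). Turning on the GPIO sysfs interface exposes an additional userspace-facing kernel interface, so it should be visible in history as a deliberate, separately explained change rather than folded into a security backport. Either split it into its own commit or add a changelog line such as `- Enable CONFIG_GPIO_SYSFS` so the package history records why the configs changed.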
diff --git a/kernel-armv7hl-debug.config b/kernel-armv7hl-debug.config
index 43acaf70d..cf16a6793 100644
--- a/kernel-armv7hl-debug.config
+++ b/kernel-armv7hl-debug.config
@@ -1838,7 +1838,7 @@ CONFIG_GPIO_PL061=y
 CONFIG_GPIO_STMPE=y
 # CONFIG_GPIO_SX150X is not set
 CONFIG_GPIO_SYSCON=m
-# CONFIG_GPIO_SYSFS is not set
+CONFIG_GPIO_SYSFS=y
 CONFIG_GPIO_TEGRA=y
 # CONFIG_GPIO_TPIC2810 is not set
 CONFIG_GPIO_TPS65218=m
diff --git a/kernel-armv7hl-lpae-debug.config b/kernel-armv7hl-lpae-debug.config
index 1189cd87d..1866b1638 100644
--- a/kernel-armv7hl-lpae-debug.config
+++ b/kernel-armv7hl-lpae-debug.config
@@ -1753,7 +1753,7 @@ CONFIG_GPIO_PL061=y
 # CONFIG_GPIO_SCH is not set
 # CONFIG_GPIO_SX150X is not set
 CONFIG_GPIO_SYSCON=m
-# CONFIG_GPIO_SYSFS is not set
+CONFIG_GPIO_SYSFS=y
 CONFIG_GPIO_TEGRA=y
 # CONFIG_GPIO_TPIC2810 is not set
 CONFIG_GPIO_TPS65910=y
diff --git a/kernel-armv7hl-lpae.config b/kernel-armv7hl-lpae.config
index ade1672ff..8ee9feedf 100644
--- a/kernel-armv7hl-lpae.config
+++ b/kernel-armv7hl-lpae.config
@@ -1737,7 +1737,7 @@ CONFIG_GPIO_PL061=y
 # CONFIG_GPIO_SCH is not set
 # CONFIG_GPIO_SX150X is not set
 CONFIG_GPIO_SYSCON=m
-# CONFIG_GPIO_SYSFS is not set
+CONFIG_GPIO_SYSFS=y
 CONFIG_GPIO_TEGRA=y
 # CONFIG_GPIO_TPIC2810 is not set
 CONFIG_GPIO_TPS65910=y
diff --git a/kernel-armv7hl.config b/kernel-armv7hl.config
index 14e0d26b1..51af64def 100644
--- a/kernel-armv7hl.config
+++ b/kernel-armv7hl.config
@@ -1822,7 +1822,7 @@ CONFIG_GPIO_PL061=y
 CONFIG_GPIO_STMPE=y
 # CONFIG_GPIO_SX150X is not set
 CONFIG_GPIO_SYSCON=m
-# CONFIG_GPIO_SYSFS is not set
+CONFIG_GPIO_SYSFS=y
 CONFIG_GPIO_TEGRA=y
 # CONFIG_GPIO_TPIC2810 is not set
 CONFIG_GPIO_TPS65218=m
diff --git a/kernel-i686-PAE.config b/kernel-i686-PAE.config
index d2f61e083..18df8a891 100644
--- a/kernel-i686-PAE.config
+++ b/kernel-i686-PAE.config
@@ -1580,7 +1580,7 @@ CONFIG_GPIO_SCH=m
 # CONFIG_GPIO_SODAVILLE is not set
 # CONFIG_GPIO_SX150X is not set
 # CONFIG_GPIO_SYSCON is not set
-# CONFIG_GPIO_SYSFS is not set
+CONFIG_GPIO_SYSFS=y
 # CONFIG_GPIO_TPIC2810 is not set
 # CONFIG_GPIO_TS4900 is not set
 # CONFIG_GPIO_TS5500 is not set
diff --git a/kernel-i686-PAEdebug.config b/kernel-i686-PAEdebug.config
index 54b713844..e9ed6473a 100644
--- a/kernel-i686-PAEdebug.config
+++ b/kernel-i686-PAEdebug.config
@@ -1597,7 +1597,7 @@ CONFIG_GPIO_SCH=m
 # CONFIG_GPIO_SODAVILLE is not set
 # CONFIG_GPIO_SX150X is not set
 # CONFIG_GPIO_SYSCON is not set
-# CONFIG_GPIO_SYSFS is not set
+CONFIG_GPIO_SYSFS=y
 # CONFIG_GPIO_TPIC2810 is not set
 # CONFIG_GPIO_TS4900 is not set
 # CONFIG_GPIO_TS5500 is not set
diff --git a/kernel-i686-debug.config b/kernel-i686-debug.config
index b1e2edb77..256ae71cc 100644
--- a/kernel-i686-debug.config
+++ b/kernel-i686-debug.config
@@ -1597,7 +1597,7 @@ CONFIG_GPIO_SCH=m
 # CONFIG_GPIO_SODAVILLE is not set
 # CONFIG_GPIO_SX150X is not set
 # CONFIG_GPIO_SYSCON is not set
-# CONFIG_GPIO_SYSFS is not set
+CONFIG_GPIO_SYSFS=y
 # CONFIG_GPIO_TPIC2810 is not set
 # CONFIG_GPIO_TS4900 is not set
 # CONFIG_GPIO_TS5500 is not set
diff --git a/kernel-i686.config b/kernel-i686.config
index e245fe93b..4179071a8 100644
--- a/kernel-i686.config
+++ b/kernel-i686.config
@@ -1580,7 +1580,7 @@ CONFIG_GPIO_SCH=m
 # CONFIG_GPIO_SODAVILLE is not set
 # CONFIG_GPIO_SX150X is not set
 # CONFIG_GPIO_SYSCON is not set
-# CONFIG_GPIO_SYSFS is not set
+CONFIG_GPIO_SYSFS=y
 # CONFIG_GPIO_TPIC2810 is not set
 # CONFIG_GPIO_TS4900 is not set
 # CONFIG_GPIO_TS5500 is not set
diff --git a/kernel-ppc64-debug.config b/kernel-ppc64-debug.config
index 8478ae12b..026ffc2bd 100644
--- a/kernel-ppc64-debug.config
+++ b/kernel-ppc64-debug.config
@@ -1521,7 +1521,7 @@ CONFIG_GPIO_PCF857X=m
 # CONFIG_GPIO_SCH is not set
 # CONFIG_GPIO_SX150X is not set
 # CONFIG_GPIO_SYSCON is not set
-# CONFIG_GPIO_SYSFS is not set
+CONFIG_GPIO_SYSFS=y
 # CONFIG_GPIO_TPIC2810 is not set
 # CONFIG_GPIO_TS4900 is not set
 # CONFIG_GPIO_TS5500 is not set
diff --git a/kernel-ppc64.config b/kernel-ppc64.config
index 00cd43beb..69c5f3d8c 100644
--- a/kernel-ppc64.config
+++ b/kernel-ppc64.config
@@ -1504,7 +1504,7 @@ CONFIG_GPIO_PCF857X=m
 # CONFIG_GPIO_SCH is not set
 # CONFIG_GPIO_SX150X is not set
 # CONFIG_GPIO_SYSCON is not set
-# CONFIG_GPIO_SYSFS is not set
+CONFIG_GPIO_SYSFS=y
 # CONFIG_GPIO_TPIC2810 is not set
 # CONFIG_GPIO_TS4900 is not set
 # CONFIG_GPIO_TS5500 is not set
diff --git a/kernel-ppc64le-debug.config b/kernel-ppc64le-debug.config
index 15d615bb6..59393dcba 100644
--- a/kernel-ppc64le-debug.config
+++ b/kernel-ppc64le-debug.config
@@ -1475,7 +1475,7 @@ CONFIG_GPIO_PCF857X=m
 # CONFIG_GPIO_SCH is not set
 # CONFIG_GPIO_SX150X is not set
 # CONFIG_GPIO_SYSCON is not set
-# CONFIG_GPIO_SYSFS is not set
+CONFIG_GPIO_SYSFS=y
 # CONFIG_GPIO_TPIC2810 is not set
 # CONFIG_GPIO_TS4900 is not set
 # CONFIG_GPIO_TS5500 is not set
diff --git a/kernel-ppc64le.config b/kernel-ppc64le.config
index eb3430ad5..793914ca6 100644
--- a/kernel-ppc64le.config
+++ b/kernel-ppc64le.config
@@ -1458,7 +1458,7 @@ CONFIG_GPIO_PCF857X=m
 # CONFIG_GPIO_SCH is not set
 # CONFIG_GPIO_SX150X is not set
 # CONFIG_GPIO_SYSCON is not set
-# CONFIG_GPIO_SYSFS is not set
+CONFIG_GPIO_SYSFS=y
 # CONFIG_GPIO_TPIC2810 is not set
 # CONFIG_GPIO_TS4900 is not set
 # CONFIG_GPIO_TS5500 is not set
diff --git a/kernel-ppc64p7-debug.config b/kernel-ppc64p7-debug.config
index 2e8be14bf..66f831cb8 100644
--- a/kernel-ppc64p7-debug.config
+++ b/kernel-ppc64p7-debug.config
@@ -1474,7 +1474,7 @@ CONFIG_GPIO_PCF857X=m
 # CONFIG_GPIO_SCH is not set
 # CONFIG_GPIO_SX150X is not set
 # CONFIG_GPIO_SYSCON is not set
-# CONFIG_GPIO_SYSFS is not set
+CONFIG_GPIO_SYSFS=y
 # CONFIG_GPIO_TPIC2810 is not set
 # CONFIG_GPIO_TS4900 is not set
 # CONFIG_GPIO_TS5500 is not set
diff --git a/kernel-ppc64p7.config b/kernel-ppc64p7.config
index ef54bb91a..c5ed24d48 100644
--- a/kernel-ppc64p7.config
+++ b/kernel-ppc64p7.config
@@ -1457,7 +1457,7 @@ CONFIG_GPIO_PCF857X=m
 # CONFIG_GPIO_SCH is not set
 # CONFIG_GPIO_SX150X is not set
 # CONFIG_GPIO_SYSCON is not set
-# CONFIG_GPIO_SYSFS is not set
+CONFIG_GPIO_SYSFS=y
 # CONFIG_GPIO_TPIC2810 is not set
 # CONFIG_GPIO_TS4900 is not set
 # CONFIG_GPIO_TS5500 is not set
diff --git a/kernel-s390x-debug.config b/kernel-s390x-debug.config
index 56c2d2f2e..773f0b4ef 100644
--- a/kernel-s390x-debug.config
+++ b/kernel-s390x-debug.config
@@ -1448,7 +1448,7 @@ CONFIG_GPIOLIB=y
 # CONFIG_GPIO_SCH is not set
 # CONFIG_GPIO_SX150X is not set
 # CONFIG_GPIO_SYSCON is not set
-# CONFIG_GPIO_SYSFS is not set
+CONFIG_GPIO_SYSFS=y
 # CONFIG_GPIO_TPIC2810 is not set
 # CONFIG_GPIO_TS4900 is not set
 # CONFIG_GPIO_TS5500 is not set
diff --git a/kernel-s390x.config b/kernel-s390x.config
index ce053530e..a46da965f 100644
--- a/kernel-s390x.config
+++ b/kernel-s390x.config
@@ -1431,7 +1431,7 @@ CONFIG_GPIOLIB=y
 # CONFIG_GPIO_SCH is not set
 # CONFIG_GPIO_SX150X is not set
 # CONFIG_GPIO_SYSCON is not set
-# CONFIG_GPIO_SYSFS is not set
+CONFIG_GPIO_SYSFS=y
 # CONFIG_GPIO_TPIC2810 is not set
 # CONFIG_GPIO_TS4900 is not set
 # CONFIG_GPIO_TS5500 is not set
diff --git a/kernel-x86_64-debug.config b/kernel-x86_64-debug.config
index 27449efd2..6aebebd8f 100644
--- a/kernel-x86_64-debug.config
+++ b/kernel-x86_64-debug.config
@@ -1623,7 +1623,7 @@ CONFIG_GPIOLIB=y
 # CONFIG_GPIO_SCH is not set
 # CONFIG_GPIO_SX150X is not set
 # CONFIG_GPIO_SYSCON is not set
-# CONFIG_GPIO_SYSFS is not set
+CONFIG_GPIO_SYSFS=y
 # CONFIG_GPIO_TPIC2810 is not set
 # CONFIG_GPIO_TS4900 is not set
 # CONFIG_GPIO_TS5500 is not set
diff --git a/kernel-x86_64.config b/kernel-x86_64.config
index 4fb2d12c3..c83d20f4c 100644
--- a/kernel-x86_64.config
+++ b/kernel-x86_64.config
@@ -1606,7 +1606,7 @@ CONFIG_GPIOLIB=y
 # CONFIG_GPIO_SCH is not set
 # CONFIG_GPIO_SX150X is not set
 # CONFIG_GPIO_SYSCON is not set
-# CONFIG_GPIO_SYSFS is not set
+CONFIG_GPIO_SYSFS=y
 # CONFIG_GPIO_TPIC2810 is not set
 # CONFIG_GPIO_TS4900 is not set
 # CONFIG_GPIO_TS5500 is not set
diff --git a/kernel.spec b/kernel.spec
index a61769c65..24d2d5b1f 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -612,6 +612,9 @@ Patch853: 0001-Work-around-for-gcc7-and-arm64.patch
 #CVE-2017-2596 rhbz 1417812 1417813
 Patch854: kvm-fix-page-struct-leak-in-handle_vmon.patch
 
+#CVE-2017-6353 rhbz 1428907 1428910
+Patch855: sctp-deny-peeloff-operation-on-asocs-with-threads-sl.patch
+
 # END OF PATCH DEFINITIONS
 
 %endif
@@ -2181,6 +2184,9 @@ fi
 #
 #
 %changelog
+* Mon Mar 6 2017 Justin M. Forbes
+- CVE-2017-6353 Possible double free in stcp_sendmsg (rhbz 1428907 1428910)
+
 * Wed Mar 1 2017 Peter Robinson
 - Add patch to fix desktop lockups on RPi (vc4) RHBZ# 1389163
 - Minor config cleanups
diff --git a/sctp-deny-peeloff-operation-on-asocs-with-threads-sl.patch b/sctp-deny-peeloff-operation-on-asocs-with-threads-sl.patch
new file mode 100644
index 000000000..47f586ace
--- /dev/null
+++ b/sctp-deny-peeloff-operation-on-asocs-with-threads-sl.patch
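Review bot: The changelog entry added in the second kernel.spec hunk spells the affected function `stcp_sendmsg`; the bundled patch's own description names sctp_sendmsg(), so the line should read `- CVE-2017-6353 Possible double free in sctp_sendmsg (rhbz 1428907 1428910)` (the commit subject carries the same transposition). Anyone auditing package history for fixes to that function by name will miss this entry otherwise. The Patch855 definition in the first hunk follows the Patch854 pattern above it; whether anything further is needed for it to be applied is outside this hunk.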
@@ -0,0 +1,66 @@
+From dfcb9f4f99f1e9a49e43398a7bfbf56927544af1 Mon Sep 17 00:00:00 2001
+From: Marcelo Ricardo Leitner
+Date: Thu, 23 Feb 2017 09:31:18 -0300
+Subject: [PATCH] sctp: deny peeloff operation on asocs with threads sleeping
+ on it
+
+commit 2dcab5984841 ("sctp: avoid BUG_ON on sctp_wait_for_sndbuf")
+attempted to avoid a BUG_ON call when the association being used for a
+sendmsg() is blocked waiting for more sndbuf and another thread did a
+peeloff operation on such asoc, moving it to another socket.
+
+As Ben Hutchings noticed, then in such case it would return without
+locking back the socket and would cause two unlocks in a row.
+
+Further analysis also revealed that it could allow a double free if the
+application managed to peeloff the asoc that is created during the
+sendmsg call, because then sctp_sendmsg() would try to free the asoc
+that was created only for that call.
+
+This patch takes another approach. It will deny the peeloff operation
+if there is a thread sleeping on the asoc, so this situation doesn't
+exist anymore. This avoids the issues described above and also honors
+the syscalls that are already being handled (it can be multiple sendmsg
+calls).
+
+Joint work with Xin Long.
+
+Fixes: 2dcab5984841 ("sctp: avoid BUG_ON on sctp_wait_for_sndbuf")
+Cc: Alexander Popov
+Cc: Ben Hutchings
+Signed-off-by: Marcelo Ricardo Leitner
+Signed-off-by: Xin Long
+Signed-off-by: David S. Miller
+---
+ net/sctp/socket.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/net/sctp/socket.c b/net/sctp/socket.c
+index b532148..465a9c8 100644
+--- a/net/sctp/socket.c
++++ b/net/sctp/socket.c
+@@ -4862,6 +4862,12 @@ int sctp_do_peeloff(struct sock *sk, sctp_assoc_t id, struct socket **sockp)
+ 	if (!asoc)
+ 		return -EINVAL;
+ 
++	/* If there is a thread waiting on more sndbuf space for
++	 * sending on this asoc, it cannot be peeled.
++	 */
++	if (waitqueue_active(&asoc->wait))
++		return -EBUSY;
++
+ 	/* An association cannot be branched off from an already peeled-off
+ 	 * socket, nor is this supported for tcp style sockets.
+ 	 */
+@@ -7599,8 +7605,6 @@ static int sctp_wait_for_sndbuf(struct sctp_association *asoc, long *timeo_p,
+ 	 */
+ 	release_sock(sk);
+ 	current_timeo = schedule_timeout(current_timeo);
+-	if (sk != asoc->base.sk)
+-		goto do_error;
+ 	lock_sock(sk);
+ 
+ 	*timeo_p = current_timeo;
+-- 
+2.9.3
+
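Review bot: The new `waitqueue_active(&asoc->wait)` test in sctp_do_peeloff does not state what serializes it against the waiter enqueuing itself in sctp_wait_for_sndbuf; waitqueue_active() without a memory barrier is only reliable when the enqueue and the test run under the same lock, which here is presumably the socket lock, since the waiter calls release_sock(sk) only immediately before schedule_timeout() — confirm against the callers, as neither function's body is fully inside the hunk (both start and end outside it). I would extend the added comment to record that dependency, e.g. `* sending on this asoc, it cannot be peeled. Checking the queue without a barrier is only safe because both sides hold the socket lock.`. Dropping the `sk != asoc->base.sk` check in the second hunk is consistent with peeloff now being refused while a sender sleeps, but -EBUSY is a new userspace-visible result from the peeloff path that is not documented anywhere in this patch and should be noted for the peeloff API documentation.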