diff options
author | Justin M. Forbes <jforbes@fedoraproject.org> | 2018-06-12 16:31:22 -0500 |
---|---|---|
committer | Justin M. Forbes <jforbes@fedoraproject.org> | 2018-06-12 16:31:22 -0500 |
commit | 2e31e00e00517710286059ae3007f8f500b5ebe9 (patch) | |
tree | 32a5152d33c4c4676d76cc39a147f9a88eb056e5 | |
parent | bb5d6efcd49d17072862662f4b6e80a89b4f8d63 (diff) | |
download | kernel-2e31e00e00517710286059ae3007f8f500b5ebe9.tar.gz kernel-2e31e00e00517710286059ae3007f8f500b5ebe9.tar.xz kernel-2e31e00e00517710286059ae3007f8f500b5ebe9.zip |
Fix CVE-2018-12232 (rhbz 1590215 1590216)
-rw-r--r-- | 0001-socket-close-race-condition-between-sock_close-and-s.patch | 91 | ||||
-rw-r--r-- | kernel.spec | 4 |
2 files changed, 95 insertions, 0 deletions
diff --git a/0001-socket-close-race-condition-between-sock_close-and-s.patch b/0001-socket-close-race-condition-between-sock_close-and-s.patch new file mode 100644 index 000000000..90f52fc3f --- /dev/null +++ b/0001-socket-close-race-condition-between-sock_close-and-s.patch @@ -0,0 +1,91 @@ +From 6d8c50dcb029872b298eea68cc6209c866fd3e14 Mon Sep 17 00:00:00 2001 +From: Cong Wang <xiyou.wangcong@gmail.com> +Date: Thu, 7 Jun 2018 13:39:49 -0700 +Subject: [PATCH] socket: close race condition between sock_close() and + sockfs_setattr() + +fchownat() doesn't even hold refcnt of fd until it figures out +fd is really needed (otherwise is ignored) and releases it after +it resolves the path. This means sock_close() could race with +sockfs_setattr(), which leads to a NULL pointer dereference +since typically we set sock->sk to NULL in ->release(). + +As pointed out by Al, this is unique to sockfs. So we can fix this +in socket layer by acquiring inode_lock in sock_close() and +checking against NULL in sockfs_setattr(). + +sock_release() is called in many places, only the sock_close() +path matters here. And fortunately, this should not affect normal +sock_close() as it is only called when the last fd refcnt is gone. +It only affects sock_close() with a parallel sockfs_setattr() in +progress, which is not common. + +Fixes: 86741ec25462 ("net: core: Add a UID field to struct sock.") +Reported-by: shankarapailoor <shankarapailoor@gmail.com> +Cc: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp> +Cc: Lorenzo Colitti <lorenzo@google.com> +Cc: Al Viro <viro@zeniv.linux.org.uk> +Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +--- + net/socket.c | 18 +++++++++++++++--- + 1 file changed, 15 insertions(+), 3 deletions(-) + +diff --git a/net/socket.c b/net/socket.c +index af57d85bcb48..8a109012608a 100644 +--- a/net/socket.c ++++ b/net/socket.c +@@ -541,7 +541,10 @@ static int sockfs_setattr(struct dentry *dentry, struct iattr *iattr) + if (!err && (iattr->ia_valid & ATTR_UID)) { + struct socket *sock = SOCKET_I(d_inode(dentry)); + +- sock->sk->sk_uid = iattr->ia_uid; ++ if (sock->sk) ++ sock->sk->sk_uid = iattr->ia_uid; ++ else ++ err = -ENOENT; + } + + return err; +@@ -590,12 +593,16 @@ EXPORT_SYMBOL(sock_alloc); + * an inode not a file. + */ + +-void sock_release(struct socket *sock) ++static void __sock_release(struct socket *sock, struct inode *inode) + { + if (sock->ops) { + struct module *owner = sock->ops->owner; + ++ if (inode) ++ inode_lock(inode); + sock->ops->release(sock); ++ if (inode) ++ inode_unlock(inode); + sock->ops = NULL; + module_put(owner); + } +@@ -609,6 +616,11 @@ void sock_release(struct socket *sock) + } + sock->file = NULL; + } ++ ++void sock_release(struct socket *sock) ++{ ++ __sock_release(sock, NULL); ++} + EXPORT_SYMBOL(sock_release); + + void __sock_tx_timestamp(__u16 tsflags, __u8 *tx_flags) +@@ -1171,7 +1183,7 @@ static int sock_mmap(struct file *file, struct vm_area_struct *vma) + + static int sock_close(struct inode *inode, struct file *filp) + { +- sock_release(SOCKET_I(inode)); ++ __sock_release(SOCKET_I(inode), inode); + return 0; + } + +-- +2.17.1 + diff --git a/kernel.spec b/kernel.spec index 13fb1f66d..081f52fcc 100644 --- a/kernel.spec +++ b/kernel.spec @@ -631,6 +631,9 @@ Patch504: mailbox-ACPI-erroneous-error-message-when-parsing-ACPI.patch # CVE-2018-10853 rhbz 1589890 1589892 Patch505: kvm-x86-Check-CPL-in-segmented_write_std.patch +# CVE-2018-12232 rhbz 1590215 1590216 +Patch506: 0001-socket-close-race-condition-between-sock_close-and-s.patch + # END OF PATCH DEFINITIONS %endif @@ -1868,6 +1871,7 @@ fi %changelog * Tue Jun 12 2018 Justin M. Forbes <jforbes@fedoraproject.org> - 4.17.1-200 - Linux v4.17.1 +- Fix CVE-2018-12232 (rhbz 1590215 1590216) * Mon Jun 11 2018 Justin M. Forbes <jforbes@fedoraproject.org> - Fix CVE-2018-10853 (rhbz 1589890 1589892) |