authorJustin M. Forbes <jforbes@fedoraproject.org>2018-06-12 16:31:22 -0500
committerJustin M. Forbes <jforbes@fedoraproject.org>2018-06-12 16:31:22 -0500
commit2e31e00e00517710286059ae3007f8f500b5ebe9 (patch)
tree32a5152d33c4c4676d76cc39a147f9a88eb056e5
parentbb5d6efcd49d17072862662f4b6e80a89b4f8d63 (diff)
Fix CVE-2018-12232 (rhbz 1590215 1590216)
-rw-r--r--0001-socket-close-race-condition-between-sock_close-and-s.patch91
-rw-r--r--kernel.spec4
2 files changed, 95 insertions, 0 deletions
diff --git a/0001-socket-close-race-condition-between-sock_close-and-s.patch b/0001-socket-close-race-condition-between-sock_close-and-s.patch
new file mode 100644
index 000000000..90f52fc3f
--- /dev/null
+++ b/0001-socket-close-race-condition-between-sock_close-and-s.patch
@@ -0,0 +1,91 @@
+From 6d8c50dcb029872b298eea68cc6209c866fd3e14 Mon Sep 17 00:00:00 2001
+From: Cong Wang <xiyou.wangcong@gmail.com>
+Date: Thu, 7 Jun 2018 13:39:49 -0700
+Subject: [PATCH] socket: close race condition between sock_close() and
+ sockfs_setattr()
+
+fchownat() doesn't even hold refcnt of fd until it figures out
+fd is really needed (otherwise is ignored) and releases it after
+it resolves the path. This means sock_close() could race with
+sockfs_setattr(), which leads to a NULL pointer dereference
+since typically we set sock->sk to NULL in ->release().
+
+As pointed out by Al, this is unique to sockfs. So we can fix this
+in socket layer by acquiring inode_lock in sock_close() and
+checking against NULL in sockfs_setattr().
+
+sock_release() is called in many places, only the sock_close()
+path matters here. And fortunately, this should not affect normal
+sock_close() as it is only called when the last fd refcnt is gone.
+It only affects sock_close() with a parallel sockfs_setattr() in
+progress, which is not common.
+
+Fixes: 86741ec25462 ("net: core: Add a UID field to struct sock.")
+Reported-by: shankarapailoor <shankarapailoor@gmail.com>
+Cc: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
+Cc: Lorenzo Colitti <lorenzo@google.com>
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+ net/socket.c | 18 +++++++++++++++---
+ 1 file changed, 15 insertions(+), 3 deletions(-)
+
+diff --git a/net/socket.c b/net/socket.c
+index af57d85bcb48..8a109012608a 100644
+--- a/net/socket.c
++++ b/net/socket.c
+@@ -541,7 +541,10 @@ static int sockfs_setattr(struct dentry *dentry, struct iattr *iattr)
+ if (!err && (iattr->ia_valid & ATTR_UID)) {
+ struct socket *sock = SOCKET_I(d_inode(dentry));
+
+- sock->sk->sk_uid = iattr->ia_uid;
++ if (sock->sk)
++ sock->sk->sk_uid = iattr->ia_uid;
++ else
++ err = -ENOENT;
+ }
+
+ return err;
+@@ -590,12 +593,16 @@ EXPORT_SYMBOL(sock_alloc);
+ * an inode not a file.
+ */
+
+-void sock_release(struct socket *sock)
++static void __sock_release(struct socket *sock, struct inode *inode)
+ {
+ if (sock->ops) {
+ struct module *owner = sock->ops->owner;
+
++ if (inode)
++ inode_lock(inode);
+ sock->ops->release(sock);
++ if (inode)
++ inode_unlock(inode);
+ sock->ops = NULL;
+ module_put(owner);
+ }
+@@ -609,6 +616,11 @@ void sock_release(struct socket *sock)
+ }
+ sock->file = NULL;
+ }
++
++void sock_release(struct socket *sock)
++{
++ __sock_release(sock, NULL);
++}
+ EXPORT_SYMBOL(sock_release);
+
+ void __sock_tx_timestamp(__u16 tsflags, __u8 *tx_flags)
+@@ -1171,7 +1183,7 @@ static int sock_mmap(struct file *file, struct vm_area_struct *vma)
+
+ static int sock_close(struct inode *inode, struct file *filp)
+ {
+- sock_release(SOCKET_I(inode));
++ __sock_release(SOCKET_I(inode), inode);
+ return 0;
+ }
+
+--
+2.17.1
+
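Review bot: The `if (sock->sk)` test added in sockfs_setattr() is race-free only if that function runs with the inode lock held, and nothing in the new code records this; the test and the store to `sock->sk->sk_uid` read the pointer separately, so without the lock ->release() could still clear it between them. The check relies on the VFS invoking ->setattr under the inode lock, which is not visible in this patch, and it pairs with the `inode_lock(inode)` now taken around `sock->ops->release(sock)` in __sock_release(). A comment at both sites would keep a later refactor from breaking the pairing, for example `/* ->setattr runs under inode_lock; pairs with __sock_release() so sk cannot become NULL after this check */`. The `sock_release()` wrapper passes a NULL inode and so skips the lock, which the commit message justifies by saying only the sock_close() path matters here; that assumption is worth stating next to the wrapper. sockfs_setattr() begins outside the inner hunk, so whether other attributes are already applied before `-ENOENT` is returned cannot be confirmed from here.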
diff --git a/kernel.spec b/kernel.spec
index 13fb1f66d..081f52fcc 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -631,6 +631,9 @@ Patch504: mailbox-ACPI-erroneous-error-message-when-parsing-ACPI.patch
# CVE-2018-10853 rhbz 1589890 1589892
Patch505: kvm-x86-Check-CPL-in-segmented_write_std.patch
+# CVE-2018-12232 rhbz 1590215 1590216
+Patch506: 0001-socket-close-race-condition-between-sock_close-and-s.patch
+
# END OF PATCH DEFINITIONS
%endif
@@ -1868,6 +1871,7 @@ fi
%changelog
* Tue Jun 12 2018 Justin M. Forbes <jforbes@fedoraproject.org> - 4.17.1-200
- Linux v4.17.1
+- Fix CVE-2018-12232 (rhbz 1590215 1590216)
* Mon Jun 11 2018 Justin M. Forbes <jforbes@fedoraproject.org>
- Fix CVE-2018-10853 (rhbz 1589890 1589892)