3cd12006bb
Signed-off-by: Dean Troyer <dtroyer@gmail.com>
52 lines
1.6 KiB
Diff
From c6b013ca69eea1b231191d12ff6392ad5313e6c7 Mon Sep 17 00:00:00 2001
Message-Id: <c6b013ca69eea1b231191d12ff6392ad5313e6c7.1517518298.git.Jim.Somerville@windriver.com>
From: Cong Wang <xiyou.wangcong@gmail.com>
Date: Sun, 9 Jul 2017 13:19:55 -0700
Subject: [PATCH 1/1] mqueue: fix a use-after-free in sys_mq_notify()
 
The retry logic for netlink_attachskb() inside sys_mq_notify()
is nasty and vulnerable:
 
1) The sock refcnt is already released when retry is needed
2) The fd is controllable by user-space because we already
release the file refcnt
 
so when we retry but the fd has just been closed by user-space
during this small window, we end up calling netlink_detachskb()
on the error path which releases the sock again, later when
the user-space closes this socket a use-after-free could be
triggered.
 
Setting 'sock' to NULL here should be sufficient to fix it.
 
Reported-by: GeneBlue <geneblue.mail@gmail.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Manfred Spraul <manfred@colorfullife.com>
Cc: stable@kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Jim Somerville <Jim.Somerville@windriver.com>
---
ipc/mqueue.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
 
diff --git a/ipc/mqueue.c b/ipc/mqueue.c
index ae9cf6a..8a244f4 100644
--- a/ipc/mqueue.c
+++ b/ipc/mqueue.c
@@ -1254,8 +1254,10 @@ retry:
 
timeo = MAX_SCHEDULE_TIMEOUT;
ret = netlink_attachskb(sock, nc, &timeo, NULL);
- if (ret == 1)
+ if (ret == 1) {
+ sock = NULL;
goto retry;
+ }
if (ret) {
sock = NULL;
nc = NULL;
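Review bot: the new `sock = NULL;` in the `ret == 1` branch deserves a one-line comment in the hunk, because the identical assignment two lines further down in the `if (ret) {` branch means something different. Here the reference was already dropped by netlink_attachskb() when it asked for a retry (as the commit message states), and clearing the pointer is what keeps the error path's netlink_detachskb() from releasing it a second time if the fd has been closed by the time the retry re-resolves it; in the `if (ret)` branch both `sock` and `nc` are cleared for the error return. The retry branch leaves `nc` untouched while the error branch clears both, and that asymmetry is exactly what the next reader will stop on. Something like `/* netlink_attachskb() already dropped our sock ref; do not detach it on the error path */` above the new `sock = NULL;` would spare them re-deriving it from the commit log.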
--
1.8.3.1