From patchwork Thu Oct  5 10:47:48 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Juerg Haefliger <juerg.haefliger@canonical.com>
X-Patchwork-Id: 821697
Return-Path: <kernel-team-bounces@lists.ubuntu.com>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Authentication-Results: ozlabs.org;
	spf=none (mailfrom) smtp.mailfrom=lists.ubuntu.com
	(client-ip=91.189.94.19; helo=huckleberry.canonical.com;
	envelope-from=kernel-team-bounces@lists.ubuntu.com;
	receiver=<UNKNOWN>)
Received: from huckleberry.canonical.com (huckleberry.canonical.com
	[91.189.94.19])
	by ozlabs.org (Postfix) with ESMTP id 3y78cb1vNbz9t4X;
	Thu,  5 Oct 2017 21:47:59 +1100 (AEDT)
Received: from localhost ([127.0.0.1] helo=huckleberry.canonical.com)
	by huckleberry.canonical.com with esmtp (Exim 4.86_2)
	(envelope-from <kernel-team-bounces@lists.ubuntu.com>)
	id 1e03h2-0007IH-O0; Thu, 05 Oct 2017 10:47:52 +0000
Received: from youngberry.canonical.com ([91.189.89.112])
	by huckleberry.canonical.com with esmtps
	(TLS1.0:DHE_RSA_AES_128_CBC_SHA1:128)
	(Exim 4.86_2) (envelope-from <juerg.haefliger@canonical.com>)
	id 1e03h0-0007Hf-TE
	for kernel-team@lists.ubuntu.com; Thu, 05 Oct 2017 10:47:50 +0000
Received: from mail-wr0-f199.google.com ([209.85.128.199])
	by youngberry.canonical.com with esmtps
	(TLS1.0:RSA_AES_128_CBC_SHA1:16)
	(Exim 4.76) (envelope-from <juerg.haefliger@canonical.com>)
	id 1e03h0-0007fW-Lh
	for kernel-team@lists.ubuntu.com; Thu, 05 Oct 2017 10:47:50 +0000
Received: by mail-wr0-f199.google.com with SMTP id p46so12409859wrb.1
	for <kernel-team@lists.ubuntu.com>;
	Thu, 05 Oct 2017 03:47:50 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20161025;
	h=x-gm-message-state:from:to:subject:date:message-id;
	bh=UxqQXEaAVwVKUq8bAeIN3lHWqiE2SPlRvTX+j8WQjgQ=;
	b=r0IBxRCGuiuJNj/A8H4fRnWmhLw7sq2BUxH/UtCCpQBxA3BBSv9d48CAExce0Dz55H
	LMzf9v/E0jONMhVQYnc0tz1YmZYYBLchTbf39MNnpMdGMMkOKltGqGESSaoob3aHMcnw
	ct29wKn/BqbSiYDCzOH0d9/SBaOLCsQYCe+X/S2XBRpGy8Th8HbyLWUGGwsk5R8voraH
	adAEmZj3sgYTAcWjxR00MZqaNY2ugPaAzEQrKThTMcMlJXfR0PVOUP2Mk4pCJRaAUyRs
	vQR/YHwG5Q6JY5pPxPKZXgMkpo2oPtaK//of9I3E5EkTJXlI8HTg8rZ1/hQRefatSSKr
	sT1g==
X-Gm-Message-State: AHPjjUiY+E980oKhHDnL+WhZCmX19hHV0yBiEFgCcx3f6cA9JgvAh2SX
	VvZF8IS8/Lq5uhxh5KmWyH1uQVxjXO/33vCMRFnxnQwwz6lX1iouUQocf6alALUeDXYycKnvNDg
	rkT6BSyzQhkWVLSLwqWEP6oHPZWry3aaXzizEusBMrw==
X-Received: by 10.80.220.202 with SMTP id v10mr31854723edk.226.1507200470138;
	Thu, 05 Oct 2017 03:47:50 -0700 (PDT)
X-Google-Smtp-Source: 
 AOwi7QD0hK6M4fn9BX1aQzOe7nlfH1xsAs4mqx7XEXAZ6fQ74xzqfCyHSny8qnpdN8pHdHuycM4aGw==
X-Received: by 10.80.220.202 with SMTP id v10mr31854710edk.226.1507200469969;
	Thu, 05 Oct 2017 03:47:49 -0700 (PDT)
Received: from gollum.fritz.box (adsl-84-227-115-101.adslplus.ch.
	[84.227.115.101]) by smtp.gmail.com with ESMTPSA id
	l4sm4014800edc.20.2017.10.05.03.47.48
	for <kernel-team@lists.ubuntu.com>
	(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
	Thu, 05 Oct 2017 03:47:49 -0700 (PDT)
From: Juerg Haefliger <juerg.haefliger@canonical.com>
To: kernel-team@lists.ubuntu.com
Subject: [SRU][P-ESM/T/Z][CVE-2017-11176][PATCH] mqueue: fix a use-after-free
	in sys_mq_notify()
Date: Thu,  5 Oct 2017 12:47:48 +0200
Message-Id: <20171005104748.29518-1-juerg.haefliger@canonical.com>
X-Mailer: git-send-email 2.14.1
X-BeenThere: kernel-team@lists.ubuntu.com
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: Kernel team discussions <kernel-team.lists.ubuntu.com>
List-Unsubscribe: <https://lists.ubuntu.com/mailman/options/kernel-team>,
	<mailto:kernel-team-request@lists.ubuntu.com?subject=unsubscribe>
List-Archive: <https://lists.ubuntu.com/archives/kernel-team>
List-Post: <mailto:kernel-team@lists.ubuntu.com>
List-Help: <mailto:kernel-team-request@lists.ubuntu.com?subject=help>
List-Subscribe: <https://lists.ubuntu.com/mailman/listinfo/kernel-team>,
	<mailto:kernel-team-request@lists.ubuntu.com?subject=subscribe>
MIME-Version: 1.0
Errors-To: kernel-team-bounces@lists.ubuntu.com
Sender: "kernel-team" <kernel-team-bounces@lists.ubuntu.com>

From: Cong Wang <xiyou.wangcong@gmail.com>

The retry logic for netlink_attachskb() inside sys_mq_notify()
is nasty and vulnerable:

1) The sock refcnt is already released when retry is needed
2) The fd is controllable by user-space because we already
   release the file refcnt

so we when retry but the fd has been just closed by user-space
during this small window, we end up calling netlink_detachskb()
on the error path which releases the sock again, later when
the user-space closes this socket a use-after-free could be
triggered.

Setting 'sock' to NULL here should be sufficient to fix it.

CVE-2017-11176

Reported-by: GeneBlue <geneblue.mail@gmail.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Manfred Spraul <manfred@colorfullife.com>
Cc: stable@kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
(cherry picked from commit f991af3daabaecff34684fd51fac80319d1baad1)
Signed-off-by: Juerg Haefliger <juerg.haefliger@canonical.com>
Acked-by: Po-Hsu Lin <po-hsu.lin@canonical.com>
Acked-by: Marcelo Henrique Cerri <marcelo.cerri@canonical.com>
Acked-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
---
 ipc/mqueue.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/ipc/mqueue.c b/ipc/mqueue.c
index 5b4293d9819d..081a2d74b0d1 100644
--- a/ipc/mqueue.c
+++ b/ipc/mqueue.c
@@ -1095,8 +1095,10 @@ retry:
 
 			timeo = MAX_SCHEDULE_TIMEOUT;
 			ret = netlink_attachskb(sock, nc, &timeo, NULL);
-			if (ret == 1)
+			if (ret == 1) {
+				sock = NULL;
 				goto retry;
+			}
 			if (ret) {
 				sock = NULL;
 				nc = NULL;