Date: Tuesday, December 6, 2016 @ 12:06:47 Author: andyrtr Revision: 282873
upgpkg: linux-lts 4.4.36-1 upstream update 4.4.36; CVE-2016-8655 Added: linux-lts/trunk/fix_race_condition_in_packet_set_ring.diff Modified: linux-lts/trunk/PKGBUILD --------------------------------------------+ PKGBUILD | 16 +++-- fix_race_condition_in_packet_set_ring.diff | 84 +++++++++++++++++++++++++++ 2 files changed, 95 insertions(+), 5 deletions(-)
Modified: PKGBUILD
===================================================================
--- PKGBUILD 2016-12-06 11:08:10 UTC (rev 282872)
+++ PKGBUILD 2016-12-06 12:06:47 UTC (rev 282873)
@@ -4,10 +4,10 @@
 pkgbase=linux-lts
 #pkgbase=linux-lts-custom
 _srcname=linux-4.4
-pkgver=4.4.35
+pkgver=4.4.36
 pkgrel=1
 arch=('i686' 'x86_64')
-url="http://www.kernel.org/"
+url="https://www.kernel.org/"
 license=('GPL2')
 makedepends=('xmlto' 'docbook-xsl' 'kmod' 'inetutils' 'bc')
 options=('!strip')
@@ -18,17 +18,19 @@
 # standard config files for mkinitcpio ramdisk
 linux-lts.preset
 change-default-console-loglevel.patch
- 0001-sdhci-revert.patch)
+ 0001-sdhci-revert.patch
+ fix_race_condition_in_packet_set_ring.diff)
 # https://www.kernel.org/pub/linux/kernel/v4.x/sha256sums.asc
 sha256sums=('401d7c8fef594999a460d10c72c5a94e9c2e1022f16795ec51746b0d165418b2'
 'SKIP'
- '5d0cc352645127191767e1c33f78c48dfdee7022fe425639a4c95a901d5e5c77'
+ '468ddfe3f29c314b40e32410c796fda9277620d50bc47b50fafc8a5a4c375e61'
 'SKIP'
 'b11702727b1503e5a613946790978481d34d8ecc6870337fadd3ce1ef084a8e2'
 '68c7296ff2f5f55d69e83aa4d20f925df740b1eb1e6bdb0f13e8a170360ed09f'
 '1f036f7464da54ae510630f0edb69faa115287f86d9f17641197ffda8cfd49e0'
 '1256b241cd477b265a3c2d64bdc19ffe3c9bbcee82ea3994c590c2c76e767d99'
- '5313df7cb5b4d005422bd4cd0dae956b2dadba8f3db904275aaf99ac53894375')
+ '5313df7cb5b4d005422bd4cd0dae956b2dadba8f3db904275aaf99ac53894375'
+ 'ad1ee95f906f88d31fcdb9273cd08e02e8eda177449f0c98dc1bff8cbf1483c2')
 validpgpkeys=('ABAF11C65A2970B130ABE3C479BE3E4300411886' # Linus Torvalds <torva...@linux-foundation.org>
 '647F28654894E3BD457199BE38DBBDC86092693E' # Greg Kroah-Hartman (Linux kernel stable release signing key) <g...@kroah.com>
 )
@@ -40,6 +42,10 @@
 # add upstream patch
 patch -p1 -i "${srcdir}/patch-${pkgver}"
+ # fix a race condition that allows to gain root
+ # https://marc.info/?l=linux-netdev&m=148054660230570&w=2
+ patch -p1 -i "${srcdir}/fix_race_condition_in_packet_set_ring.diff"
+
 # add latest fixes from stable queue, if needed
 # http://git.kernel.org/?p=linux/kernel/git/stable/stable-queue.git
Added: fix_race_condition_in_packet_set_ring.diff
===================================================================
--- fix_race_condition_in_packet_set_ring.diff (rev 0)
+++ fix_race_condition_in_packet_set_ring.diff 2016-12-06 12:06:47 UTC (rev 282873)
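Review bot: The comment above the new `patch -p1 -i "${srcdir}/fix_race_condition_in_packet_set_ring.diff"` call in the last hunk does not name the advisory that the commit message does, so a reader of the PKGBUILD alone cannot tell which fix this is; `# CVE-2016-8655: fix a race condition that allows to gain root` keeps the marc.info link and makes the later removal traceable. Because the call is unconditional, the stable update that eventually carries the same change upstream will make `patch` fail (or ask to reverse-apply) at this line, so the source entry, its sha256 and this call need to be dropped together at that bump. The enclosing function this hunk sits in starts and ends outside the hunk.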
@@ -0,0 +1,84 @@
+From: Philip Pettersson <philip.petters...@gmail.com>
+
+When packet_set_ring creates a ring buffer it will initialize a
+struct timer_list if the packet version is TPACKET_V3. This value
+can then be raced by a different thread calling setsockopt to
+set the version to TPACKET_V1 before packet_set_ring has finished.
+
+This leads to a use-after-free on a function pointer in the
+struct timer_list when the socket is closed as the previously
+initialized timer will not be deleted.
+
+The bug is fixed by taking lock_sock(sk) in packet_setsockopt when
+changing the packet version while also taking the lock at the start
+of packet_set_ring.
+
+Fixes: f6fb8f100b80 ("af-packet: TPACKET_V3 flexible buffer implementation.")
+Signed-off-by: Philip Pettersson <philip.petters...@gmail.com>
+Signed-off-by: Eric Dumazet <eduma...@google.com>
+---
+ net/packet/af_packet.c | 18 ++++++++++++------
+ 1 file changed, 12 insertions(+), 6 deletions(-)
+
+diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
+index d2238b204691b8e4f2e3acb9bc167b553ba32d50..dd2332390c45bbff7c3fc5d259453f2e1ca352bf 100644
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -3648,19 +3648,25 @@ packet_setsockopt(struct socket *sock, int level, int optname, char __user *optv
+
+ if (optlen != sizeof(val))
+ return -EINVAL;
+- if (po->rx_ring.pg_vec || po->tx_ring.pg_vec)
+- return -EBUSY;
+ if (copy_from_user(&val, optval, sizeof(val)))
+ return -EFAULT;
+ switch (val) {
+ case TPACKET_V1:
+ case TPACKET_V2:
+ case TPACKET_V3:
+- po->tp_version = val;
+- return 0;
++ break;
+ default:
+ return -EINVAL;
+ }
++ lock_sock(sk);
++ if (po->rx_ring.pg_vec || po->tx_ring.pg_vec) {
++ ret = -EBUSY;
++ } else {
++ po->tp_version = val;
++ ret = 0;
++ }
++ release_sock(sk);
++ return ret;
+ }
+ case PACKET_RESERVE:
+ {
+@@ -4164,6 +4170,7 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u,
+ /* Added to avoid minimal code churn */
+ struct tpacket_req *req = &req_u->req;
+
++ lock_sock(sk);
+ /* Opening a Tx-ring is NOT supported in TPACKET_V3 */
+ if (!closing && tx_ring && (po->tp_version > TPACKET_V2)) {
+ net_warn_ratelimited("Tx-ring is not supported.\n");
+@@ -4245,7 +4252,6 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u,
+ goto out;
+ }
+
+- lock_sock(sk);
+
+ /* Detach socket from network */
+ spin_lock(&po->bind_lock);
+@@ -4294,11 +4300,11 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u,
+ if (!tx_ring)
+ prb_shutdown_retire_blk_timer(po, rb_queue);
+ }
+- release_sock(sk);
+
+ if (pg_vec)
+ free_pg_vec(pg_vec, order, req->tp_block_nr);
+ out:
++ release_sock(sk);
+ return err;
+ }
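Review bot: With `lock_sock(sk)` moved to the entry of packet_set_ring and `release_sock(sk)` moved under `out:`, every exit between the two must reach that label; the hunks show the Tx-ring/TPACKET_V3 rejection and the `goto out` paths, but most of the function body lies outside these hunks, so any direct `return` left in the 4.4.36 copy of packet_set_ring would now exit with the socket lock held — worth confirming against the full function when importing this patch. A one-line comment at the new lock site would record the invariant the fix relies on, e.g. `/* tp_version and the rings are only read or changed under the socket lock; packet_setsockopt takes the same lock */`. The new `ret = ...` assignments in packet_setsockopt assume a `ret` variable declared earlier in that function, which is also outside the hunk. The truncated addresses in the From:/Signed-off-by: lines look like list-archive rendering rather than file content; if they are in the added file as shown, the provenance trailers are damaged and should be restored from the upstream commit.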