Date: Tuesday, December 6, 2016 @ 12:06:47
Author: andyrtr
Revision: 282873
upgpkg: linux-lts 4.4.36-1
upstream update 4.4.36; CVE-2016-8655
Added:
linux-lts/trunk/fix_race_condition_in_packet_set_ring.diff
Modified:
linux-lts/trunk/PKGBUILD
--------------------------------------------+
PKGBUILD | 16 +++--
fix_race_condition_in_packet_set_ring.diff | 84 +++++++++++++++++++++++++++
2 files changed, 95 insertions(+), 5 deletions(-)
Modified: PKGBUILD
===================================================================
--- PKGBUILD 2016-12-06 11:08:10 UTC (rev 282872)
+++ PKGBUILD 2016-12-06 12:06:47 UTC (rev 282873)
@@ -4,10 +4,10 @@
pkgbase=linux-lts
#pkgbase=linux-lts-custom
_srcname=linux-4.4
-pkgver=4.4.35
+pkgver=4.4.36
pkgrel=1
arch=('i686' 'x86_64')
-url="http://www.kernel.org/";
+url="https://www.kernel.org/";
license=('GPL2')
makedepends=('xmlto' 'docbook-xsl' 'kmod' 'inetutils' 'bc')
options=('!strip')
@@ -18,17 +18,19 @@
# standard config files for mkinitcpio ramdisk
linux-lts.preset
change-default-console-loglevel.patch
- 0001-sdhci-revert.patch)
+ 0001-sdhci-revert.patch
+ fix_race_condition_in_packet_set_ring.diff)
# https://www.kernel.org/pub/linux/kernel/v4.x/sha256sums.asc
sha256sums=('401d7c8fef594999a460d10c72c5a94e9c2e1022f16795ec51746b0d165418b2'
'SKIP'
- '5d0cc352645127191767e1c33f78c48dfdee7022fe425639a4c95a901d5e5c77'
+ '468ddfe3f29c314b40e32410c796fda9277620d50bc47b50fafc8a5a4c375e61'
'SKIP'
'b11702727b1503e5a613946790978481d34d8ecc6870337fadd3ce1ef084a8e2'
'68c7296ff2f5f55d69e83aa4d20f925df740b1eb1e6bdb0f13e8a170360ed09f'
'1f036f7464da54ae510630f0edb69faa115287f86d9f17641197ffda8cfd49e0'
'1256b241cd477b265a3c2d64bdc19ffe3c9bbcee82ea3994c590c2c76e767d99'
- '5313df7cb5b4d005422bd4cd0dae956b2dadba8f3db904275aaf99ac53894375')
+ '5313df7cb5b4d005422bd4cd0dae956b2dadba8f3db904275aaf99ac53894375'
+ 'ad1ee95f906f88d31fcdb9273cd08e02e8eda177449f0c98dc1bff8cbf1483c2')
validpgpkeys=('ABAF11C65A2970B130ABE3C479BE3E4300411886' # Linus Torvalds
<torva...@linux-foundation.org>
'647F28654894E3BD457199BE38DBBDC86092693E' # Greg Kroah-Hartman
(Linux kernel stable release signing key) <g...@kroah.com>
)
@@ -40,6 +42,10 @@
# add upstream patch
patch -p1 -i "${srcdir}/patch-${pkgver}"
+ # fix a race condition that allows to gain root
+ # https://marc.info/?l=linux-netdev&m=148054660230570&w=2
+ patch -p1 -i "${srcdir}/fix_race_condition_in_packet_set_ring.diff"
+
# add latest fixes from stable queue, if needed
# http://git.kernel.org/?p=linux/kernel/git/stable/stable-queue.git
Added: fix_race_condition_in_packet_set_ring.diff
===================================================================
--- fix_race_condition_in_packet_set_ring.diff (rev 0)
+++ fix_race_condition_in_packet_set_ring.diff 2016-12-06 12:06:47 UTC (rev
282873)
@@ -0,0 +1,84 @@
+From: Philip Pettersson <philip.petters...@gmail.com>
+
+When packet_set_ring creates a ring buffer it will initialize a
+struct timer_list if the packet version is TPACKET_V3. This value
+can then be raced by a different thread calling setsockopt to
+set the version to TPACKET_V1 before packet_set_ring has finished.
+
+This leads to a use-after-free on a function pointer in the
+struct timer_list when the socket is closed as the previously
+initialized timer will not be deleted.
+
+The bug is fixed by taking lock_sock(sk) in packet_setsockopt when
+changing the packet version while also taking the lock at the start
+of packet_set_ring.
+
+Fixes: f6fb8f100b80 ("af-packet: TPACKET_V3 flexible buffer implementation.")
+Signed-off-by: Philip Pettersson <philip.petters...@gmail.com>
+Signed-off-by: Eric Dumazet <eduma...@google.com>
+---
+ net/packet/af_packet.c | 18 ++++++++++++------
+ 1 file changed, 12 insertions(+), 6 deletions(-)
+
+diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
+index
d2238b204691b8e4f2e3acb9bc167b553ba32d50..dd2332390c45bbff7c3fc5d259453f2e1ca352bf
100644
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -3648,19 +3648,25 @@ packet_setsockopt(struct socket *sock, int level, int
optname, char __user *optv
+
+ if (optlen != sizeof(val))
+ return -EINVAL;
+- if (po->rx_ring.pg_vec || po->tx_ring.pg_vec)
+- return -EBUSY;
+ if (copy_from_user(&val, optval, sizeof(val)))
+ return -EFAULT;
+ switch (val) {
+ case TPACKET_V1:
+ case TPACKET_V2:
+ case TPACKET_V3:
+- po->tp_version = val;
+- return 0;
++ break;
+ default:
+ return -EINVAL;
+ }
++ lock_sock(sk);
++ if (po->rx_ring.pg_vec || po->tx_ring.pg_vec) {
++ ret = -EBUSY;
++ } else {
++ po->tp_version = val;
++ ret = 0;
++ }
++ release_sock(sk);
++ return ret;
+ }
+ case PACKET_RESERVE:
+ {
+@@ -4164,6 +4170,7 @@ static int packet_set_ring(struct sock *sk, union
tpacket_req_u *req_u,
+ /* Added to avoid minimal code churn */
+ struct tpacket_req *req = &req_u->req;
+
++ lock_sock(sk);
+ /* Opening a Tx-ring is NOT supported in TPACKET_V3 */
+ if (!closing && tx_ring && (po->tp_version > TPACKET_V2)) {
+ net_warn_ratelimited("Tx-ring is not supported.\n");
+@@ -4245,7 +4252,6 @@ static int packet_set_ring(struct sock *sk, union
tpacket_req_u *req_u,
+ goto out;
+ }
+
+- lock_sock(sk);
+
+ /* Detach socket from network */
+ spin_lock(&po->bind_lock);
+@@ -4294,11 +4300,11 @@ static int packet_set_ring(struct sock *sk, union
tpacket_req_u *req_u,
+ if (!tx_ring)
+ prb_shutdown_retire_blk_timer(po, rb_queue);
+ }
+- release_sock(sk);
+
+ if (pg_vec)
+ free_pg_vec(pg_vec, order, req->tp_block_nr);
+ out:
++ release_sock(sk);
+ return err;
+ }
