commit:     db24a13c10ab6eb294f0ac692702cd67868d374e
Author:     Mike Pagano <mpagano <AT> gentoo <DOT> org>
AuthorDate: Fri Dec  9 00:41:37 2016 +0000
Commit:     Mike Pagano <mpagano <AT> gentoo <DOT> org>
CommitDate: Fri Dec  9 00:41:37 2016 +0000
URL:        https://gitweb.gentoo.org/proj/linux-patches.git/commit/?id=db24a13c

Fix race condition in packet_set_ring. CVE-2016-8655. Bug #601926.

 0000_README                                      |  4 ++
 1520_fix-race-condition-in-packet-set-ring.patch | 62 ++++++++++++++++++++++++
 2 files changed, 66 insertions(+)

diff --git a/0000_README b/0000_README
index b783e9c..866b122 100644
--- a/0000_README
+++ b/0000_README
@@ -326,6 +326,10 @@ Patch:  
1510_fs-enable-link-security-restrictions-by-default.patch
 From:   
http://sources.debian.net/src/linux/3.16.7-ckt4-3/debian/patches/debian/fs-enable-link-security-restrictions-by-default.patch/
 Desc:   Enable link security restrictions by default
 
+Patch:  1520_fix-race-condition-in-packet-set-ring.patch
+From:   
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=84ac7260236a49c79eede91617700174c2c19b0c
+Desc:   packet: fix race condition in packet_set_ring. CVE-2016-8655. Bug 
#601926.
+
 Patch:  1700_enable-thinkpad-micled.patch
 From:   https://bugs.gentoo.org/show_bug.cgi?id=449248
 Desc:   Enable mic mute led in thinkpads

diff --git a/1520_fix-race-condition-in-packet-set-ring.patch 
b/1520_fix-race-condition-in-packet-set-ring.patch
new file mode 100644
index 0000000..d85527f
--- /dev/null
+++ b/1520_fix-race-condition-in-packet-set-ring.patch
@@ -0,0 +1,62 @@
+--- a/net/packet/af_packet.c   2016-12-07 18:10:25.785812861 -0500
++++ b/net/packet/af_packet.c   2016-12-07 18:18:45.597933525 -0500
+@@ -3648,19 +3648,25 @@ packet_setsockopt(struct socket *sock, i
+ 
+               if (optlen != sizeof(val))
+                       return -EINVAL;
+-              if (po->rx_ring.pg_vec || po->tx_ring.pg_vec)
+-                      return -EBUSY;
+               if (copy_from_user(&val, optval, sizeof(val)))
+                       return -EFAULT;
+               switch (val) {
+               case TPACKET_V1:
+               case TPACKET_V2:
+               case TPACKET_V3:
+-                      po->tp_version = val;
+-                      return 0;
++                      break;
+               default:
+                       return -EINVAL;
+               }
++              lock_sock(sk);
++              if (po->rx_ring.pg_vec || po->tx_ring.pg_vec) {
++                      ret = -EBUSY;
++              } else {
++                      po->tp_version = val;
++                      ret = 0;
++              }
++              release_sock(sk);
++              return ret;
+       }
+       case PACKET_RESERVE:
+       {
+@@ -4164,6 +4170,7 @@ static int packet_set_ring(struct sock *
+       /* Added to avoid minimal code churn */
+       struct tpacket_req *req = &req_u->req;
+ 
++      lock_sock(sk);
+       /* Opening a Tx-ring is NOT supported in TPACKET_V3 */
+       if (!closing && tx_ring && (po->tp_version > TPACKET_V2)) {
+               net_warn_ratelimited("Tx-ring is not supported.\n");
+@@ -4245,8 +4252,6 @@ static int packet_set_ring(struct sock *
+                       goto out;
+       }
+ 
+-      lock_sock(sk);
+-
+       /* Detach socket from network */
+       spin_lock(&po->bind_lock);
+       was_running = po->running;
+@@ -4294,11 +4299,11 @@ static int packet_set_ring(struct sock *
+               if (!tx_ring)
+                       prb_shutdown_retire_blk_timer(po, rb_queue);
+       }
+-      release_sock(sk);
+ 
+       if (pg_vec)
+               free_pg_vec(pg_vec, order, req->tp_block_nr);
+ out:
++      release_sock(sk);
+       return err;
+ }
+ 
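Review bot: In `packet_setsockopt` only the `PACKET_VERSION` case gains `lock_sock(sk)` around its `po->rx_ring.pg_vec || po->tx_ring.pg_vec` test; the `PACKET_RESERVE` case that begins on the next context line is not touched, and if its body (outside the hunk) makes the same unlocked check before writing a `po->` field, it can presumably still race with `packet_set_ring` in the same way. Every option in that switch that tests `pg_vec` before a write should be audited and wrapped in the same `lock_sock(sk)` / `release_sock(sk)` pair. Separately, `lock_sock(sk)` is now taken at the top of `packet_set_ring` and released only at `out:`, so any plain `return` between the hunks would leave the socket locked; the visible paths all use `goto out`, but the middle of the function is not shown and should be confirmed on this kernel version. A comment at the new lock site would record the intent, e.g. `/* held from the first tp_version check so PACKET_VERSION cannot change it during ring setup */`.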
