Muehlenhoff has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/288151

Change subject: Cherrypick 8358b02bf67d3a5d8a825070e1aa73f25fb2e4c7 to address CVE-2016-4557
......................................................................

Cherrypick 8358b02bf67d3a5d8a825070e1aa73f25fb2e4c7 to address CVE-2016-4557

Change-Id: Ib2a37ef6f4a4603e6fa2a7ce951a95250252809d
---
M debian/changelog
A debian/patches/bugfix/all/CVE-2016-4557.patch
M debian/patches/series
3 files changed, 50 insertions(+), 1 deletion(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/debs/linux44 refs/changes/51/288151/1

diff --git a/debian/changelog b/debian/changelog
index bdd829d..4ead2f4 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -31,8 +31,10 @@
     - CVE-2016-3961 [103f6112f253017d7062cd74d17f4a514ed4485c]
     Remove misc-bmp085-Enable-building-as-a-module.patch which is
     merged in 4.4.9
+  * Cherrypick 8358b02bf67d3a5d8a825070e1aa73f25fb2e4c7 to address
+    CVE-2016-4557
 
- -- Moritz Muehlenhoff <[email protected]>  Thu, 10 Mar 2016 09:08:54 
+0100
+ -- Moritz Muehlenhoff <[email protected]>  Wed, 11 May 2016 08:52:37 
+0100
 
 linux (4.4.2-3+wmf1) jessie-wikimedia; urgency=medium
 
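Review bot: the new bullet `+  * Cherrypick 8358b02bf67d3a5d8a825070e1aa73f25fb2e4c7 to address` / `+    CVE-2016-4557` is formatted differently from the adjacent entries, which record fixes as `- CVE-2016-3961 [103f6112f253017d7062cd74d17f4a514ed4485c]`; consider the same `CVE-2016-4557 [8358b02bf67d3a5d8a825070e1aa73f25fb2e4c7]` form so the changelog stays greppable by CVE id. Note also that the hunk only moves the trailer date of the existing stanza (10 Mar to 11 May) instead of opening a new version entry, which is fine only if that stanza has not yet been uploaded as a package; if it has, this fix needs its own version entry.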
diff --git a/debian/patches/bugfix/all/CVE-2016-4557.patch 
b/debian/patches/bugfix/all/CVE-2016-4557.patch
new file mode 100644
index 0000000..b235a0a
--- /dev/null
+++ b/debian/patches/bugfix/all/CVE-2016-4557.patch
@@ -0,0 +1,46 @@
+From 8358b02bf67d3a5d8a825070e1aa73f25fb2e4c7 Mon Sep 17 00:00:00 2001
+From: Jann Horn <[email protected]>
+Date: Tue, 26 Apr 2016 22:26:26 +0200
+Subject: bpf: fix double-fdput in replace_map_fd_with_map_ptr()
+
+When bpf(BPF_PROG_LOAD, ...) was invoked with a BPF program whose bytecode
+references a non-map file descriptor as a map file descriptor, the error
+handling code called fdput() twice instead of once (in __bpf_map_get() and
+in replace_map_fd_with_map_ptr()). If the file descriptor table of the
+current task is shared, this causes f_count to be decremented too much,
+allowing the struct file to be freed while it is still in use
+(use-after-free). This can be exploited to gain root privileges by an
+unprivileged user.
+
+This bug was introduced in
+commit 0246e64d9a5f ("bpf: handle pseudo BPF_LD_IMM64 insn"), but is only
+exploitable since
+commit 1be7f75d1668 ("bpf: enable non-root eBPF programs") because
+previously, CAP_SYS_ADMIN was required to reach the vulnerable code.
+
+(posted publicly according to request by maintainer)
+
+Signed-off-by: Jann Horn <[email protected]>
+Signed-off-by: Linus Torvalds <[email protected]>
+Acked-by: Alexei Starovoitov <[email protected]>
+Acked-by: Daniel Borkmann <[email protected]>
+Signed-off-by: David S. Miller <[email protected]>
+---
+ kernel/bpf/verifier.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
+index 618ef77..db2574e 100644
+--- a/kernel/bpf/verifier.c
++++ b/kernel/bpf/verifier.c
+@@ -2030,7 +2030,6 @@ static int replace_map_fd_with_map_ptr(struct 
verifier_env *env)
+                       if (IS_ERR(map)) {
+                               verbose("fd %d is not pointing to valid 
bpf_map\n",
+                                       insn->imm);
+-                              fdput(f);
+                               return PTR_ERR(map);
+                       }
+ 
+-- 
+cgit v0.12
+
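Review bot: the single-line removal of `fdput(f);` is correct only if `__bpf_map_get()` in this 4.4 tree already drops the file reference on its error path, as the upstream message states (`the error handling code called fdput() twice instead of once (in __bpf_map_get() and in replace_map_fd_with_map_ptr())`); please confirm against the 4.4.9 source before merging, because on a tree where that is not the case the removal would turn a double put into a reference leak rather than fix a use-after-free. Minor: the file keeps the `-- ` / `cgit v0.12` trailer from the cgit export; quilt ignores trailing text, but dropping it, or replacing it with DEP-3 `Origin:` and `Bug:` headers that point at the upstream commit and CVE, keeps the patch directory consistent.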
diff --git a/debian/patches/series b/debian/patches/series
index 1f348b5..b0877fb 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -111,3 +111,4 @@
 bugfix/all/stable-4.4.7.patch
 bugfix/all/stable-4.4.8.patch
 bugfix/all/stable-4.4.9.patch
+bugfix/all/CVE-2016-4557.patch
\ No newline at end of file
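Review bot: `\ No newline at end of file` shows the added line `+bugfix/all/CVE-2016-4557.patch` lacks a terminating newline, whereas the previous last entry `bugfix/all/stable-4.4.9.patch` had one; quilt tolerates this, but the next patch appended to `series` will produce a noisy two-line diff, so add the trailing newline. Placing the fix after `stable-4.4.9.patch` is right, since it must apply on top of the stable update.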

-- 
To view, visit https://gerrit.wikimedia.org/r/288151
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: Ib2a37ef6f4a4603e6fa2a7ce951a95250252809d
Gerrit-PatchSet: 1
Gerrit-Project: operations/debs/linux44
Gerrit-Branch: master
Gerrit-Owner: Muehlenhoff <[email protected]>

_______________________________________________
MediaWiki-commits mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits