From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, GeneBlue <geneblue.mail@gmail.com>,
Cong Wang <xiyou.wangcong@gmail.com>,
Andrew Morton <akpm@linux-foundation.org>,
Manfred Spraul <manfred@colorfullife.com>,
Linus Torvalds <torvalds@linux-foundation.org>
Subject: [PATCH 4.4 30/57] mqueue: fix a use-after-free in sys_mq_notify()
Date: Thu, 13 Jul 2017 17:42:45 +0200 [thread overview]
Message-ID: <20170713153959.746019711@linuxfoundation.org> (raw)
In-Reply-To: <20170713153957.515045341@linuxfoundation.org>
4.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Cong Wang <xiyou.wangcong@gmail.com>
commit f991af3daabaecff34684fd51fac80319d1baad1 upstream.
The retry logic for netlink_attachskb() inside sys_mq_notify()
is nasty and vulnerable:
1) The sock refcnt is already released when retry is needed
2) The fd is controllable by user-space because we already
release the file refcnt
so when we retry but the fd has just been closed by user-space
during this small window, we end up calling netlink_detachskb()
on the error path, which releases the sock again; later, when
user-space closes this socket, a use-after-free could be
triggered.
Setting 'sock' to NULL here should be sufficient to fix it.
Reported-by: GeneBlue <geneblue.mail@gmail.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Manfred Spraul <manfred@colorfullife.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
ipc/mqueue.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/ipc/mqueue.c
+++ b/ipc/mqueue.c
@@ -1251,8 +1251,10 @@ retry:
timeo = MAX_SCHEDULE_TIMEOUT;
ret = netlink_attachskb(sock, nc, &timeo, NULL);
- if (ret == 1)
+ if (ret == 1) {
+ sock = NULL;
goto retry;
+ }
if (ret) {
sock = NULL;
nc = NULL;
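Review bot: the `ret == 1` branch now clears only `sock` while the `if (ret)` branch directly below clears both `sock` and `nc`, and nothing in the hunk says why the two differ; add a one-line comment on the retry branch, e.g. `/* netlink_attachskb() dropped our sock ref but handed nc back for the retry */`, so a later cleanup does not "fix" the asymmetry by also clearing `nc` (leaking the skb) or by dropping the new `sock = NULL` (reintroducing the double release). The retry re-enters `fdget()` on a user-controlled descriptor, so every reference taken on the previous pass has to be treated as gone at that point; that is the invariant the comment should state.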
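Added example, not part of this patch or of the kernel source: a user-space C model of the retry loop the commit message describes, built around a refcounted stand-in for the netlink sock that flags a put on an already freed object instead of corrupting memory. The names sock_put, attachskb, fdget_model, close_fd, run_scenario and mq_notify_model are stand-ins chosen for this example, as is the constructed fd table; the ownership rules they implement (a return of 1 means the sock reference is already gone but the skb is handed back, an error means both are gone) are the ones the commit message states. Running the unfixed variant with the fd closed between the two passes reproduces the double release; the fixed variant fails cleanly with -EBADF and frees the skb once.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model of sys_mq_notify()'s retry path; not kernel code. */

struct sock {
    int  refcnt;   /* refs held: the open file, the syscall, the queue */
    bool freed;    /* set when refcnt hits zero; a later put is the UAF */
};

struct skb {
    bool freed;
};

enum { ATTACH_OK = 0, ATTACH_RETRY = 1, ATTACH_ERR = -11 /* -EAGAIN */ };

#define EBADF_NEG      (-9)
#define DOUBLE_RELEASE (-1000)   /* model-only sentinel: put on a dead sock */
#define FD_MAX         4
#define MAX_PASSES     3

/* Drop one reference; report a put on an already freed sock. */
static int sock_put(struct sock *sk)
{
    if (sk->freed)
        return -1;
    if (--sk->refcnt == 0)
        sk->freed = true;
    return 0;
}

/*
 * Stand-in for netlink_attachskb(); `outcome` scripts its decision.
 *   0  -> sock ref kept, skb attached
 *   1  -> sock ref DROPPED, skb handed back so the caller can retry
 *   <0 -> sock ref dropped AND skb freed
 */
static int attachskb(struct sock *sk, struct skb *skb, int outcome)
{
    if (outcome == ATTACH_OK)
        return 0;
    if (sock_put(sk) < 0)
        return DOUBLE_RELEASE;
    if (outcome != ATTACH_RETRY)
        skb->freed = true;
    return outcome;
}

/* Constructed fd table standing in for fdget(); NULL means closed. */
static struct sock *fdtable[FD_MAX];

static struct sock *fdget_model(int fd)
{
    return (fd >= 0 && fd < FD_MAX) ? fdtable[fd] : NULL;
}

/* User-space close(): the file's own reference goes away. */
static void close_fd(int fd)
{
    struct sock *sk = fdtable[fd];
    fdtable[fd] = NULL;
    if (sk)
        sock_put(sk);
}

/*
 * The retry loop. `script` gives attachskb()'s result per pass; `close_at`
 * is the pass before which user-space closes the fd (-1: never). Returns
 * the syscall result, or DOUBLE_RELEASE if the model caught the UAF.
 */
static int mq_notify_model(bool fixed, int fd, const int *script,
                           int close_at, struct skb *nc)
{
    struct sock *sock = NULL, *f;
    int ret, pass = 0;

retry:
    if (pass == close_at)
        close_fd(fd);                 /* the race window */
    if (pass >= MAX_PASSES) {
        ret = ATTACH_ERR;
        goto out;
    }
    f = fdget_model(fd);
    if (!f) {
        ret = EBADF_NEG;              /* fdget() failed; sock untouched */
        goto out;
    }
    sock = f;
    sock->refcnt++;                   /* netlink_getsockbyfilp(): take a ref */
    ret = attachskb(sock, nc, script[pass++]);
    if (ret == DOUBLE_RELEASE)
        return ret;
    if (ret == 1) {
        if (fixed)
            sock = NULL;              /* the patch: our ref is already gone */
        goto retry;
    }
    if (ret) {
        sock = NULL;                  /* error: attachskb freed both */
        nc = NULL;
        goto out;
    }
    sock = NULL;                      /* success: the queue owns sock and nc */
    nc = NULL;
out:
    if (sock) {
        nc->freed = true;             /* netlink_detachskb(): free skb, put sock */
        if (sock_put(sock) < 0)
            return DOUBLE_RELEASE;
    } else if (nc) {
        nc->freed = true;             /* dev_kfree_skb(nc) */
    }
    return ret;
}

/* Fresh sock and skb per run; fd 3 is the user's netlink socket. */
static int run_scenario(bool fixed, bool close_during_retry)
{
    struct sock sk = { .refcnt = 1, .freed = false };   /* the open file's ref */
    struct skb  nc = { .freed = false };
    const int script[MAX_PASSES] = { ATTACH_RETRY, ATTACH_OK, ATTACH_OK };
    int ret;

    fdtable[3] = &sk;
    ret = mq_notify_model(fixed, 3, script, close_during_retry ? 1 : -1, &nc);
    fdtable[3] = NULL;
    return ret;
}

int main(void)
{
    printf("unfixed, no close:  %d\n", run_scenario(false, false));
    printf("unfixed, fd closed: %d\n", run_scenario(false, true));
    printf("fixed,   fd closed: %d\n", run_scenario(true, true));
    return 0;
}
```

The model keeps the one detail that makes the bug work: fdget() fails before `sock` is reassigned, so on the retry pass the stale pointer from the first pass is what reaches the `out:` cleanup.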
2017-07-13 15:42 [PATCH 4.4 00/57] 4.4.77-stable review Greg Kroah-Hartman
2017-07-13 15:42 ` [PATCH 4.4 01/57] fs: add a VALID_OPEN_FLAGS Greg Kroah-Hartman
2017-07-13 15:42 ` [PATCH 4.4 02/57] fs: completely ignore unknown open flags Greg Kroah-Hartman
2017-07-13 15:42 ` [PATCH 4.4 03/57] driver core: platform: fix race condition with driver_override Greg Kroah-Hartman
2017-07-13 15:42 ` [PATCH 4.4 05/57] mm: fix classzone_idx underflow in shrink_zones() Greg Kroah-Hartman
2017-07-13 15:42 ` [PATCH 4.4 06/57] tracing/kprobes: Allow to create probe with a module name starting with a digit Greg Kroah-Hartman
2017-07-13 15:42 ` [PATCH 4.4 08/57] usb: dwc3: replace %p with %pK Greg Kroah-Hartman
2017-07-13 15:42 ` [PATCH 4.4 09/57] USB: serial: cp210x: add ID for CEL EM3588 USB ZigBee stick Greg Kroah-Hartman
2017-07-13 15:42 ` [PATCH 4.4 10/57] Add USB quirk for HVR-950q to avoid intermittent device resets Greg Kroah-Hartman
2017-07-13 15:42 ` [PATCH 4.4 11/57] usb: usbip: set buffer pointers to NULL after free Greg Kroah-Hartman
2017-07-13 15:42 ` [PATCH 4.4 12/57] usb: Fix typo in the definition of Endpoint[out]Request Greg Kroah-Hartman
2017-07-13 15:42 ` [PATCH 4.4 13/57] mac80211_hwsim: Replace bogus hrtimer clockid Greg Kroah-Hartman
2017-07-13 15:42 ` [PATCH 4.4 14/57] sysctl: dont print negative flag for proc_douintvec Greg Kroah-Hartman
2017-07-13 15:42 ` [PATCH 4.4 15/57] sysctl: report EINVAL if value is larger than UINT_MAX " Greg Kroah-Hartman
2017-07-13 15:42 ` [PATCH 4.4 16/57] pinctrl: sh-pfc: r8a7791: Fix SCIF2 pinmux data Greg Kroah-Hartman
2017-07-13 15:42 ` [PATCH 4.4 17/57] pinctrl: sh-pfc: r8a7791: Add missing DVC_MUTE signal Greg Kroah-Hartman
2017-07-13 15:42 ` [PATCH 4.4 18/57] pinctrl: meson: meson8b: fix the NAND DQS pins Greg Kroah-Hartman
2017-07-13 15:42 ` [PATCH 4.4 19/57] pinctrl: sunxi: Fix SPDIF function name for A83T Greg Kroah-Hartman
2017-07-13 15:42 ` [PATCH 4.4 21/57] pinctrl: sh-pfc: Update info pointer after SoC-specific init Greg Kroah-Hartman
2017-07-13 15:42 ` [PATCH 4.4 24/57] gfs2: Fix glock rhashtable rcu bug Greg Kroah-Hartman
2017-07-13 15:42 ` [PATCH 4.4 26/57] x86/uaccess: Optimize copy_user_enhanced_fast_string() for short strings Greg Kroah-Hartman
2017-07-13 15:42 ` [PATCH 4.4 27/57] ath10k: override CE5 config for QCA9377 Greg Kroah-Hartman
2017-07-13 15:42 ` [PATCH 4.4 28/57] KEYS: Fix an error code in request_master_key() Greg Kroah-Hartman
2017-07-13 15:42 ` [PATCH 4.4 29/57] RDMA/uverbs: Check port number supplied by user verbs cmds Greg Kroah-Hartman
2017-07-13 15:54 ` Ismail, Mustafa
2017-07-13 16:25 ` Greg Kroah-Hartman
2017-07-13 18:44 ` Ismail, Mustafa
2017-07-14 6:49 ` Greg Kroah-Hartman
2017-07-14 14:54 ` Ismail, Mustafa
2017-07-17 17:30 ` Marciniszyn, Mike
2017-07-17 19:22 ` Greg Kroah-Hartman
2017-07-17 19:24 ` Marciniszyn, Mike
2017-07-13 15:42 ` Greg Kroah-Hartman [this message]
2017-07-13 15:42 ` [PATCH 4.4 31/57] tools include: Add a __fallthrough statement Greg Kroah-Hartman
2017-07-13 15:42 ` [PATCH 4.4 32/57] tools string: Use __fallthrough in perf_atoll() Greg Kroah-Hartman
2017-07-13 15:42 ` [PATCH 4.4 33/57] tools strfilter: Use __fallthrough Greg Kroah-Hartman
2017-07-13 15:42 ` [PATCH 4.4 34/57] perf top: " Greg Kroah-Hartman
2017-07-13 15:42 ` [PATCH 4.4 35/57] perf intel-pt: " Greg Kroah-Hartman
2017-07-13 15:42 ` [PATCH 4.4 36/57] perf thread_map: Correctly size buffer used with dirent->dt_name Greg Kroah-Hartman
2017-07-13 15:42 ` [PATCH 4.4 37/57] perf scripting perl: Fix compile error with some perl5 versions Greg Kroah-Hartman
2017-07-13 15:42 ` [PATCH 4.4 38/57] perf tests: Avoid possible truncation with dirent->d_name + snprintf Greg Kroah-Hartman
2017-07-13 15:42 ` [PATCH 4.4 39/57] perf bench numa: Avoid possible truncation when using snprintf() Greg Kroah-Hartman
2017-07-13 15:42 ` [PATCH 4.4 40/57] perf tools: Use readdir() instead of deprecated readdir_r() Greg Kroah-Hartman
2017-07-13 15:42 ` [PATCH 4.4 41/57] perf thread_map: " Greg Kroah-Hartman
2017-07-13 15:42 ` [PATCH 4.4 42/57] perf script: " Greg Kroah-Hartman
2017-07-13 15:42 ` [PATCH 4.4 43/57] perf tools: Remove duplicate const qualifier Greg Kroah-Hartman
2017-07-13 15:42 ` [PATCH 4.4 44/57] perf annotate browser: Fix behaviour of Shift-Tab with nothing focussed Greg Kroah-Hartman
2017-07-13 15:43 ` [PATCH 4.4 45/57] perf pmu: Fix misleadingly indented assignment (whitespace) Greg Kroah-Hartman
2017-07-13 15:43 ` [PATCH 4.4 46/57] perf dwarf: Guard !x86_64 definitions under #ifdef else clause Greg Kroah-Hartman
2017-07-13 15:43 ` [PATCH 4.4 47/57] perf trace: Do not process PERF_RECORD_LOST twice Greg Kroah-Hartman
2017-07-13 15:43 ` [PATCH 4.4 48/57] perf tests: Remove wrong semicolon in while loop in CQM test Greg Kroah-Hartman
2017-07-13 15:43 ` [PATCH 4.4 49/57] perf tools: Use readdir() instead of deprecated readdir_r() again Greg Kroah-Hartman
2017-07-13 15:43 ` [PATCH 4.4 50/57] md: fix incorrect use of lexx_to_cpu in does_sb_need_changing Greg Kroah-Hartman
2017-07-13 15:43 ` [PATCH 4.4 51/57] md: fix super_offset endianness in super_1_rdev_size_change Greg Kroah-Hartman
2017-07-13 15:43 ` [PATCH 4.4 52/57] tcp: fix tcp_mark_head_lost to check skb len before fragmenting Greg Kroah-Hartman
2017-07-13 15:43 ` [PATCH 4.4 53/57] staging: vt6556: vnt_start Fix missing call to vnt_key_init_table Greg Kroah-Hartman
2017-07-13 15:43 ` [PATCH 4.4 54/57] staging: comedi: fix clean-up of comedi_class in comedi_init() Greg Kroah-Hartman
2017-07-13 15:43 ` [PATCH 4.4 55/57] ext4: check return value of kstrtoull correctly in reserved_clusters_store Greg Kroah-Hartman
2017-07-13 15:43 ` [PATCH 4.4 56/57] x86/mm/pat: Dont report PAT on CPUs that dont support it Greg Kroah-Hartman
2017-07-13 15:43 ` [PATCH 4.4 57/57] [media] saa7134: fix warm Medion 7134 EEPROM read Greg Kroah-Hartman
2017-07-14 1:33 ` [PATCH 4.4 00/57] 4.4.77-stable review Guenter Roeck
2017-07-14 9:50 ` Greg Kroah-Hartman
2017-07-14 19:23 ` Guenter Roeck
2017-07-15 8:10 ` Greg Kroah-Hartman
[not found] ` <5967e121.9fb6df0a.979fe.f2ca@mx.google.com>
2017-07-14 9:51 ` Greg Kroah-Hartman
2017-07-14 12:21 ` Arnd Bergmann
2017-07-14 13:26 ` Greg Kroah-Hartman
2017-07-14 19:54 ` Arnd Bergmann
2017-07-18 22:56 ` Kevin Hilman
2017-07-15 11:16 ` Geert Uytterhoeven
2017-07-15 11:22 ` Greg Kroah-Hartman
2017-07-14 12:35 ` Mark Brown
2017-07-14 13:26 ` Greg Kroah-Hartman