Linux v4.20.12
This commit is contained in:
Justin M. Forbes
parent
6b699fc046
commit
6516cc3a70
4 changed files with 9 additions and 136 deletions
|
|
@ -165,17 +165,17 @@ index 100ce4a4aff6..62361b647a75 100644
|
|||
#ifdef CONFIG_EFI
|
||||
/*
|
||||
@@ -1169,6 +1177,8 @@ extern void efi_reboot(enum reboot_mode reboot_mode, const char *__unused);
|
||||
extern bool efi_is_table_address(unsigned long phys_addr);
|
||||
extern void efi_reboot(enum reboot_mode reboot_mode, const char *__unused);
|
||||
|
||||
extern int efi_apply_persistent_mem_reservations(void);
|
||||
extern bool efi_is_table_address(unsigned long phys_addr);
|
||||
+
|
||||
+extern void __init efi_set_secure_boot(enum efi_secureboot_mode mode);
|
||||
#else
|
||||
static inline bool efi_enabled(int feature)
|
||||
{
|
||||
@@ -1192,6 +1202,8 @@ static inline int efi_apply_persistent_mem_reservations(void)
|
||||
@@ -1192,6 +1202,8 @@ static inline bool efi_is_table_address(unsigned long phys_addr)
|
||||
{
|
||||
return 0;
|
||||
return false;
|
||||
}
|
||||
+
|
||||
+static inline void efi_set_secure_boot(enum efi_secureboot_mode mode) {}
|
||||
|
|
|
|||
|
|
@ -54,7 +54,7 @@ Summary: The Linux kernel
|
|||
%if 0%{?released_kernel}
|
||||
|
||||
# Do we have a -stable update to apply?
|
||||
%define stable_update 11
|
||||
%define stable_update 12
|
||||
# Set rpm version accordingly
|
||||
%if 0%{?stable_update}
|
||||
%define stablerev %{stable_update}
|
||||
|
|
@ -637,9 +637,6 @@ Patch507: CVE-2019-3459-and-CVE-2019-3460.patch
|
|||
# rhbz 1663613 patch merged into 5.0-rc#
|
||||
Patch508: 0001-drm-nouveau-register-backlight-on-pascal-and-newer.patch
|
||||
|
||||
# CVE-2019-8912 rhbz 1678685 1678686
|
||||
Patch509: net-crypto-set-sk-to-NULL-when-af_alg_release.patch
|
||||
|
||||
# CVE-2019-8980 rhbz 1679972 1679974
|
||||
Patch510: CVE-2019-8980.patch
|
||||
|
||||
|
|
@ -1914,6 +1911,9 @@ fi
|
|||
#
|
||||
#
|
||||
%changelog
|
||||
* Mon Feb 25 2019 Justin M. Forbes <jforbes@fedoraproject.org> - 4.20.12-200
|
||||
- Linux v4.20.12
|
||||
|
||||
* Fri Feb 22 2019 Justin M. Forbes <jforbes@fedoraproject.org>
|
||||
- Fix CVE-2019-8980 (rhbz 1679972 1679974)
|
||||
|
||||
|
|
|
|||
|
|
@ -1,127 +0,0 @@
|
|||
From patchwork Fri Feb 15 14:24:15 2019
|
||||
Content-Type: text/plain; charset="utf-8"
|
||||
MIME-Version: 1.0
|
||||
Content-Transfer-Encoding: 7bit
|
||||
Subject: [net-next] net: crypto set sk to NULL when af_alg_release.
|
||||
X-Patchwork-Submitter: Mao Wenan <maowenan@huawei.com>
|
||||
X-Patchwork-Id: 1042902
|
||||
X-Patchwork-Delegate: davem@davemloft.net
|
||||
Message-Id: <20190215142415.149153-1-maowenan@huawei.com>
|
||||
To: <netdev@vger.kernel.org>, <davem@davemloft.net>,
|
||||
<xiyou.wangcong@gmail.com>, <linux-kernel@vger.kernel.org>
|
||||
Date: Fri, 15 Feb 2019 22:24:15 +0800
|
||||
From: Mao Wenan <maowenan@huawei.com>
|
||||
List-Id: <netdev.vger.kernel.org>
|
||||
|
||||
KASAN has found use-after-free in sockfs_setattr.
|
||||
The existed commit 6d8c50dcb029 ("socket: close race condition between sock_close()
|
||||
and sockfs_setattr()") is to fix this simillar issue, but it seems to ignore
|
||||
that crypto module forgets to set the sk to NULL after af_alg_release.
|
||||
|
||||
KASAN report details as below:
|
||||
BUG: KASAN: use-after-free in sockfs_setattr+0x120/0x150
|
||||
Write of size 4 at addr ffff88837b956128 by task syz-executor0/4186
|
||||
|
||||
CPU: 2 PID: 4186 Comm: syz-executor0 Not tainted xxx + #1
|
||||
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
|
||||
1.10.2-1ubuntu1 04/01/2014
|
||||
Call Trace:
|
||||
dump_stack+0xca/0x13e
|
||||
print_address_description+0x79/0x330
|
||||
? vprintk_func+0x5e/0xf0
|
||||
kasan_report+0x18a/0x2e0
|
||||
? sockfs_setattr+0x120/0x150
|
||||
sockfs_setattr+0x120/0x150
|
||||
? sock_register+0x2d0/0x2d0
|
||||
notify_change+0x90c/0xd40
|
||||
? chown_common+0x2ef/0x510
|
||||
chown_common+0x2ef/0x510
|
||||
? chmod_common+0x3b0/0x3b0
|
||||
? __lock_is_held+0xbc/0x160
|
||||
? __sb_start_write+0x13d/0x2b0
|
||||
? __mnt_want_write+0x19a/0x250
|
||||
do_fchownat+0x15c/0x190
|
||||
? __ia32_sys_chmod+0x80/0x80
|
||||
? trace_hardirqs_on_thunk+0x1a/0x1c
|
||||
__x64_sys_fchownat+0xbf/0x160
|
||||
? lockdep_hardirqs_on+0x39a/0x5e0
|
||||
do_syscall_64+0xc8/0x580
|
||||
entry_SYSCALL_64_after_hwframe+0x49/0xbe
|
||||
RIP: 0033:0x462589
|
||||
Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89
|
||||
f7 48 89 d6 48 89
|
||||
ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3
|
||||
48 c7 c1 bc ff ff
|
||||
ff f7 d8 64 89 01 48
|
||||
RSP: 002b:00007fb4b2c83c58 EFLAGS: 00000246 ORIG_RAX: 0000000000000104
|
||||
RAX: ffffffffffffffda RBX: 000000000072bfa0 RCX: 0000000000462589
|
||||
RDX: 0000000000000000 RSI: 00000000200000c0 RDI: 0000000000000007
|
||||
RBP: 0000000000000005 R08: 0000000000001000 R09: 0000000000000000
|
||||
R10: 0000000000000000 R11: 0000000000000246 R12: 00007fb4b2c846bc
|
||||
R13: 00000000004bc733 R14: 00000000006f5138 R15: 00000000ffffffff
|
||||
|
||||
Allocated by task 4185:
|
||||
kasan_kmalloc+0xa0/0xd0
|
||||
__kmalloc+0x14a/0x350
|
||||
sk_prot_alloc+0xf6/0x290
|
||||
sk_alloc+0x3d/0xc00
|
||||
af_alg_accept+0x9e/0x670
|
||||
hash_accept+0x4a3/0x650
|
||||
__sys_accept4+0x306/0x5c0
|
||||
__x64_sys_accept4+0x98/0x100
|
||||
do_syscall_64+0xc8/0x580
|
||||
entry_SYSCALL_64_after_hwframe+0x49/0xbe
|
||||
|
||||
Freed by task 4184:
|
||||
__kasan_slab_free+0x12e/0x180
|
||||
kfree+0xeb/0x2f0
|
||||
__sk_destruct+0x4e6/0x6a0
|
||||
sk_destruct+0x48/0x70
|
||||
__sk_free+0xa9/0x270
|
||||
sk_free+0x2a/0x30
|
||||
af_alg_release+0x5c/0x70
|
||||
__sock_release+0xd3/0x280
|
||||
sock_close+0x1a/0x20
|
||||
__fput+0x27f/0x7f0
|
||||
task_work_run+0x136/0x1b0
|
||||
exit_to_usermode_loop+0x1a7/0x1d0
|
||||
do_syscall_64+0x461/0x580
|
||||
entry_SYSCALL_64_after_hwframe+0x49/0xbe
|
||||
|
||||
Syzkaller reproducer:
|
||||
r0 = perf_event_open(&(0x7f0000000000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0,
|
||||
0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
|
||||
0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
|
||||
0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0,
|
||||
0xffffffffffffffff, 0x0)
|
||||
r1 = socket$alg(0x26, 0x5, 0x0)
|
||||
getrusage(0x0, 0x0)
|
||||
bind(r1, &(0x7f00000001c0)=@alg={0x26, 'hash\x00', 0x0, 0x0,
|
||||
'sha256-ssse3\x00'}, 0x80)
|
||||
r2 = accept(r1, 0x0, 0x0)
|
||||
r3 = accept4$unix(r2, 0x0, 0x0, 0x0)
|
||||
r4 = dup3(r3, r0, 0x0)
|
||||
fchownat(r4, &(0x7f00000000c0)='\x00', 0x0, 0x0, 0x1000)
|
||||
|
||||
Fixes: 6d8c50dcb029 ("socket: close race condition between sock_close() and sockfs_setattr()")
|
||||
Signed-off-by: Mao Wenan <maowenan@huawei.com>
|
||||
---
|
||||
crypto/af_alg.c | 4 +++-
|
||||
1 file changed, 3 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/crypto/af_alg.c b/crypto/af_alg.c
|
||||
index 17eb09d222ff..ec78a04eb136 100644
|
||||
--- a/crypto/af_alg.c
|
||||
+++ b/crypto/af_alg.c
|
||||
@@ -122,8 +122,10 @@ static void alg_do_release(const struct af_alg_type *type, void *private)
|
||||
|
||||
int af_alg_release(struct socket *sock)
|
||||
{
|
||||
- if (sock->sk)
|
||||
+ if (sock->sk) {
|
||||
sock_put(sock->sk);
|
||||
+ sock->sk = NULL;
|
||||
+ }
|
||||
return 0;
|
||||
}
|
||||
EXPORT_SYMBOL_GPL(af_alg_release);
|
||||
2
sources
2
sources
|
|
@ -1,2 +1,2 @@
|
|||
SHA512 (linux-4.20.tar.xz) = e282399beea5da539701aed2bc131abd5bc74a970dcd344163e9d295106dfd700180e672ed546ae5e55bc6b9ac95efd5ca1de2039015c1b7a6fc9c01ea6583d4
|
||||
SHA512 (patch-4.20.11.xz) = 48703ca7d1bb15f14ad1367738bbeef09bbe6b627a56c87a5ab985c8a132c7ca58a6456c9427aa0067207b69660dd3e62d37635100f35a04aa74147d2a18fcb3
|
||||
SHA512 (patch-4.20.12.xz) = 55c1f601f4d3b2fbe7ffdbcf17242e7a10c73c16a8ea35be9ebb6070e96766b544466d36dae96853af23e4eaaff56cdde7be26def1f4a8157aac9f802fc71b73
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue