From 18f6ac2854ac8c0df5f615d06380cffcd1826bbe Mon Sep 17 00:00:00 2001 From: Justin M. Forbes Date: Dec 18 2017 14:17:57 +0000 Subject: Fix CVE-2017-17712 (rhbz 1526427 1526933) --- diff --git a/kernel.spec b/kernel.spec index a96b624..09b1b1f 100644 --- a/kernel.spec +++ b/kernel.spec @@ -670,6 +670,9 @@ Patch627: qxl-fixes.patch # rhbz 1462175 Patch628: HID-rmi-Check-that-a-device-is-a-RMI-device-before-c.patch +# CVE-2017-17712 rhbz 1526427 1526933 +Patch629: net-ipv4-fix-for-a-race-condition-in-raw_sendmsg.patch + # END OF PATCH DEFINITIONS %endif @@ -2226,6 +2229,7 @@ fi %changelog * Mon Dec 18 2017 Justin M. Forbes - 4.14.7-300 - Linux v4.14.7 +- Fix CVE-2017-17712 (rhbz 1526427 1526933) * Thu Dec 14 2017 Jeremy Cline - 4.14.6-300 - Linux v4.14.6 diff --git a/net-ipv4-fix-for-a-race-condition-in-raw_sendmsg.patch b/net-ipv4-fix-for-a-race-condition-in-raw_sendmsg.patch new file mode 100644 index 0000000..41ad4af --- /dev/null +++ b/net-ipv4-fix-for-a-race-condition-in-raw_sendmsg.patch @@ -0,0 +1,81 @@ +From patchwork Sun Dec 10 03:50:58 2017 +Content-Type: text/plain; charset="utf-8" +MIME-Version: 1.0 +Content-Transfer-Encoding: 7bit +Subject: net: ipv4: fix for a race condition in raw_sendmsg +X-Patchwork-Submitter: simo.ghannam@gmail.com +X-Patchwork-Id: 846641 +X-Patchwork-Delegate: davem@davemloft.net +Message-Id: <5a2caf2e.4ce61c0a.5017a.575f@mx.google.com> +To: netdev@vger.kernel.org +Cc: Mohamed Ghannam +Date: Sun, 10 Dec 2017 03:50:58 +0000 +From: simo.ghannam@gmail.com +List-Id: + +From: Mohamed Ghannam + +inet->hdrincl is racy, and could lead to uninitialized stack pointer +usage, so its value should be read only once. + +Signed-off-by: Mohamed Ghannam +Reviewed-by: Eric Dumazet +--- + net/ipv4/raw.c | 15 ++++++++++----- + 1 file changed, 10 insertions(+), 5 deletions(-) + +diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c +index 33b70bfd1122..125c1eab3eaa 100644 +--- a/net/ipv4/raw.c ++++ b/net/ipv4/raw.c +@@ -513,11 +513,16 @@ static int raw_sendmsg(struct sock *sk, struct msghdr *msg, size_t len) + int err; + struct ip_options_data opt_copy; + struct raw_frag_vec rfv; ++ int hdrincl; + + err = -EMSGSIZE; + if (len > 0xFFFF) + goto out; + ++ /* hdrincl should be READ_ONCE(inet->hdrincl) ++ * but READ_ONCE() doesn't work with bit fields ++ */ ++ hdrincl = inet->hdrincl; + /* + * Check the flags. + */ +@@ -593,7 +598,7 @@ static int raw_sendmsg(struct sock *sk, struct msghdr *msg, size_t len) + /* Linux does not mangle headers on raw sockets, + * so that IP options + IP_HDRINCL is non-sense. + */ +- if (inet->hdrincl) ++ if (hdrincl) + goto done; + if (ipc.opt->opt.srr) { + if (!daddr) +@@ -615,12 +620,12 @@ static int raw_sendmsg(struct sock *sk, struct msghdr *msg, size_t len) + + flowi4_init_output(&fl4, ipc.oif, sk->sk_mark, tos, + RT_SCOPE_UNIVERSE, +- inet->hdrincl ? IPPROTO_RAW : sk->sk_protocol, ++ hdrincl ? IPPROTO_RAW : sk->sk_protocol, + inet_sk_flowi_flags(sk) | +- (inet->hdrincl ? FLOWI_FLAG_KNOWN_NH : 0), ++ (hdrincl ? FLOWI_FLAG_KNOWN_NH : 0), + daddr, saddr, 0, 0, sk->sk_uid); + +- if (!inet->hdrincl) { ++ if (!hdrincl) { + rfv.msg = msg; + rfv.hlen = 0; + +@@ -645,7 +650,7 @@ static int raw_sendmsg(struct sock *sk, struct msghdr *msg, size_t len) + goto do_confirm; + back_from_confirm: + +- if (inet->hdrincl) ++ if (hdrincl) + err = raw_send_hdrinc(sk, &fl4, msg, len, + &rt, msg->msg_flags, &ipc.sockc); +