ACK: [Trusty SRU] Fix CVE-2017-6346

Fri Aug 25 14:42:34 UTC 2017

On 24/08/17 16:49, Stefan Bader wrote:
> From 667526d7ccd320b438b81136af53fe2ab0f11013 Mon Sep 17 00:00:00 2001
> From: Eric Dumazet <edumazet at google.com>
> Date: Tue, 14 Feb 2017 09:03:51 -0800
> Subject: [PATCH] packet: fix races in fanout_add()
> 
> Multiple threads can call fanout_add() at the same time.
> 
> We need to grab fanout_mutex earlier to avoid races that could
> lead to one thread freeing po->rollover that was set by another thread.
> 
> Do the same in fanout_release(), for peace of mind, and to help us
> finding lockdep issues earlier.
> 
> Fixes: dc99f600698d ("packet: Add fanout support.")
> Fixes: 0648ab70afe6 ("packet: rollover prepare: per-socket state")
> Signed-off-by: Eric Dumazet <edumazet at google.com>
> Cc: Willem de Bruijn <willemb at google.com>
> Signed-off-by: David S. Miller <davem at davemloft.net>
> 
> CVE-2017-6346
> 
> (backported from commit d199fab63c11998a602205f7ee7ff7c05c97164b)
> [smb: no po->rollover, verified against 3.2.y backport from bwh]
> Signed-off-by: Stefan Bader <stefan.bader at canonical.com>
> ---
>  Notes:
>  - was fixed in 4.10 and 4.4.52, so only Trusty left to fix
>  - in Trusty there is no po->rollover, so context had to be adjusted
>    to make up for that.
>  - The resulting changes look like the possible race window is much
>    smaller than for later kernels, but on the other hand it cannot
>    hurt to extend the mutex coverage by a bit.
> 
> -Stefan
> 
>  net/packet/af_packet.c | 26 ++++++++++++++------------
>  1 file changed, 14 insertions(+), 12 deletions(-)
> 
> diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
> index 146274a..59a1558 100644
> --- a/net/packet/af_packet.c
> +++ b/net/packet/af_packet.c
> @@ -1315,13 +1315,16 @@ static int fanout_add(struct sock *sk, u16 id, u16 type_flags)
>  		return -EINVAL;
>  	}
>  
> +	mutex_lock(&fanout_mutex);
> +
> +	err = -EINVAL;
>  	if (!po->running)
> -		return -EINVAL;
> +		goto out;
>  
> +	err = -EALREADY;
>  	if (po->fanout)
> -		return -EALREADY;
> +		goto out;
>  
> -	mutex_lock(&fanout_mutex);
>  	match = NULL;
>  	list_for_each_entry(f, &fanout_list, list) {
>  		if (f->id == id &&
> @@ -1377,17 +1380,16 @@ static void fanout_release(struct sock *sk)
>  	struct packet_sock *po = pkt_sk(sk);
>  	struct packet_fanout *f;
>  
> -	f = po->fanout;
> -	if (!f)
> -		return;
> -
>  	mutex_lock(&fanout_mutex);
> -	po->fanout = NULL;
> +	f = po->fanout;
> +	if (f) {
> +		po->fanout = NULL;
>  
> -	if (atomic_dec_and_test(&f->sk_ref)) {
> -		list_del(&f->list);
> -		dev_remove_pack(&f->prot_hook);
> -		kfree(f);
> +		if (atomic_dec_and_test(&f->sk_ref)) {
> +			list_del(&f->list);
> +			dev_remove_pack(&f->prot_hook);
> +			kfree(f);
> +		}
>  	}
>  	mutex_unlock(&fanout_mutex);
>  }
> 
Thanks Stefan, I believe this is semantically the same as the upstream
patch with respect to the locking.

Looks good.

Acked-by: Colin Ian King <colin.king at canonical.com>