NACK: [CVE-2017-1000111][SRU][Precise] packet: fix tp_reserve race in packet_set_ring
Po-Hsu Lin
po-hsu.lin at canonical.com
Mon Aug 28 10:57:27 UTC 2017
Thanks for the explanation.
NACK this as per Stefan's comment.
On Mon, Aug 28, 2017 at 6:34 PM, Stefan Bader <stefan.bader at canonical.com> wrote:
> On 28.08.2017 09:23, Po-Hsu Lin wrote:
>> From: Willem de Bruijn <willemb at google.com>
>>
>> CVE-2017-1000111
>
> I think we skipped that, as well as CVE-2017-1000112 because the assessment was
> that this is only exploitable in conjunction with having user namespaces. So a
> user could trigger those things from within a container. As Precise does not
> have user namespace support we should have marked it as not-affected for Precise.
>
> -Stefan
>
>>
>> Updates to tp_reserve can race with reads of the field in
>> packet_set_ring. Avoid this by holding the socket lock during
>> updates in setsockopt PACKET_RESERVE.
>>
>> This bug was discovered by syzkaller.
>>
>> Fixes: 8913336a7e8d ("packet: add PACKET_RESERVE sockopt")
>> Reported-by: Andrey Konovalov <andreyknvl at google.com>
>> Signed-off-by: Willem de Bruijn <willemb at google.com>
>> Signed-off-by: David S. Miller <davem at davemloft.net>
>> (cherry picked from commit c27927e372f0785f3303e8fad94b85945e2c97b7)
>> Signed-off-by: Po-Hsu Lin <po-hsu.lin at canonical.com>
>> ---
>> net/packet/af_packet.c | 13 +++++++++----
>> 1 file changed, 9 insertions(+), 4 deletions(-)
>>
>> diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
>> index 776eaa15..d4e8bf6 100644
>> --- a/net/packet/af_packet.c
>> +++ b/net/packet/af_packet.c
>> @@ -3117,14 +3117,19 @@ packet_setsockopt(struct socket *sock, int level, int optname, char __user *optv
>>
>> if (optlen != sizeof(val))
>> return -EINVAL;
>> - if (po->rx_ring.pg_vec || po->tx_ring.pg_vec)
>> - return -EBUSY;
>> if (copy_from_user(&val, optval, sizeof(val)))
>> return -EFAULT;
>> if (val > INT_MAX)
>> return -EINVAL;
>> - po->tp_reserve = val;
>> - return 0;
>> + lock_sock(sk);
>> + if (po->rx_ring.pg_vec || po->tx_ring.pg_vec) {
>> + ret = -EBUSY;
>> + } else {
>> + po->tp_reserve = val;
>> + ret = 0;
>> + }
>> + release_sock(sk);
>> + return ret;
>> }
>> case PACKET_LOSS:
>> {
>>
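Review bot: the `ret = -EBUSY;` / `ret = 0;` lines assign `ret` without declaring it, so the hunk relies on `ret` already being in scope in packet_setsockopt; the visible context does not show that declaration, so confirm it exists in the Precise tree or the backport will not build. The race is only closed if the reader in packet_set_ring also takes lock_sock(sk) before reading tp_reserve, which this hunk cannot show; please confirm that for the Precise version of af_packet.c. Moving the `rx_ring.pg_vec || tx_ring.pg_vec` check inside the lock is the right ordering, since checking before the lock would let a ring be created between the check and `po->tp_reserve = val;`, and keeping copy_from_user() ahead of lock_sock(sk) is fine as it avoids a possible page fault under the lock.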
>
>