[SRU][P-ESM/T/Z][CVE-2017-11176][PATCH] mqueue: fix a use-after-free in sys_mq_notify()

[Juerg Haefliger]

From: Cong Wang <xiyou.wangcong at gmail.com>

The retry logic for netlink_attachskb() inside sys_mq_notify()
is nasty and vulnerable:

1) The sock refcnt is already released when retry is needed
2) The fd is controllable by user-space because we already
   release the file refcnt

so we when retry but the fd has been just closed by user-space
during this small window, we end up calling netlink_detachskb()
on the error path which releases the sock again, later when
the user-space closes this socket a use-after-free could be
triggered.

Setting 'sock' to NULL here should be sufficient to fix it.

CVE-2017-11176

Reported-by: GeneBlue <geneblue.mail at gmail.com>
Signed-off-by: Cong Wang <xiyou.wangcong at gmail.com>
Cc: Andrew Morton <akpm at linux-foundation.org>
Cc: Manfred Spraul <manfred at colorfullife.com>
Cc: stable at kernel.org
Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
(cherry picked from commit f991af3daabaecff34684fd51fac80319d1baad1)
Signed-off-by: Juerg Haefliger <juerg.haefliger at canonical.com>
---
 ipc/mqueue.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/ipc/mqueue.c b/ipc/mqueue.c
index 5b4293d9819d..081a2d74b0d1 100644
--- a/ipc/mqueue.c
+++ b/ipc/mqueue.c
@@ -1095,8 +1095,10 @@ retry:
 
 			timeo = MAX_SCHEDULE_TIMEOUT;
 			ret = netlink_attachskb(sock, nc, &timeo, NULL);
-			if (ret == 1)
+			if (ret == 1) {
+				sock = NULL;
 				goto retry;
+			}
 			if (ret) {
 				sock = NULL;
 				nc = NULL;
-- 
2.14.1