public inbox for gentoo-commits@lists.gentoo.org
From: "Mike Pagano" <mpagano@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Subject: [gentoo-commits] proj/linux-patches:3.4 commit in: /
Date: Fri,  9 Dec 2016 23:49:34 +0000 (UTC)
Message-ID: <1481327364.aacb6d87890588e839500bcfeabb1fde7bf93e35.mpagano@gentoo>

commit:     aacb6d87890588e839500bcfeabb1fde7bf93e35
Author:     Mike Pagano <mpagano <AT> gentoo <DOT> org>
AuthorDate: Fri Dec  9 23:49:24 2016 +0000
Commit:     Mike Pagano <mpagano <AT> gentoo <DOT> org>
CommitDate: Fri Dec  9 23:49:24 2016 +0000
URL:        https://gitweb.gentoo.org/proj/linux-patches.git/commit/?id=aacb6d87

Fix race condition in packet_set_ring. CVE-2016-8655. Bug #601926.

 0000_README                                      |  8 +--
 1520_fix-race-condition-in-packet-set-ring.patch | 62 ++++++++++++++++++++++++
 2 files changed, 66 insertions(+), 4 deletions(-)

diff --git a/0000_README b/0000_README
index 6a446df..aa8adef 100644
--- a/0000_README
+++ b/0000_README
@@ -495,14 +495,14 @@ Patch:  1500_XATTR_USER_PREFIX.patch
 From:   https://bugs.gentoo.org/show_bug.cgi?id=470644
 Desc:   Support for namespace user.pax.* on tmpfs.
 
-Patch:  1500_selinux-add-SOCK_DIAG_BY_FAMILY-to-the-list-of-netli.patch
-From:   https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=6a96e15096da6e7491107321cfa660c7c2aa119d
-Desc:   selinux: add SOCK_DIAG_BY_FAMILY to the list of netlink message types
-
 Patch:  1512_af_key-initialize-satype-in-key_notify_policy_flush.patch
 From:   https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=85dfb745ee40232876663ae206cba35f24ab2a40
 Desc:   af_key: initialize satype in key_notify_policy_flush()
 
+Patch:  1520_fix-race-condition-in-packet-set-ring.patch
+From:   https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=84ac7260236a49c79eede91617700174c2c19b0c
+Desc:   packet: fix race condition in packet_set_ring. CVE-2016-8655. Bug #601926.
+
 Patch:  1700_correct-bnx2-firware-ver-mips.patch
 From:   https://bugs.gentoo.org/show_bug.cgi?id=424609
 Desc:   Correct firmware version for bnx2 on mips
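
Review bot: The removal of the `1500_selinux-add-SOCK_DIAG_BY_FAMILY-to-the-list-of-netli.patch` entry at the top of this hunk is not mentioned in the commit message, and the diffstat lists only 0000_README and the new 1520 patch, so no patch file is deleted alongside it. If the entry was already stale, say so in the commit message or drop it in a separate commit; if the selinux patch file is still in the tree, this change leaves it undocumented in the README.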

diff --git a/1520_fix-race-condition-in-packet-set-ring.patch b/1520_fix-race-condition-in-packet-set-ring.patch
new file mode 100644
index 0000000..d85527f
--- /dev/null
+++ b/1520_fix-race-condition-in-packet-set-ring.patch
@@ -0,0 +1,62 @@
+--- a/net/packet/af_packet.c	2016-12-07 18:10:25.785812861 -0500
++++ b/net/packet/af_packet.c	2016-12-07 18:18:45.597933525 -0500
+@@ -3648,19 +3648,25 @@ packet_setsockopt(struct socket *sock, i
+ 
+ 		if (optlen != sizeof(val))
+ 			return -EINVAL;
+-		if (po->rx_ring.pg_vec || po->tx_ring.pg_vec)
+-			return -EBUSY;
+ 		if (copy_from_user(&val, optval, sizeof(val)))
+ 			return -EFAULT;
+ 		switch (val) {
+ 		case TPACKET_V1:
+ 		case TPACKET_V2:
+ 		case TPACKET_V3:
+-			po->tp_version = val;
+-			return 0;
++			break;
+ 		default:
+ 			return -EINVAL;
+ 		}
++		lock_sock(sk);
++		if (po->rx_ring.pg_vec || po->tx_ring.pg_vec) {
++			ret = -EBUSY;
++		} else {
++			po->tp_version = val;
++			ret = 0;
++		}
++		release_sock(sk);
++		return ret;
+ 	}
+ 	case PACKET_RESERVE:
+ 	{
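
Review bot: The added block at the end of the PACKET_VERSION case uses `ret` and `sk`, neither of which is declared in the lines shown, so please confirm both are in scope in the 3.4 `packet_setsockopt()` before this backport goes out. Note also that the `-EBUSY` check now runs after `copy_from_user()` and the version switch, so a bad `optval` pointer or an unknown version on a socket with a ring mapped returns `-EFAULT` or `-EINVAL` where it used to return `-EBUSY`; that is acceptable for the fix but worth a line in the patch description.
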
+@@ -4164,6 +4170,7 @@ static int packet_set_ring(struct sock *
+ 	/* Added to avoid minimal code churn */
+ 	struct tpacket_req *req = &req_u->req;
+ 
++	lock_sock(sk);
+ 	/* Opening a Tx-ring is NOT supported in TPACKET_V3 */
+ 	if (!closing && tx_ring && (po->tp_version > TPACKET_V2)) {
+ 		net_warn_ratelimited("Tx-ring is not supported.\n");
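
Review bot: With `lock_sock(sk)` now taken at the top of `packet_set_ring()`, every exit between here and the old lock site has to leave through the `out:` label, where the last hunk moves `release_sock(sk)`. The context shows one `goto out`, but the validation code in between is not part of the patch; check the 3.4 source for any direct `return` in that range, since one would leave the socket locked.
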
+@@ -4245,8 +4252,6 @@ static int packet_set_ring(struct sock *
+ 			goto out;
+ 	}
+ 
+-	lock_sock(sk);
+-
+ 	/* Detach socket from network */
+ 	spin_lock(&po->bind_lock);
+ 	was_running = po->running;
+@@ -4294,11 +4299,11 @@ static int packet_set_ring(struct sock *
+ 		if (!tx_ring)
+ 			prb_shutdown_retire_blk_timer(po, rb_queue);
+ 	}
+-	release_sock(sk);
+ 
+ 	if (pg_vec)
+ 		free_pg_vec(pg_vec, order, req->tp_block_nr);
+ out:
++	release_sock(sk);
+ 	return err;
+ }
+ 
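
Review bot: The new patch file starts directly at the `--- a/net/packet/af_packet.c` line with no description, so the upstream commit id and CVE are recorded only in 0000_README; a short header in the file itself (subject, upstream commit 84ac7260236a49c79eede91617700174c2c19b0c, CVE-2016-8655) would keep the provenance with the patch. In this last hunk, moving `release_sock(sk)` below `out:` also means `free_pg_vec()` now runs with the socket lock held, which deserves a brief comment so a later cleanup does not move it back.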

