[git.ipfire.org] IPFire 2.x development tree branch, next, updated. 8818db9a1cf3488707b0a1193af2db56a30a8560

[Arne Fitzenreiter <git@ipfire.org>]

[-- Attachment #1: Type: text/plain, Size: 7227 bytes --]

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".

The branch, next has been updated
       via  8818db9a1cf3488707b0a1193af2db56a30a8560 (commit)
       via  173844d3521040abeac360c2871403e51266dcd4 (commit)
      from  186402fbe83fcff9b15bfab81a6d35cebe431126 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 8818db9a1cf3488707b0a1193af2db56a30a8560
Author: Arne Fitzenreiter <arne_f(a)ipfire.org>
Date:   Fri Feb 22 21:33:45 2019 +0100

    core128: finish core128
    
    Signed-off-by: Arne Fitzenreiter <arne_f(a)ipfire.org>

commit 173844d3521040abeac360c2871403e51266dcd4
Author: Arne Fitzenreiter <arne_f(a)ipfire.org>
Date:   Fri Feb 22 21:20:57 2019 +0100

    kernel: import cve-2019-8912 patch
    
    Signed-off-by: Arne Fitzenreiter <arne_f(a)ipfire.org>

-----------------------------------------------------------------------

Summary of changes:
 lfs/linux                                   |   3 +
 make.sh                                     |   2 +-
 src/patches/linux/linux-cve-2019-8912.patch | 118 ++++++++++++++++++++++++++++
 3 files changed, 122 insertions(+), 1 deletion(-)
 create mode 100644 src/patches/linux/linux-cve-2019-8912.patch

Difference in files:
diff --git a/lfs/linux b/lfs/linux
index 8092381b6..54296b308 100644
--- a/lfs/linux
+++ b/lfs/linux
@@ -146,6 +146,9 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 	# Fix uevent PHYSDEVDRIVER
 	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/linux/linux-2.6.32.27_mcs7830-fix-driver-name.patch
 
+	# Fix cve 2019-8912
+	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/linux/linux-cve-2019-8912.patch
+
 ifeq "$(KCFG)" "-kirkwood"
 	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/linux/linux-4.14.40-kirkwood-dtb.patch
 endif
diff --git a/make.sh b/make.sh
index 3c08997fb..1fcb19994 100755
--- a/make.sh
+++ b/make.sh
@@ -26,7 +26,7 @@ NAME="IPFire"							# Software name
 SNAME="ipfire"							# Short name
 VERSION="2.21"							# Version number
 CORE="128"							# Core Level (Filename)
-PAKFIRE_CORE="127"						# Core Level (PAKFIRE)
+PAKFIRE_CORE="128"						# Core Level (PAKFIRE)
 GIT_BRANCH=`git rev-parse --abbrev-ref HEAD`			# Git Branch
 SLOGAN="www.ipfire.org"						# Software slogan
 CONFIG_ROOT=/var/ipfire						# Configuration rootdir
diff --git a/src/patches/linux/linux-cve-2019-8912.patch b/src/patches/linux/linux-cve-2019-8912.patch
new file mode 100644
index 000000000..6f63ea17b
--- /dev/null
+++ b/src/patches/linux/linux-cve-2019-8912.patch
@@ -0,0 +1,118 @@
+From 9060cb719e61b685ec0102574e10337fa5f445ea Mon Sep 17 00:00:00 2001
+From: Mao Wenan <maowenan(a)huawei.com>
+Date: Mon, 18 Feb 2019 10:44:44 +0800
+Subject: [PATCH] net: crypto set sk to NULL when af_alg_release.
+
+KASAN has found use-after-free in sockfs_setattr.
+The existed commit 6d8c50dcb029 ("socket: close race condition between sock_close()
+and sockfs_setattr()") is to fix this simillar issue, but it seems to ignore
+that crypto module forgets to set the sk to NULL after af_alg_release.
+
+KASAN report details as below:
+BUG: KASAN: use-after-free in sockfs_setattr+0x120/0x150
+Write of size 4 at addr ffff88837b956128 by task syz-executor0/4186
+
+CPU: 2 PID: 4186 Comm: syz-executor0 Not tainted xxx + #1
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
+1.10.2-1ubuntu1 04/01/2014
+Call Trace:
+ dump_stack+0xca/0x13e
+ print_address_description+0x79/0x330
+ ? vprintk_func+0x5e/0xf0
+ kasan_report+0x18a/0x2e0
+ ? sockfs_setattr+0x120/0x150
+ sockfs_setattr+0x120/0x150
+ ? sock_register+0x2d0/0x2d0
+ notify_change+0x90c/0xd40
+ ? chown_common+0x2ef/0x510
+ chown_common+0x2ef/0x510
+ ? chmod_common+0x3b0/0x3b0
+ ? __lock_is_held+0xbc/0x160
+ ? __sb_start_write+0x13d/0x2b0
+ ? __mnt_want_write+0x19a/0x250
+ do_fchownat+0x15c/0x190
+ ? __ia32_sys_chmod+0x80/0x80
+ ? trace_hardirqs_on_thunk+0x1a/0x1c
+ __x64_sys_fchownat+0xbf/0x160
+ ? lockdep_hardirqs_on+0x39a/0x5e0
+ do_syscall_64+0xc8/0x580
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+RIP: 0033:0x462589
+Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89
+f7 48 89 d6 48 89
+ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3
+48 c7 c1 bc ff ff
+ff f7 d8 64 89 01 48
+RSP: 002b:00007fb4b2c83c58 EFLAGS: 00000246 ORIG_RAX: 0000000000000104
+RAX: ffffffffffffffda RBX: 000000000072bfa0 RCX: 0000000000462589
+RDX: 0000000000000000 RSI: 00000000200000c0 RDI: 0000000000000007
+RBP: 0000000000000005 R08: 0000000000001000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 00007fb4b2c846bc
+R13: 00000000004bc733 R14: 00000000006f5138 R15: 00000000ffffffff
+
+Allocated by task 4185:
+ kasan_kmalloc+0xa0/0xd0
+ __kmalloc+0x14a/0x350
+ sk_prot_alloc+0xf6/0x290
+ sk_alloc+0x3d/0xc00
+ af_alg_accept+0x9e/0x670
+ hash_accept+0x4a3/0x650
+ __sys_accept4+0x306/0x5c0
+ __x64_sys_accept4+0x98/0x100
+ do_syscall_64+0xc8/0x580
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+Freed by task 4184:
+ __kasan_slab_free+0x12e/0x180
+ kfree+0xeb/0x2f0
+ __sk_destruct+0x4e6/0x6a0
+ sk_destruct+0x48/0x70
+ __sk_free+0xa9/0x270
+ sk_free+0x2a/0x30
+ af_alg_release+0x5c/0x70
+ __sock_release+0xd3/0x280
+ sock_close+0x1a/0x20
+ __fput+0x27f/0x7f0
+ task_work_run+0x136/0x1b0
+ exit_to_usermode_loop+0x1a7/0x1d0
+ do_syscall_64+0x461/0x580
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+Syzkaller reproducer:
+r0 = perf_event_open(&(0x7f0000000000)={0x0, 0x70, 0x0, 0x0, 0x0, 0x0,
+0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
+0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
+0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0,
+0xffffffffffffffff, 0x0)
+r1 = socket$alg(0x26, 0x5, 0x0)
+getrusage(0x0, 0x0)
+bind(r1, &(0x7f00000001c0)=@alg={0x26, 'hash\x00', 0x0, 0x0,
+'sha256-ssse3\x00'}, 0x80)
+r2 = accept(r1, 0x0, 0x0)
+r3 = accept4$unix(r2, 0x0, 0x0, 0x0)
+r4 = dup3(r3, r0, 0x0)
+fchownat(r4, &(0x7f00000000c0)='\x00', 0x0, 0x0, 0x1000)
+
+Fixes: 6d8c50dcb029 ("socket: close race condition between sock_close() and sockfs_setattr()")
+Signed-off-by: Mao Wenan <maowenan(a)huawei.com>
+Signed-off-by: David S. Miller <davem(a)davemloft.net>
+---
+ crypto/af_alg.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/crypto/af_alg.c b/crypto/af_alg.c
+index 17eb09d222ff4..ec78a04eb136e 100644
+--- a/crypto/af_alg.c
++++ b/crypto/af_alg.c
+@@ -122,8 +122,10 @@ static void alg_do_release(const struct af_alg_type *type, void *private)
+ 
+ int af_alg_release(struct socket *sock)
+ {
+-	if (sock->sk)
++	if (sock->sk) {
+ 		sock_put(sock->sk);
++		sock->sk = NULL;
++	}
+ 	return 0;
+ }
+ EXPORT_SYMBOL_GPL(af_alg_release);


hooks/post-receive
--
IPFire 2.x development tree