fix a use-after-free in sys_mq_notify() in kernel-mqueue CVE-2017-11176 critical remote [released]
asked 2017-07-18 17:12:20 +0300
This post is a wiki. Anyone with karma >75 is welcome to improve it.
The mq_notify function in the Linux kernel through 4.11.9 does not set the sock pointer to NULL upon entry into the retry logic. During a user-space close of a Netlink socket, it allows attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact. high (attack range: remote) CVSS v3 Base Score: 9.8 Critical
file affected: kernel-adaptation-sbj-3.4.108.20161101.1/ipc/mqueue.c lines 1088-1095
so the whole fix should look like:
@@ -1088,8 +1088,10 @@ retry:
timeo = MAX_SCHEDULE_TIMEOUT;
ret = netlink_attachskb(sock, nc, &timeo, NULL);
- if (ret == 1)
+ if (ret == 1) {
+ sock = NULL;
goto retry;
+ }
if (ret) {
sock = NULL;
nc = NULL;
The retry logic for netlink_attachskb() inside sys_mq_notify() is nasty and vulnerable:
1) The sock refcnt is already released when retry is needed
2) The fd is controllable by user-space because we already release the file refcnt
so we when retry but the fd has been just closed by user-space during this small window, we end up calling netlink_detachskb() on the error path which releases the sock again, later when the user-space closes this socket a use-after-free could be triggered. Setting 'sock' to NULL here should be sufficient to fix it.
@jovirkku this should have a "tracked by jolla" label
lpr ( 2017-09-19 09:45:09 +0300 )Tracking added.
jovirkku ( 2017-11-09 14:10:16 +0300 )@lpr released with kernel 3.4.108.20171107.1 in sfos2.1.4.12
lpr ( 2018-02-15 20:46:32 +0300 )