fix a use-after-free in sys_mq_notify() in kernel-mqueue CVE-2017-11176 critical remote [released]

Tracked by Jolla (In release)

asked 2017-07-18 17:12:20 +0300

this post is marked as community wiki

This post is a wiki. Anyone with karma >75 is welcome to improve it.

updated 2017-11-04 09:04:57 +0300

lpr gravatar image

The mq_notify function in the Linux kernel through 4.11.9 does not set the sock pointer to NULL upon entry into the retry logic. During a user-space close of a Netlink socket, it allows attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact. high (attack range: remote) CVSS v3 Base Score: 9.8 Critical

Patch is available

file affected: kernel-adaptation-sbj- lines 1088-1095

so the whole fix should look like:

@@ -1088,8 +1088,10 @@ retry:

        timeo = MAX_SCHEDULE_TIMEOUT;
        ret = netlink_attachskb(sock, nc, &timeo, NULL);
-           if (ret == 1)
+           if (ret == 1) {
+               sock = NULL;
            goto retry;
+           }
        if (ret) {
            sock = NULL;
            nc = NULL;

The retry logic for netlink_attachskb() inside sys_mq_notify() is nasty and vulnerable:

1) The sock refcnt is already released when retry is needed

2) The fd is controllable by user-space because we already release the file refcnt

so we when retry but the fd has been just closed by user-space during this small window, we end up calling netlink_detachskb() on the error path which releases the sock again, later when the user-space closes this socket a use-after-free could be triggered. Setting 'sock' to NULL here should be sufficient to fix it.

edit retag flag offensive reopen delete

The question has been closed for the following reason "released in a software update" by lpr
close date 2018-02-15 20:47:00.236033


@jovirkku this should have a "tracked by jolla" label

lpr ( 2017-09-19 09:45:09 +0300 )edit

Tracking added.

jovirkku ( 2017-11-09 14:10:16 +0300 )edit

@lpr released with kernel in sfos2.1.4.12

lpr ( 2018-02-15 20:46:32 +0300 )edit