fix a use-after-free in sys_mq_notify() in kernel-mqueue CVE-2017-11176 critical remote

Tracked by Jolla (In progress)

asked 2017-07-18 17:12:20 +0200

this post is marked as community wiki

This post is a wiki. Anyone with karma >75 is welcome to improve it.

updated 2017-11-04 09:04:57 +0200

lpr gravatar image

The mq_notify function in the Linux kernel through 4.11.9 does not set the sock pointer to NULL upon entry into the retry logic. During a user-space close of a Netlink socket, it allows attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact. high (attack range: remote) CVSS v3 Base Score: 9.8 Critical

Patch is available

file affected: kernel-adaptation-sbj-3.4.108.20161101.1/ipc/mqueue.c lines 1088-1095

so the whole fix should look like:

@@ -1088,8 +1088,10 @@ retry:

        timeo = MAX_SCHEDULE_TIMEOUT;
        ret = netlink_attachskb(sock, nc, &timeo, NULL);
-           if (ret == 1)
+           if (ret == 1) {
+               sock = NULL;
            goto retry;
+           }
        if (ret) {
            sock = NULL;
            nc = NULL;

The retry logic for netlink_attachskb() inside sys_mq_notify() is nasty and vulnerable:

1) The sock refcnt is already released when retry is needed

2) The fd is controllable by user-space because we already release the file refcnt

so we when retry but the fd has been just closed by user-space during this small window, we end up calling netlink_detachskb() on the error path which releases the sock again, later when the user-space closes this socket a use-after-free could be triggered. Setting 'sock' to NULL here should be sufficient to fix it.

edit retag flag offensive close delete

Comments

@jovirkku this should have a "tracked by jolla" label

lpr ( 2017-09-19 09:45:09 +0200 )edit

Tracking added.

jovirkku ( 2017-11-09 14:10:16 +0200 )edit