crypto set sk to NULL when af_alg_release in kernel-net CVE-2019-8912 critical remote
asked 2019-02-21 09:17:09 +0200
In the Linux kernel from 2.6 through 4.20.11, af_alg_release() in crypto/af_alg.c neglects to set a NULL value for a certain structure member, which leads to a use-after-free in sockfs_setattr.
CVSS v3 Base Score: 9.8 CRITICAL (attack range: remote)
Patch is available.
File affected: kernel-adaptation-sbj-3.4.108.20181002.1/crypto/af_alg.c, lines 119-127
The patch should look like:
diff --git a/crypto/af_alg.c b/crypto/af_alg.c
index 17eb09d222ff..ec78a04eb136 100644
--- a/crypto/af_alg.c
+++ b/crypto/af_alg.c
@@ -119,8 +119,10 @@ static void alg_do_release(const struct af_alg_type *type, void *private)
int af_alg_release(struct socket *sock)
{
- if (sock->sk)
+ if (sock->sk) {
sock_put(sock->sk);
+ sock->sk = NULL;
+ }
return 0;
}
EXPORT_SYMBOL_GPL(af_alg_release);
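Review bot: the one-line addition `sock->sk = NULL;` after `sock_put(sock->sk);` is the right fix for the described use-after-free: sock_put() can drop the last reference and free the sock, and leaving the stale pointer in sock->sk is what lets a later sockfs_setattr() call dereference freed memory, so clearing it inside the same `if (sock->sk)` branch is correct and complete for this function. One thing to confirm before applying: the index line and line numbers in this hunk come from the upstream tree, while the file named above is the kernel-adaptation-sbj-3.4.108 copy of crypto/af_alg.c; check that af_alg_release() there has the same three-line body so the hunk applies cleanly rather than needing a manual edit.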
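A constructed C model of the bug and of the fix, added here as an illustration and not taken from the kernel: it assumes a simplified struct sock with a plain refcount, a sock_put() that frees at zero, and models sockfs_setattr's guard as a NULL test on sock->sk.

```c
#include <stdlib.h>

/* Constructed model of the kernel objects involved (not kernel code). */
struct sock { int refcnt; };
struct socket { struct sock *sk; };
static int freed_socks; /* count of struct sock freed so far */

/* Like sock_put(): drop one reference, free the sock at zero. */
static void sock_put(struct sock *sk)
{
    if (--sk->refcnt == 0) {
        free(sk);
        freed_socks++;
    }
}

/* Pre-fix af_alg_release(): the reference is dropped, but sock->sk
 * keeps pointing at the (possibly freed) sock. */
static int af_alg_release_buggy(struct socket *sock)
{
    if (sock->sk)
        sock_put(sock->sk);
    return 0;
}

/* Fixed af_alg_release() as in the patch above: clear the pointer so
 * later users of the socket (sockfs_setattr) see no sock at all. */
static int af_alg_release_fixed(struct socket *sock)
{
    if (sock->sk) {
        sock_put(sock->sk);
        sock->sk = NULL;
    }
    return 0;
}

/* Run one release variant on a socket that holds the last reference.
 * Returns 1 if a later sockfs_setattr-style "if (sock->sk)" check would
 * still see a pointer to a sock that has already been freed (the
 * use-after-free), 0 if the pointer was cleared. Never dereferences it. */
static int release_leaves_dangling(int (*release)(struct socket *))
{
    struct socket sock;
    int before = freed_socks;
    sock.sk = malloc(sizeof *sock.sk);
    sock.sk->refcnt = 1;
    release(&sock);
    return sock.sk != NULL && freed_socks == before + 1;
}
```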