crypto set sk to NULL when af_alg_release in kernel-net CVE-2019-8912 critical remote

Tracked by Jolla

asked 2019-02-21 09:17:09 +0200

this post is marked as community wiki

This post is a wiki. Anyone with karma >75 is welcome to improve it.

updated 2019-02-21 09:23:10 +0200

lpr gravatar image

In the Linux kernel from 2.6 through 4.20.11, af_alg_release() in crypto/af_alg.c neglects to set a NULL value for a certain structure member, which leads to a use-after-free in sockfs_setattr.

CVSS v3 Base Score: 9.8 CRITICAL (attack range: remote)

Patch is available.

File affected: File affected: kernel-adaptation-sbj-3.4.108.20181002.1/crypto/af_alg.c lines 119-127

The Patch should look like:

diff --git a/crypto/af_alg.c b/crypto/af_alg.c
index 17eb09d222ff..ec78a04eb136 100644
--- a/crypto/af_alg.c
+++ b/crypto/af_alg.c
@@ -119,8 +119,10 @@  static void alg_do_release(const struct af_alg_type *type, void *private)

 int af_alg_release(struct socket *sock)
 {
-   if (sock->sk)
+   if (sock->sk) {
    sock_put(sock->sk);
+       sock->sk = NULL;
+   }
    return 0;
 }
 EXPORT_SYMBOL_GPL(af_alg_release);
edit retag flag offensive close delete