Revision history [back]
 | 1 | initial version | posted 2017-07-18 17:12:20 +0200  |
fix a use-after-free in sys_mq_notify() in kernel-mqueue CVE-2017-11176 critical remote
The mq_notify function in the Linux kernel through 4.11.9 does not set the sock pointer to NULL upon entry into the retry logic. During a user-space close of a Netlink socket, it allows attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact. high (attack range: remote) CVSS v3 Base Score: 9.8 Critical
File affected: kernel-adaptation-sbj-3.4.108.20161101.1/ipc/mqueue.c lines 1088-1095
| | 2 | No.2 Revision |
fix a use-after-free in sys_mq_notify() in kernel-mqueue CVE-2017-11176 critical remote
The mq_notify function in the Linux kernel through 4.11.9 does not set the sock pointer to NULL upon entry into the retry logic. During a user-space close of a Netlink socket, it allows attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact. high (attack range: remote) CVSS v3 Base Score: 9.8 Critical
File affected: kernel-adaptation-sbj-3.4.108.20161101.1/ipc/mqueue.c lines 1088-1095
| | 3 | No.3 Revision |
fix a use-after-free in sys_mq_notify() in kernel-mqueue CVE-2017-11176 critical remote
The mq_notify function in the Linux kernel through 4.11.9 does not set the sock pointer to NULL upon entry into the retry logic. During a user-space close of a Netlink socket, it allows attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact. high (attack range: remote) CVSS v3 Base Score: 9.8 Critical
File file affected: kernel-adaptation-sbj-3.4.108.20161101.1/ipc/mqueue.c lines 1088-1095
| | 4 | No.4 Revision |
fix a use-after-free in sys_mq_notify() in kernel-mqueue CVE-2017-11176 critical remote
The mq_notify function in the Linux kernel through 4.11.9 does not set the sock pointer to NULL upon entry into the retry logic. During a user-space close of a Netlink socket, it allows attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact. high (attack range: remote) CVSS v3 Base Score: 9.8 Critical
file affected: kernel-adaptation-sbj-3.4.108.20161101.1/ipc/mqueue.c lines 1088-1095
so the whole fix should look like:
@@ -1088,8 +1088,10 @@ retry:
timeo = MAX_SCHEDULE_TIMEOUT;
ret = netlink_attachskb(sock, nc, &timeo, NULL);
- if (ret == 1)
+ if (ret == 1) {
+ sock = NULL;
goto retry;
+ }
if (ret) {
sock = NULL;
nc = NULL;
The retry logic for netlink_attachskb() inside sys_mq_notify() is nasty and vulnerable:
1) The sock refcnt is already released when retry is needed
2) The fd is controllable by user-space because we already release the file refcnt
so we when retry but the fd has been just closed by user-space during this small window, we end up calling netlink_detachskb() on the error path which releases the sock again, later when the user-space closes this socket a use-after-free could be triggered. Setting 'sock' to NULL here should be sufficient to fix it.