releases/3.14.63/rds-fix-race-condition-when-sending-a-message-on-unbound-socket.patch - pub/scm/linux/kernel/git/stable/stable-queue - Git at Google

 From 8c7188b23474cca017b3ef354c4a58456f68303a Mon Sep 17 00:00:00 2001
 From: Quentin Casasnovas <quentin.casasnovas@oracle.com>
 Date: Tue, 24 Nov 2015 17:13:21 -0500
 Subject: RDS: fix race condition when sending a message on unbound socket

 From: Quentin Casasnovas <quentin.casasnovas@oracle.com>

 commit 8c7188b23474cca017b3ef354c4a58456f68303a upstream.

 Sasha's found a NULL pointer dereference in the RDS connection code when
 sending a message to an apparently unbound socket.  The problem is caused
 by the code checking if the socket is bound in rds_sendmsg(), which checks
 the rs_bound_addr field without taking a lock on the socket.  This opens a
 race where rs_bound_addr is temporarily set but where the transport is not
 in rds_bind(), leading to a NULL pointer dereference when trying to
 dereference 'trans' in __rds_conn_create().

 Vegard wrote a reproducer for this issue, so kindly ask him to share if
 you're interested.

 I cannot reproduce the NULL pointer dereference using Vegard's reproducer
 with this patch, whereas I could without.

 Complete earlier incomplete fix to CVE-2015-6937:

   74e98eb08588 ("RDS: verify the underlying transport exists before creating a connection")

 Reviewed-by: Vegard Nossum <vegard.nossum@oracle.com>
 Reviewed-by: Sasha Levin <sasha.levin@oracle.com>
 Acked-by: Santosh Shilimkar <santosh.shilimkar@oracle.com>
 Signed-off-by: Quentin Casasnovas <quentin.casasnovas@oracle.com>
 Signed-off-by: David S. Miller <davem@davemloft.net>
 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 ---
  net/rds/connection.c |    6 ------
  net/rds/send.c       |    4 +++-
  2 files changed, 3 insertions(+), 7 deletions(-)

 --- a/net/rds/connection.c
 +++ b/net/rds/connection.c
 @@ -189,12 +189,6 @@ static struct rds_connection *__rds_conn
  		goto out;
  	}

 -	if (trans == NULL) {
 -		kmem_cache_free(rds_conn_slab, conn);
 -		conn = ERR_PTR(-ENODEV);
 -		goto out;
 -	}
 -
  	conn->c_trans = trans;

  	ret = trans->conn_alloc(conn, gfp);
 --- a/net/rds/send.c
 +++ b/net/rds/send.c
 @@ -955,11 +955,13 @@ int rds_sendmsg(struct kiocb *iocb, stru
  		release_sock(sk);
  	}

 -	/* racing with another thread binding seems ok here */
 +	lock_sock(sk);
  	if (daddr == 0 || rs->rs_bound_addr == 0) {
 +		release_sock(sk);
  		ret = -ENOTCONN; /* XXX not a great errno */
  		goto out;
  	}
 +	release_sock(sk);

  	/* size of rm including all sgs */
  	ret = rds_rm_size(msg, payload_len);
	From 8c7188b23474cca017b3ef354c4a58456f68303a Mon Sep 17 00:00:00 2001
	From: Quentin Casasnovas <quentin.casasnovas@oracle.com>
	Date: Tue, 24 Nov 2015 17:13:21 -0500
	Subject: RDS: fix race condition when sending a message on unbound socket

	From: Quentin Casasnovas <quentin.casasnovas@oracle.com>

	commit 8c7188b23474cca017b3ef354c4a58456f68303a upstream.

	Sasha's found a NULL pointer dereference in the RDS connection code when
	sending a message to an apparently unbound socket. The problem is caused
	by the code checking if the socket is bound in rds_sendmsg(), which checks
	the rs_bound_addr field without taking a lock on the socket. This opens a
	race where rs_bound_addr is temporarily set but where the transport is not
	in rds_bind(), leading to a NULL pointer dereference when trying to
	dereference 'trans' in __rds_conn_create().

	Vegard wrote a reproducer for this issue, so kindly ask him to share if
	you're interested.

	I cannot reproduce the NULL pointer dereference using Vegard's reproducer
	with this patch, whereas I could without.

	Complete earlier incomplete fix to CVE-2015-6937:

	74e98eb08588 ("RDS: verify the underlying transport exists before creating a connection")

	Reviewed-by: Vegard Nossum <vegard.nossum@oracle.com>
	Reviewed-by: Sasha Levin <sasha.levin@oracle.com>
	Acked-by: Santosh Shilimkar <santosh.shilimkar@oracle.com>
	Signed-off-by: Quentin Casasnovas <quentin.casasnovas@oracle.com>
	Signed-off-by: David S. Miller <davem@davemloft.net>
	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

	---
	net/rds/connection.c \| 6 ------
	net/rds/send.c \| 4 +++-
	2 files changed, 3 insertions(+), 7 deletions(-)

	--- a/net/rds/connection.c
	+++ b/net/rds/connection.c
	@@ -189,12 +189,6 @@ static struct rds_connection *__rds_conn
	goto out;
	}

	- if (trans == NULL) {
	- kmem_cache_free(rds_conn_slab, conn);
	- conn = ERR_PTR(-ENODEV);
	- goto out;
	- }
	-
	conn->c_trans = trans;

	ret = trans->conn_alloc(conn, gfp);
	--- a/net/rds/send.c
	+++ b/net/rds/send.c
	@@ -955,11 +955,13 @@ int rds_sendmsg(struct kiocb *iocb, stru
	release_sock(sk);
	}

	- /* racing with another thread binding seems ok here */
	+ lock_sock(sk);
	if (daddr == 0 \|\| rs->rs_bound_addr == 0) {
	+ release_sock(sk);
	ret = -ENOTCONN; /* XXX not a great errno */
	goto out;
	}
	+ release_sock(sk);

	/* size of rm including all sgs */
	ret = rds_rm_size(msg, payload_len);