linux_old1/ipc
Cong Wang f991af3daa mqueue: fix a use-after-free in sys_mq_notify()
The retry logic for netlink_attachskb() inside sys_mq_notify()
is nasty and vulnerable:

1) The sock refcnt is already released when retry is needed
2) The fd is controllable by user-space because we already
   release the file refcnt

so we when retry but the fd has been just closed by user-space
during this small window, we end up calling netlink_detachskb()
on the error path which releases the sock again, later when
the user-space closes this socket a use-after-free could be
triggered.

Setting 'sock' to NULL here should be sufficient to fix it.

Reported-by: GeneBlue <geneblue.mail@gmail.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Manfred Spraul <manfred@colorfullife.com>
Cc: stable@kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2017-07-09 14:37:19 -07:00
..
Makefile mqueue: move compat syscalls to native ones 2017-07-04 13:13:49 -04:00
compat.c ipc: resolve shadow warnings 2014-10-14 02:18:23 +02:00
ipc_sysctl.c ipc/msg: increase MSGMNI, remove scaling 2014-12-13 12:42:52 -08:00
mq_sysctl.c ipc: convert use of typedef ctl_table to struct ctl_table 2014-06-06 16:08:16 -07:00
mqueue.c mqueue: fix a use-after-free in sys_mq_notify() 2017-07-09 14:37:19 -07:00
msg.c sched/headers: Move the wake-queue types and interfaces from sched.h into <linux/sched/wake_q.h> 2017-03-02 08:42:42 +01:00
msgutil.c ipc: account for kmem usage on mqueue and msg 2016-10-27 18:43:43 -07:00
namespace.c sched/headers: Prepare to move the task_lock()/unlock() APIs to <linux/sched/task.h> 2017-03-02 08:42:38 +01:00
sem.c sched/headers: Prepare for new header dependencies before moving code to <linux/sched/wake_q.h> 2017-03-02 08:42:26 +01:00
shm.c fs: remove call_fsync helper function 2017-07-05 18:44:23 -04:00
syscall.c get rid of union semop in sys_semctl(2) arguments 2013-03-05 15:14:16 -05:00
util.c mm: introduce kv[mz]alloc helpers 2017-05-08 17:15:12 -07:00
util.h ipc: Remove unused declaration of recompute_msgmni 2017-04-17 21:53:07 -05:00