authorNicolai Stange <nstange@suse.de>2019-03-07 10:13:25 +0100
committerNicolai Stange <nstange@suse.de>2019-03-07 10:13:25 +0100
commit4615c6811601d31301f564af47aa5490483f5f63 (patch)
treeb6e1e85c751d16d553f3f7a5f9e664e554a20731
parent6c8c78cd47bb1cdf40f7e3916aad5247b9f30488 (diff)
parentd3bb3ad0a2ff57129c4f89331eba5ae0442f752e (diff)
Merge branch 'bsc#1127757_15.0u0-1' into SLE15_Update_0
-rw-r--r--bsc1127757/livepatch_bsc1127757.c126
-rw-r--r--bsc1127757/livepatch_bsc1127757.h16
-rw-r--r--bsc1127757/patched_funcs.csv2
3 files changed, 144 insertions, 0 deletions
diff --git a/bsc1127757/livepatch_bsc1127757.c b/bsc1127757/livepatch_bsc1127757.c
new file mode 100644
index 0000000..c93573b
--- /dev/null
+++ b/bsc1127757/livepatch_bsc1127757.c
@@ -0,0 +1,126 @@
+/*
+ * livepatch_bsc1127757
+ *
+ * Fix for CVE-2018-12232, bsc#1127757
+ *
+ * Upstream commit:
+ * 6d8c50dcb029 ("socket: close race condition between sock_close() and
+ * sockfs_setattr()")
+ *
+ * SLE12(-SP1) commit:
+ * not affected
+ *
+ * SLE12-SP2 commit:
+ * not affected
+ *
+ * SLE12-SP3 commit:
+ * not affected
+ *
+ * SLE12-SP4 commit:
+ * e4246e08badd0ca8d89298ce8fd549a71bc7b3aa
+ *
+ * SLE15 commit:
+ * e4246e08badd0ca8d89298ce8fd549a71bc7b3aa
+ *
+ *
+ * Copyright (c) 2019 SUSE
+ * Author: Nicolai Stange <nstange@suse.de>
+ *
+ * Based on the original Linux kernel code. Other copyrights apply.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <linux/kernel.h>
+#include <linux/module.h>
+#include <linux/fs.h>
+#include <net/sock.h>
+#include <linux/module.h>
+#include <linux/net.h>
+#include "livepatch_bsc1127757.h"
+#include "kallsyms_relocs.h"
+
+
+static int __percpu (*klp_sockets_in_use);
+
+static struct klp_kallsyms_reloc klp_funcs[] = {
+ { "sockets_in_use", (void *)&klp_sockets_in_use },
+};
+
+
+
+/* patched */
+int klp_sockfs_setattr(struct dentry *dentry, struct iattr *iattr)
+{
+ int err = simple_setattr(dentry, iattr);
+
+ if (!err && (iattr->ia_valid & ATTR_UID)) {
+ struct socket *sock = SOCKET_I(d_inode(dentry));
+
+ /*
+ * Fix CVE-2018-12232
+ * -1 line, +4 lines
+ */
+ if (sock->sk)
+ sock->sk->sk_uid = iattr->ia_uid;
+ else
+ err = -ENOENT;
+ }
+
+ return err;
+}
+
+/* new */
+static void klp__sock_release(struct socket *sock, struct inode *inode)
+{
+ if (sock->ops) {
+ struct module *owner = sock->ops->owner;
+
+ if (inode)
+ inode_lock(inode);
+ sock->ops->release(sock);
+ if (inode)
+ inode_unlock(inode);
+ sock->ops = NULL;
+ module_put(owner);
+ }
+
+ if (rcu_dereference_protected(sock->wq, 1)->fasync_list)
+ pr_err("%s: fasync list not empty!\n", __func__);
+
+ this_cpu_sub((*klp_sockets_in_use), 1);
+ if (!sock->file) {
+ iput(SOCK_INODE(sock));
+ return;
+ }
+ sock->file = NULL;
+}
+
+/* patched */
+int klp_sock_close(struct inode *inode, struct file *filp)
+{
+ /*
+ * Fix CVE-2018-12232
+ * -1 line, +1 line
+ */
+ klp__sock_release(SOCKET_I(inode), inode);
+ return 0;
+}
+
+
+
+int livepatch_bsc1127757_init(void)
+{
+ return __klp_resolve_kallsyms_relocs(klp_funcs, ARRAY_SIZE(klp_funcs));
+}
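Review bot: The `if (sock->sk)` test in `klp_sockfs_setattr()` is only safe against a concurrent close if the `->setattr` caller already holds the inode lock that `klp__sock_release()` takes around `sock->ops->release(sock)`, and nothing in the file states that invariant. I would add a comment above the check: `/* Caller holds inode_lock() (VFS ->setattr contract, confirm); klp__sock_release() takes it around ->release(), so sock->sk is stable here. */`. The header comment could also note that the race presumably stays open until the livepatch transition has moved every task off the unpatched `sock_close()`, since the old function does not take the lock; that matters when deciding when a host counts as remediated. Minor: `#include <linux/module.h>` appears twice in the include block.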
diff --git a/bsc1127757/livepatch_bsc1127757.h b/bsc1127757/livepatch_bsc1127757.h
new file mode 100644
index 0000000..47c0a89
--- /dev/null
+++ b/bsc1127757/livepatch_bsc1127757.h
@@ -0,0 +1,16 @@
+#ifndef _LIVEPATCH_BSC1127757_H
+#define _LIVEPATCH_BSC1127757_H
+
+int livepatch_bsc1127757_init(void);
+static inline void livepatch_bsc1127757_cleanup(void) {}
+
+
+struct dentry;
+struct iattr;
+struct inode;
+struct file;
+
+int klp_sockfs_setattr(struct dentry *dentry, struct iattr *iattr);
+int klp_sock_close(struct inode *inode, struct file *filp);
+
+#endif /* _LIVEPATCH_BSC1127757_H */
diff --git a/bsc1127757/patched_funcs.csv b/bsc1127757/patched_funcs.csv
new file mode 100644
index 0000000..47ad686
--- /dev/null
+++ b/bsc1127757/patched_funcs.csv
@@ -0,0 +1,2 @@
+vmlinux sockfs_setattr klp_sockfs_setattr
+vmlinux sock_close klp_sock_close