FPII-2399 : Elevation of privilege vulnerability in kernel networking
subsystem (device specific) CVE-2016-7117 A-30515201
There is a potential use-after-free vulnerability when the underlying recvmsg calls
return some packets and then hit an error, which will make recvmmsg set sock->sk->sk_err.
The fix is designed to prevent the setting of sock->sk->sk_err after an error,
preventing the potential use-after-free vulnerability.
Change-Id: I6fefd964e68d863416a2ee5d75f6b8d1ce5f016b
diff --git a/net/socket.c b/net/socket.c
index e176e19..81b449e 100644
--- a/net/socket.c
+++ b/net/socket.c
@@ -2311,31 +2311,32 @@
break;
}
-out_put:
- fput_light(sock->file, fput_needed);
-
if (err == 0)
- return datagrams;
+ goto out_put;
- if (datagrams != 0) {
- /*
- * We may return less entries than requested (vlen) if the
- * sock is non block and there aren't enough datagrams...
- */
- if (err != -EAGAIN) {
- /*
+ if (datagrams == 0) {
+ datagrams = err;
+ goto out_put;
+ }
+
+ /*
+ * We may return less entries than requested (vlen) if the
+ * sock is non block and there aren't enough datagrams...
+ */
+ if (err != -EAGAIN) {
+
+ /*
* ... or if recvmsg returns an error after we
* received some datagrams, where we record the
* error to return on the next call or if the
* app asks about it using getsockopt(SO_ERROR).
*/
sock->sk->sk_err = -err;
- }
-
- return datagrams;
}
+out_put:
+ fput_light(sock->file, fput_needed);
- return err;
+ return datagrams;
}
SYSCALL_DEFINE5(recvmmsg, int, fd, struct mmsghdr __user *, mmsg,