    net-packet: fix race in packet_set_ring on PACKET_RESERVE · ccf7bb73
    Willem de Bruijn authored
    PACKET_RESERVE reserves headroom in memory mapped packet ring frames.
    The value po->tp_reserve is verified to be safe in packet_set_ring
    
      if (unlikely(req->tp_frame_size < po->tp_hdrlen + po->tp_reserve))
    
    and the setsockopt fails once a ring is set.
    
      if (po->rx_ring.pg_vec || po->tx_ring.pg_vec)
              return -EBUSY;
    
    This operation does not take the socket lock. This leads to a race
    similar to the one with PACKET_VERSION fixed in commit 84ac7260
    ("packet: fix race condition in packet_set_ring").
    
    Fix this issue in the same manner: take the socket lock, which as of
    that patch is held for the duration of packet_set_ring.
    
    This bug was discovered with syzkaller.
    Reported-by: Andrey Konovalov <andreyknvl@google.com>
    Signed-off-by: Willem de Bruijn <willemb@google.com>
    
    CVE-2017-1000111
    
    (backported from email submission)
    Signed-off-by: Stefan Bader <stefan.bader@canonical.com>