Vulnerability link
https://nvd.nist.gov/vuln/detail/CVE-2016-6828
Bugzilla link
https://bugzilla.redhat.com/show_bug.cgi?id=1367091
Patch link
Vulnerability analysis
Root cause
This vulnerability is a use-after-free in the kernel's TCP code in tcp.h (the write-queue helpers used by tcp_sendmsg()). The upstream commit message describes it as follows:
When tcp_sendmsg() allocates a fresh and empty skb, it puts it at the tail of the write queue using tcp_add_write_queue_tail()
Then it attempts to copy user data into this fresh skb.
If the copy fails, we undo the work and remove the fresh skb.
Unfortunately, this undo lacks the change done to tp->highest_sack and we can leave a dangling pointer (to a freed skb)
Later, tcp_xmit_retransmit_queue() can dereference this pointer and access freed memory. For regular kernels where memory is not unmapped, this might cause SACK bugs because tcp_highest_sack_seq() is buggy, returning garbage instead of tp->snd_nxt, but with various debug features like CONFIG_DEBUG_PAGEALLOC, this can crash the kernel.
In short: tcp_sendmsg() allocates a fresh skb and links it onto the write queue, at which point tp->highest_sack may be set to point at it. If copying the user data into that skb fails, the undo path unlinks and frees the skb but does not touch tp->highest_sack, so that field is left as a dangling pointer to freed memory. Later, tcp_xmit_retransmit_queue() dereferences tp->highest_sack (via tcp_highest_sack_seq()) and reads the freed skb. On a normal kernel this yields garbage SACK state rather than an immediate crash; with CONFIG_DEBUG_PAGEALLOC or similar debug options the access to unmapped memory crashes the kernel.
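To make the mechanism concrete, the following is an added C model written for this note; it is not kernel code and not from the page's author. The structs and helpers (struct skb, struct tcp_sock, add_write_queue_tail, unlink_write_queue, check_send_head_buggy / check_send_head_fixed, highest_sack_seq, replay_failed_copy) are hypothetical stand-ins for the kernel's sk_buff/tcp_sock, tcp_add_write_queue_tail(), __skb_unlink(), tcp_check_send_head() and tcp_highest_sack_seq(); only the fields the bug touches are modelled, and the "before" and "after" versions of the unlink cleanup are placed side by side so the dangling pointer can be observed without dereferencing freed memory.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical toy structs, not the kernel's sk_buff / tcp_sock. */
struct skb {
    struct skb *next;
    uint32_t seq;              /* start sequence number of this skb */
};

struct tcp_sock {
    struct skb *write_queue_head;
    struct skb *write_queue_tail;
    struct skb *send_head;     /* sk->sk_send_head: first unsent skb */
    struct skb *highest_sack;  /* tp->highest_sack: highest SACKed skb or NULL */
    uint32_t snd_nxt;
};

/* Models tcp_add_write_queue_tail(): when nothing was waiting to be sent the
 * new skb becomes the send head and, if no highest_sack is recorded yet, the
 * highest_sack as well.  That is how a fresh, empty skb gets referenced. */
static void add_write_queue_tail(struct tcp_sock *tp, struct skb *skb)
{
    skb->next = NULL;
    if (tp->write_queue_tail)
        tp->write_queue_tail->next = skb;
    else
        tp->write_queue_head = skb;
    tp->write_queue_tail = skb;
    if (!tp->send_head) {
        tp->send_head = skb;
        if (!tp->highest_sack)
            tp->highest_sack = skb;
    }
}

/* Models __skb_unlink() on the toy singly linked queue. */
static void unlink_write_queue(struct tcp_sock *tp, struct skb *skb)
{
    struct skb **pp = &tp->write_queue_head, *prev = NULL;
    while (*pp && *pp != skb) {
        prev = *pp;
        pp = &(*pp)->next;
    }
    if (!*pp)
        return;
    *pp = skb->next;
    if (tp->write_queue_tail == skb)
        tp->write_queue_tail = prev;
}

/* tcp_check_send_head() before the fix: only the send head is reset, so
 * highest_sack keeps pointing at the skb that is about to be freed. */
static void check_send_head_buggy(struct tcp_sock *tp, struct skb *unlinked)
{
    if (tp->send_head == unlinked)
        tp->send_head = NULL;
}

/* The same helper with the fix: the stale highest_sack is cleared as well. */
static void check_send_head_fixed(struct tcp_sock *tp, struct skb *unlinked)
{
    if (tp->send_head == unlinked)
        tp->send_head = NULL;
    if (tp->highest_sack == unlinked)
        tp->highest_sack = NULL;
}

/* Models tcp_highest_sack_seq(): snd_nxt when no skb is recorded, else the
 * seq of that skb.  With a dangling pointer this is the read of freed memory
 * that tcp_xmit_retransmit_queue() ends up doing. */
static uint32_t highest_sack_seq(const struct tcp_sock *tp)
{
    return tp->highest_sack ? tp->highest_sack->seq : tp->snd_nxt;
}

/* Replays tcp_sendmsg()'s undo path on an empty write queue: allocate a fresh
 * skb, queue it, fail the copy, unlink and free it.  Returns the address of
 * the freed skb as an integer so callers never dereference it. */
static uintptr_t replay_failed_copy(struct tcp_sock *tp, int fixed)
{
    memset(tp, 0, sizeof *tp);
    tp->snd_nxt = 1000;
    struct skb *fresh = calloc(1, sizeof *fresh);   /* sk_stream_alloc_skb() */
    if (!fresh)
        return 0;
    fresh->seq = tp->snd_nxt;
    add_write_queue_tail(tp, fresh);
    /* copy of user data fails, skb still empty: undo the queueing */
    uintptr_t freed = (uintptr_t)fresh;
    unlink_write_queue(tp, fresh);
    if (fixed)
        check_send_head_fixed(tp, fresh);
    else
        check_send_head_buggy(tp, fresh);
    free(fresh);                                     /* sk_wmem_free_skb() */
    return freed;
}

/* 1 if tp->highest_sack is left dangling after the undo, 0 if it was cleared. */
static int undo_leaves_dangling_highest_sack(int fixed)
{
    struct tcp_sock tp;
    uintptr_t freed = replay_failed_copy(&tp, fixed);
    return freed != 0 && (uintptr_t)tp.highest_sack == freed;
}

/* After the fixed undo the lookup falls back to snd_nxt instead of freed memory. */
static uint32_t highest_sack_seq_after_fixed_undo(void)
{
    struct tcp_sock tp;
    replay_failed_copy(&tp, 1);
    return highest_sack_seq(&tp);
}
```

Calling undo_leaves_dangling_highest_sack(0) reproduces the pre-fix state (highest_sack still equals the freed address), undo_leaves_dangling_highest_sack(1) shows the patched cleanup clearing it, and highest_sack_seq_after_fixed_undo() shows the safe fallback to snd_nxt that the buggy version would replace with a read of freed memory.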
Patch
Patch type
This patch is of the "set the pointer to NULL" kind: when the fresh skb is unlinked from the write queue, the stale tp->highest_sack reference to it is cleared instead of being left dangling.