每日一PATCH——CVE-2016-6828

漏洞链接

https://nvd.nist.gov/vuln/detail/CVE-2016-6828

bugzilla链接

https://bugzilla.redhat.com/show_bug.cgi?id=1367091

patch链接

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=bb1fceca22492109be12640d49f5ea5a544c6bb4

漏洞分析

漏洞成因

该漏洞是发生在kernel中tcp.h文件中的use-after-free漏洞。

When tcp_sendmsg() allocates a fresh and empty skb, it puts it at the tail of the write queue using tcp_add_write_queue_tail()
Then it attempts to copy user data into this fresh skb.
If the copy fails, we undo the work and remove the fresh skb.
Unfortunately, this undo lacks the change done to tp->highest_sack and we can leave a dangling pointer (to a freed skb)
Later, tcp_xmit_retransmit_queue() can dereference this pointer and access freed memory. For regular kernels where memory is not unmapped, this might cause SACK bugs because tcp_highest_sack_seq() is buggy, returning garbage instead of tp->snd_nxt, but with various debug features like CONFIG_DEBUG_PAGEALLOC, this can crash the kernel.

所以可以看出，如果分配一个对象skb，当将数据拷贝到这个新对象中时，如果拷贝出错，则移除这个对象，但是缺少对tp->highest_sack的操作，会留下指向已经free的skb的指针，变为悬挂指针。然后tcp_xmit_retransmit_queue()可以对这个悬挂指针进行解引用，访问已经free的对象。

patch

patch种类

该patch是将指针置为null的情况。