ipv6: fix out of bound writes in __ip6_append_data() (CVE-2017-9242)
This commit is contained in:
parent
cd87fb7a86
commit
2502943c58
|
@ -418,6 +418,7 @@ linux (4.9.30-1) UNRELEASED; urgency=medium
|
|||
* ipv6/dccp: do not inherit ipv6_mc_list from parent (CVE-2017-9076
|
||||
CVE-2017-9077)
|
||||
* crypto: skcipher - Add missing API setkey checks (CVE-2017-9211)
|
||||
* ipv6: fix out of bound writes in __ip6_append_data() (CVE-2017-9242)
|
||||
|
||||
-- Ben Hutchings <ben@decadent.org.uk> Mon, 08 May 2017 21:11:08 +0200
|
||||
|
||||
|
|
67
debian/patches/bugfix/all/ipv6-fix-out-of-bound-writes-in-__ip6_append_data.patch
vendored
Normal file
67
debian/patches/bugfix/all/ipv6-fix-out-of-bound-writes-in-__ip6_append_data.patch
vendored
Normal file
|
@ -0,0 +1,67 @@
|
|||
From: Eric Dumazet <edumazet@google.com>
|
||||
Date: Fri, 19 May 2017 14:17:48 -0700
|
||||
Subject: ipv6: fix out of bound writes in __ip6_append_data()
|
||||
Origin: https://git.kernel.org/linus/232cd35d0804cc241eb887bb8d4d9b3b9881c64a
|
||||
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-9242
|
||||
|
||||
Andrey Konovalov and idaifish@gmail.com reported crashes caused by
|
||||
one skb shared_info being overwritten from __ip6_append_data()
|
||||
|
||||
Andrey program lead to following state :
|
||||
|
||||
copy -4200 datalen 2000 fraglen 2040
|
||||
maxfraglen 2040 alloclen 2048 transhdrlen 0 offset 0 fraggap 6200
|
||||
|
||||
The skb_copy_and_csum_bits(skb_prev, maxfraglen, data + transhdrlen,
|
||||
fraggap, 0); is overwriting skb->head and skb_shared_info
|
||||
|
||||
Since we apparently detect this rare condition too late, move the
|
||||
code earlier to even avoid allocating skb and risking crashes.
|
||||
|
||||
Once again, many thanks to Andrey and syzkaller team.
|
||||
|
||||
Signed-off-by: Eric Dumazet <edumazet@google.com>
|
||||
Reported-by: Andrey Konovalov <andreyknvl@google.com>
|
||||
Tested-by: Andrey Konovalov <andreyknvl@google.com>
|
||||
Reported-by: <idaifish@gmail.com>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
---
|
||||
net/ipv6/ip6_output.c | 15 ++++++++-------
|
||||
1 file changed, 8 insertions(+), 7 deletions(-)
|
||||
|
||||
diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
|
||||
index d4a31be..bf8a58a 100644
|
||||
--- a/net/ipv6/ip6_output.c
|
||||
+++ b/net/ipv6/ip6_output.c
|
||||
@@ -1466,6 +1466,11 @@ static int __ip6_append_data(struct sock *sk,
|
||||
*/
|
||||
alloclen += sizeof(struct frag_hdr);
|
||||
|
||||
+ copy = datalen - transhdrlen - fraggap;
|
||||
+ if (copy < 0) {
|
||||
+ err = -EINVAL;
|
||||
+ goto error;
|
||||
+ }
|
||||
if (transhdrlen) {
|
||||
skb = sock_alloc_send_skb(sk,
|
||||
alloclen + hh_len,
|
||||
@@ -1515,13 +1520,9 @@ static int __ip6_append_data(struct sock *sk,
|
||||
data += fraggap;
|
||||
pskb_trim_unique(skb_prev, maxfraglen);
|
||||
}
|
||||
- copy = datalen - transhdrlen - fraggap;
|
||||
-
|
||||
- if (copy < 0) {
|
||||
- err = -EINVAL;
|
||||
- kfree_skb(skb);
|
||||
- goto error;
|
||||
- } else if (copy > 0 && getfrag(from, data + transhdrlen, offset, copy, fraggap, skb) < 0) {
|
||||
+ if (copy > 0 &&
|
||||
+ getfrag(from, data + transhdrlen, offset,
|
||||
+ copy, fraggap, skb) < 0) {
|
||||
err = -EFAULT;
|
||||
kfree_skb(skb);
|
||||
goto error;
|
||||
--
|
||||
2.1.4
|
||||
|
|
@ -110,6 +110,7 @@ bugfix/all/ipv6-prevent-overrun-when-parsing-v6-header-options.patch
|
|||
bugfix/all/sctp-do-not-inherit-ipv6_-mc-ac-fl-_list-from-parent.patch
|
||||
bugfix/all/ipv6-dccp-do-not-inherit-ipv6_mc_list-from-parent.patch
|
||||
bugfix/all/crypto-skcipher-Add-missing-api-setkey-checks.patch
|
||||
bugfix/all/ipv6-fix-out-of-bound-writes-in-__ip6_append_data.patch
|
||||
|
||||
# Fix exported symbol versions
|
||||
bugfix/ia64/revert-ia64-move-exports-to-definitions.patch
|
||||
|
|
Loading…
Reference in New Issue