From 3b32a0551fc8abbcf5a397f13b42fc40cdecc496 Mon Sep 17 00:00:00 2001 From: Ben Hutchings Date: Sat, 12 Aug 2017 21:36:28 +0100 Subject: [PATCH] xfrm: policy: check policy direction value (CVE-2017-11600) --- debian/changelog | 1 + ...-policy-check-policy-direction-value.patch | 40 +++++++++++++++++++ debian/patches/series | 1 + 3 files changed, 42 insertions(+) create mode 100644 debian/patches/bugfix/all/xfrm-policy-check-policy-direction-value.patch diff --git a/debian/changelog b/debian/changelog index af2fa549a..f0af2056d 100644 --- a/debian/changelog +++ b/debian/changelog @@ -29,6 +29,7 @@ linux (4.12.6-1) UNRELEASED; urgency=medium * [i386] perf tools: Fix unwind build (fixes FTBFS) * debian/control: Fix version in dependencies on arch-independent linux-headers-*-common* (Closes: #869511) + * xfrm: policy: check policy direction value (CVE-2017-11600) [ Salvatore Bonaccorso ] * packet: fix tp_reserve race in packet_set_ring (CVE-2017-1000111) diff --git a/debian/patches/bugfix/all/xfrm-policy-check-policy-direction-value.patch b/debian/patches/bugfix/all/xfrm-policy-check-policy-direction-value.patch new file mode 100644 index 000000000..42dedccea --- /dev/null +++ b/debian/patches/bugfix/all/xfrm-policy-check-policy-direction-value.patch 
@@ -0,0 +1,40 @@ +From: Vladis Dronov +Date: Wed, 2 Aug 2017 19:50:14 +0200 +Subject: xfrm: policy: check policy direction value +Origin: https://git.kernel.org/linus/7bab09631c2a303f87a7eb7e3d69e888673b9b7e +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-11600 + +The 'dir' parameter in xfrm_migrate() is a user-controlled byte which is used +as an array index. This can lead to an out-of-bound access, kernel lockup and +DoS. Add a check for the 'dir' value. + +This fixes CVE-2017-11600. + +References: https://bugzilla.redhat.com/show_bug.cgi?id=1474928 +Fixes: 80c9abaabf42 ("[XFRM]: Extension for dynamic update of endpoint address(es)") +Cc: # v2.6.21-rc1 +Reported-by: "bo Zhang" +Signed-off-by: Vladis Dronov +Signed-off-by: Steffen Klassert +--- + net/xfrm/xfrm_policy.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/net/xfrm/xfrm_policy.c ++++ b/net/xfrm/xfrm_policy.c +@@ -3301,9 +3301,15 @@ int xfrm_migrate(const struct xfrm_selec + struct xfrm_state *x_new[XFRM_MAX_DEPTH]; + struct xfrm_migrate *mp; + ++ /* Stage 0 - sanity checks */ + if ((err = xfrm_migrate_check(m, num_migrate)) < 0) + goto out; + ++ if (dir >= XFRM_POLICY_MAX) { ++ err = -EINVAL; ++ goto out; ++ } ++ + /* Stage 1 - find policy */ + if ((pol = xfrm_migrate_policy_find(sel, dir, type, net)) == NULL) { + err = -ENOENT; diff --git a/debian/patches/series b/debian/patches/series index 6e7b53657..f8f438078 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -121,6 +121,7 @@ features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch debian/i386-686-pae-pci-set-pci-nobios-by-default.patch bugfix/all/packet-fix-tp_reserve-race-in-packet_set_ring.patch bugfix/all/udp-consistently-apply-ufo-or-fragmentation.patch +bugfix/all/xfrm-policy-check-policy-direction-value.patch # Fix exported symbol versions bugfix/alpha/alpha-restore-symbol-versions-for-symbols-exported-f.patch
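Review bot: in the net/xfrm/xfrm_policy.c hunk the new bound check `if (dir >= XFRM_POLICY_MAX)` is only sufficient because `dir` is unsigned; the commit message describes it as a user-controlled byte, so no lower bound is needed, but if the parameter type were ever widened to a signed int a negative value would pass this test and still index the policy array, so a short comment or an `(unsigned int)` cast would make the assumption explicit. Placing the check under the new "Stage 0 - sanity checks" comment, after xfrm_migrate_check() and before xfrm_migrate_policy_find(sel, dir, type, net), is the right spot, since that lookup is the first use of `dir` as an index; returning -EINVAL matches how the other argument checks in this function fail.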