xfrm_user: Apply fixes for CVE-2017-7184
This commit is contained in:
Ben Hutchings
parent
9984b67924
commit
3e739d51e3
|
|
@ -135,6 +135,9 @@ linux (4.9.18-1) UNRELEASED; urgency=medium
|
|||
- futex: Drop hb->lock before enqueueing on the rtmutex
|
||||
- futex: workaround migrate_disable/enable in different context
|
||||
- Revert "kernel/futex: don't deboost too early"
|
||||
* xfrm_user: validate XFRM_MSG_NEWAE XFRMA_REPLAY_ESN_VAL replay_window
|
||||
(CVE-2017-7184)
|
||||
* xfrm_user: validate XFRM_MSG_NEWAE incoming ESN size harder (CVE-2017-7184)
|
||||
|
||||
-- Ben Hutchings <ben@decadent.org.uk> Mon, 27 Mar 2017 21:54:36 +0100
|
||||
|
||||
|
|
|
|||
34
debian/patches/bugfix/all/xfrm_user-validate-xfrm_msg_newae-incoming-esn-size-harder.patch
vendored
Normal file
34
debian/patches/bugfix/all/xfrm_user-validate-xfrm_msg_newae-incoming-esn-size-harder.patch
vendored
Normal file
|
|
@ -0,0 +1,34 @@
|
|||
From: Andy Whitcroft <apw@canonical.com>
|
||||
Date: Thu, 23 Mar 2017 07:45:44 +0000
|
||||
Subject: [PATCH 2/2] xfrm_user: validate XFRM_MSG_NEWAE incoming ESN size
|
||||
harder
|
||||
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7184
|
||||
|
||||
Kees Cook has pointed out that xfrm_replay_state_esn_len() is subject to
|
||||
wrapping issues. To ensure we are correctly ensuring that the two ESN
|
||||
structures are the same size compare both the overall size as reported
|
||||
by xfrm_replay_state_esn_len() and the internal length are the same.
|
||||
|
||||
CVE-2017-7184
|
||||
Signed-off-by: Andy Whitcroft <apw@canonical.com>
|
||||
---
|
||||
net/xfrm/xfrm_user.c | 6 +++++-
|
||||
1 file changed, 5 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
|
||||
index 81c4112..87e0c22 100644
|
||||
--- a/net/xfrm/xfrm_user.c
|
||||
+++ b/net/xfrm/xfrm_user.c
|
||||
@@ -412,7 +412,11 @@ static inline int xfrm_replay_verify_len(struct xfrm_replay_state_esn *replay_es
|
||||
up = nla_data(rp);
|
||||
ulen = xfrm_replay_state_esn_len(up);
|
||||
|
||||
- if (nla_len(rp) < ulen || xfrm_replay_state_esn_len(replay_esn) != ulen)
|
||||
+ /* Check the overall length and the internal bitmap length to avoid
|
||||
+ * potential overflow. */
|
||||
+ if (nla_len(rp) < ulen ||
|
||||
+ xfrm_replay_state_esn_len(replay_esn) != ulen ||
|
||||
+ replay_esn->bmp_len != up->bmp_len)
|
||||
return -EINVAL;
|
||||
|
||||
if (up->replay_window > up->bmp_len * sizeof(__u32) * 8)
|
||||
|
|
@ -0,0 +1,42 @@
|
|||
From: Andy Whitcroft <apw@canonical.com>
|
||||
Date: Wed, 22 Mar 2017 07:29:31 +0000
|
||||
Subject: [PATCH 1/2] xfrm_user: validate XFRM_MSG_NEWAE XFRMA_REPLAY_ESN_VAL
|
||||
replay_window
|
||||
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7184
|
||||
|
||||
When a new xfrm state is created during an XFRM_MSG_NEWSA call we validate
|
||||
the user supplied replay_esn to ensure that the size is valid and to ensure
|
||||
that the replay_window size is within the allocated buffer. However later
|
||||
it is possible to update this replay_esn via a XFRM_MSG_NEWAE call.
|
||||
There we again validate the size of the supplied buffer matches the
|
||||
existing state and if so inject the contents. We do not at this point
|
||||
check that the replay_window is within the allocated memory. This leads
|
||||
to out-of-bounds reads and writes triggered by netlink packets. This leads
|
||||
to memory corruption and the potential for priviledge escalation.
|
||||
|
||||
We already attempt to validate the incoming replay information in
|
||||
xfrm_new_ae() via xfrm_replay_verify_len(). This confirms that the
|
||||
user is not trying to change the size of the replay state buffer which
|
||||
includes the replay_esn. It however does not check the replay_window
|
||||
remains within that buffer. Add validation of the contained replay_window.
|
||||
|
||||
CVE-2017-7184
|
||||
Signed-off-by: Andy Whitcroft <apw@canonical.com>
|
||||
---
|
||||
net/xfrm/xfrm_user.c | 3 +++
|
||||
1 file changed, 3 insertions(+)
|
||||
|
||||
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
|
||||
index 0889209..81c4112 100644
|
||||
--- a/net/xfrm/xfrm_user.c
|
||||
+++ b/net/xfrm/xfrm_user.c
|
||||
@@ -415,6 +415,9 @@ static inline int xfrm_replay_verify_len(struct xfrm_replay_state_esn *replay_es
|
||||
if (nla_len(rp) < ulen || xfrm_replay_state_esn_len(replay_esn) != ulen)
|
||||
return -EINVAL;
|
||||
|
||||
+ if (up->replay_window > up->bmp_len * sizeof(__u32) * 8)
|
||||
+ return -EINVAL;
|
||||
+
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
|
@ -119,6 +119,8 @@ debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
|
|||
bugfix/x86/kvm-fix-page-struct-leak-in-handle_vmon.patch
|
||||
debian/time-mark-timer_stats-as-broken.patch
|
||||
bugfix/all/sctp-deny-peeloff-operation-on-asocs-with-threads-sl.patch
|
||||
bugfix/all/xfrm_user-validate-xfrm_msg_newae-xfrma_replay_esn_val-replay_window.patch
|
||||
bugfix/all/xfrm_user-validate-xfrm_msg_newae-incoming-esn-size-harder.patch
|
||||
|
||||
# Fix exported symbol versions
|
||||
bugfix/ia64/revert-ia64-move-exports-to-definitions.patch
|
||||
|
|
|
|||
Loading…
Reference in New Issue