diff --git a/debian/changelog b/debian/changelog
index d58e39789..1011d708a 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -49,6 +49,7 @@ linux (4.8.12-1) UNRELEASED; urgency=medium
 * net: avoid signed overflows for SO_{SND|RCV}BUFFORCE (CVE-2016-9793)
 * Add ABI reference for 4.8.0-2
 * Ignore ABI changes in KVM
+ * net: ping: check minimum size on ICMP header length (CVE-2016-8399)
 [ Ben Hutchings ]
 * [amd64] Re-enable LEGACY_VSYSCALL_EMULATE instead of LEGACY_VSYSCALL_NONE.
diff --git a/debian/patches/bugfix/all/net-ping-check-minimum-size-on-ICMP-header-length.patch b/debian/patches/bugfix/all/net-ping-check-minimum-size-on-ICMP-header-length.patch
new file mode 100644
index 000000000..a57cac3ee
--- /dev/null
+++ b/debian/patches/bugfix/all/net-ping-check-minimum-size-on-ICMP-header-length.patch
@@ -0,0 +1,71 @@
+From: Kees Cook
+Date: Mon, 5 Dec 2016 10:34:38 -0800
+Subject: net: ping: check minimum size on ICMP header length
+Origin: https://git.kernel.org/linus/0eab121ef8750a5c8637d51534d5e9143fb0633f
+
+Prior to commit c0371da6047a ("put iov_iter into msghdr") in v3.19, there
+was no check that the iovec contained enough bytes for an ICMP header,
+and the read loop would walk across neighboring stack contents. Since the
+iov_iter conversion, bad arguments are noticed, but the returned error is
+EFAULT. Returning EINVAL is a clearer error and also solves the problem
+prior to v3.19.
+
+This was found using trinity with KASAN on v3.18:
+
+BUG: KASAN: stack-out-of-bounds in memcpy_fromiovec+0x60/0x114 at addr ffffffc071077da0
+Read of size 8 by task trinity-c2/9623
+page:ffffffbe034b9a08 count:0 mapcount:0 mapping: (null) index:0x0
+flags: 0x0()
+page dumped because: kasan: bad access detected
+CPU: 0 PID: 9623 Comm: trinity-c2 Tainted: G BU 3.18.0-dirty #15
+Hardware name: Google Tegra210 Smaug Rev 1,3+ (DT)
+Call trace:
+[] dump_backtrace+0x0/0x1ac arch/arm64/kernel/traps.c:90
+[] show_stack+0x10/0x1c arch/arm64/kernel/traps.c:171
+[< inline >] __dump_stack lib/dump_stack.c:15
+[] dump_stack+0x7c/0xd0 lib/dump_stack.c:50
+[< inline >] print_address_description mm/kasan/report.c:147
+[< inline >] kasan_report_error mm/kasan/report.c:236
+[] kasan_report+0x380/0x4b8 mm/kasan/report.c:259
+[< inline >] check_memory_region mm/kasan/kasan.c:264
+[] __asan_load8+0x20/0x70 mm/kasan/kasan.c:507
+[] memcpy_fromiovec+0x5c/0x114 lib/iovec.c:15
+[< inline >] memcpy_from_msg include/linux/skbuff.h:2667
+[] ping_common_sendmsg+0x50/0x108 net/ipv4/ping.c:674
+[] ping_v4_sendmsg+0xd8/0x698 net/ipv4/ping.c:714
+[] inet_sendmsg+0xe0/0x12c net/ipv4/af_inet.c:749
+[< inline >] __sock_sendmsg_nosec net/socket.c:624
+[< inline >] __sock_sendmsg net/socket.c:632
+[] sock_sendmsg+0x124/0x164 net/socket.c:643
+[< inline >] SYSC_sendto net/socket.c:1797
+[] SyS_sendto+0x178/0x1d8 net/socket.c:1761
+
+CVE-2016-8399
+
+Reported-by: Qidan He
+Fixes: c319b4d76b9e ("net: ipv4: add IPPROTO_ICMP socket kind")
+Cc: stable@vger.kernel.org
+Signed-off-by: Kees Cook
+Signed-off-by: David S. Miller
+---
+ net/ipv4/ping.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c
+index 205e200..96b8e2b 100644
+--- a/net/ipv4/ping.c
++++ b/net/ipv4/ping.c
+@@ -657,6 +657,10 @@ int ping_common_sendmsg(int family, struct msghdr *msg, size_t len,
+ if (len > 0xFFFF)
+ return -EMSGSIZE;
+ 
++ /* Must have at least a full ICMP header. */
++ if (len < icmph_len)
++ return -EINVAL;
++
+ /*
+ * Check the flags.
+ */
+--
+2.1.4
+
diff --git a/debian/patches/series b/debian/patches/series
index 823640260..840611b9f 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -105,6 +105,7 @@ bugfix/all/mnt-Add-a-per-mount-namespace-limit-on-the-number-of.patch
 bugfix/all/tipc-check-minimum-bearer-MTU.patch
 bugfix/all/packet-fix-race-condition-in-packet_set_ring.patch
 bugfix/all/net-avoid-signed-overflows-for-SO_-SND-RCV-BUFFORCE.patch
+bugfix/all/net-ping-check-minimum-size-on-ICMP-header-length.patch
 # ABI maintenance
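Review bot: The comment above the new `if (len < icmph_len)` guard in net/ipv4/ping.c states the requirement but not why it is enforced here, so a reader of the backport alone cannot tell that icmph_len is the header size the caller asks to copy out of msg, nor that a shorter request previously reached memcpy_from_msg (the frame in the KASAN trace) and came back as -EFAULT; I would write it as `/* Must have at least a full ICMP header (icmph_len, supplied by the caller); reject short requests with -EINVAL before memcpy_from_msg would fail with -EFAULT. */`. Placing the check directly after the existing `len > 0xFFFF` bound keeps both length rejections ahead of any copy from the user buffer, as far as the hunk shows. ping_common_sendmsg begins before this hunk, so whether len is adjusted between entry and this point cannot be confirmed from the hunk alone.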