net/packet: Fix integer overflow in various range checks (CVE-2017-7308)
parent
8703214f24
commit
8a7210aeea
|
@ -143,6 +143,7 @@ linux (4.9.18-1) UNRELEASED; urgency=medium
|
|||
(CVE-2017-7261)
|
||||
* [x86] drm/vmwgfx: fix integer overflow in vmw_surface_define_ioctl()
|
||||
(CVE-2017-7294)
|
||||
* net/packet: Fix integer overflow in various range checks (CVE-2017-7308)
|
||||
|
||||
-- Ben Hutchings <ben@decadent.org.uk> Mon, 27 Mar 2017 21:54:36 +0100
|
||||
|
||||
|
|
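--- a/debian/patches/bugfix/all/net-packet-fix-overflow-in-check-for-priv-area-size.patch
+++ b/debian/patches/bugfix/all/net-packet-fix-overflow-in-check-for-priv-area-size.patch
@@ -0,0 +1,34 @@
+From: Andrey Konovalov <andreyknvl@google.com>
+Date: Wed, 29 Mar 2017 16:11:20 +0200
+Subject: net/packet: fix overflow in check for priv area size
+Origin: https://patchwork.ozlabs.org/patch/744811/
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7308
+
+Subtracting tp_sizeof_priv from tp_block_size and casting to int
+to check whether one is less then the other doesn't always work
+(both of them are unsigned ints).
+
+Compare them as is instead.
+
+Also cast tp_sizeof_priv to u64 before using BLK_PLUS_PRIV, as
+it can overflow inside BLK_PLUS_PRIV otherwise.
+
+Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
+Acked-by: Eric Dumazet <edumazet@google.com>
+---
+net/packet/af_packet.c | 4 ++--
+1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -4235,8 +4235,8 @@ static int packet_set_ring(struct sock *
+if (unlikely(!PAGE_ALIGNED(req->tp_block_size)))
+goto out;
+if (po->tp_version >= TPACKET_V3 &&
+- (int)(req->tp_block_size -
+- BLK_PLUS_PRIV(req_u->req3.tp_sizeof_priv)) <= 0)
++ req->tp_block_size <=
++ BLK_PLUS_PRIV((u64)req_u->req3.tp_sizeof_priv))
+goto out;
+if (unlikely(req->tp_frame_size < po->tp_hdrlen +
+po->tp_reserve))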
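Review bot: The overflow protection for the private-area check rests on a `(u64)` cast at this one call site in packet_set_ring, so `BLK_PLUS_PRIV` itself stays unsafe for a 32-bit argument. Any other use of the macro with an unwidened `tp_sizeof_priv` would presumably still wrap; none is visible here, and the function starts and ends outside the hunk, so the remaining callers should be checked. A comment above the comparison would keep a later cleanup from dropping the cast, e.g. `/* tp_sizeof_priv is an unsigned int: widen before BLK_PLUS_PRIV so the aligned sum cannot wrap */`.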
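--- a/debian/patches/bugfix/all/net-packet-fix-overflow-in-check-for-tp_frame_nr.patch
+++ b/debian/patches/bugfix/all/net-packet-fix-overflow-in-check-for-tp_frame_nr.patch
@@ -0,0 +1,31 @@
+From: Andrey Konovalov <andreyknvl@google.com>
+Date: Wed, 29 Mar 2017 16:11:21 +0200
+Subject: net/packet: fix overflow in check for tp_frame_nr
+Origin: https://patchwork.ozlabs.org/patch/744812/
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7308
+
+When calculating rb->frames_per_block * req->tp_block_nr the result
+can overflow.
+
+Add a check that tp_block_size * tp_block_nr <= UINT_MAX.
+
+Since frames_per_block <= tp_block_size, the expression would
+never overflow.
+
+Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
+Acked-by: Eric Dumazet <edumazet@google.com>
+---
+net/packet/af_packet.c | 2 ++
+1 file changed, 2 insertions(+)
+
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -4247,6 +4247,8 @@ static int packet_set_ring(struct sock *
+rb->frames_per_block = req->tp_block_size / req->tp_frame_size;
+if (unlikely(rb->frames_per_block == 0))
+goto out;
++ if (unlikely(req->tp_block_size > UINT_MAX / req->tp_block_nr))
++ goto out;
+if (unlikely((rb->frames_per_block * req->tp_block_nr) !=
+req->tp_frame_nr))
+goto out;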
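Review bot: The added guard `req->tp_block_size > UINT_MAX / req->tp_block_nr` divides by `tp_block_nr`, and nothing in the visible lines shows that value to be non-zero. packet_set_ring starts and ends outside the hunk, so the zero case is presumably excluded by an enclosing condition, but that should be confirmed rather than assumed. A short comment would also tie the bound to the multiplication that follows it: `/* frames_per_block <= tp_block_size, so frames_per_block * tp_block_nr cannot wrap */`.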
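--- a/debian/patches/bugfix/all/net-packet-fix-overflow-in-check-for-tp_reserve.patch
+++ b/debian/patches/bugfix/all/net-packet-fix-overflow-in-check-for-tp_reserve.patch
@@ -0,0 +1,27 @@
+From: Andrey Konovalov <andreyknvl@google.com>
+Date: Wed, 29 Mar 2017 16:11:22 +0200
+Subject: net/packet: fix overflow in check for tp_reserve
+Origin: https://patchwork.ozlabs.org/patch/744813/
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7308
+
+When calculating po->tp_hdrlen + po->tp_reserve the result can overflow.
+
+Fix by checking that tp_reserve <= INT_MAX on assign.
+
+Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
+Acked-by: Eric Dumazet <edumazet@google.com>
+---
+net/packet/af_packet.c | 2 ++
+1 file changed, 2 insertions(+)
+
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -3702,6 +3702,8 @@ packet_setsockopt(struct socket *sock, i
+return -EBUSY;
+if (copy_from_user(&val, optval, sizeof(val)))
+return -EFAULT;
++ if (val > INT_MAX)
++ return -EINVAL;
+po->tp_reserve = val;
+return 0;
+}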
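Review bot: The new `val > INT_MAX` test in packet_setsockopt rejects large values only if `val` is an unsigned type; its declaration is outside the hunk, and with a signed `int` the comparison could never be true. The bound is also sized for the `po->tp_hdrlen + po->tp_reserve` sum named in the description, so any other arithmetic that stores a tp_reserve-derived offset in a narrower type would need its own check; that code is not visible here. A one-line comment above the test, such as `/* keep po->tp_hdrlen + po->tp_reserve from wrapping */`, would record what the limit is meant to protect.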
|
@ -124,6 +124,9 @@ bugfix/all/xfrm_user-validate-xfrm_msg_newae-incoming-esn-size-harder.patch
|
|||
bugfix/all/scsi-sg-check-length-passed-to-sg_next_cmd_len.patch
|
||||
bugfix/x86/vmwgfx-null-pointer-dereference-in-vmw_surface_define_ioctl.patch
|
||||
bugfix/x86/drm-vmwgfx-fix-integer-overflow-in-vmw_surface_define_ioctl.patch
|
||||
bugfix/all/net-packet-fix-overflow-in-check-for-priv-area-size.patch
|
||||
bugfix/all/net-packet-fix-overflow-in-check-for-tp_frame_nr.patch
|
||||
bugfix/all/net-packet-fix-overflow-in-check-for-tp_reserve.patch
|
||||
|
||||
# Fix exported symbol versions
|
||||
bugfix/ia64/revert-ia64-move-exports-to-definitions.patch
|
||||
|
|