From 20b3d9876a503529697b46efd299f224afd23f41 Mon Sep 17 00:00:00 2001 From: Salvatore Bonaccorso Date: Thu, 1 Jun 2017 07:33:06 +0200 Subject: [PATCH 1/7] tracing: Use strlcpy() instead of strcpy() in __trace_find_cmdline() (CVE-2017-0605) --- debian/changelog | 4 ++ ...cpy-instead-of-strcpy-in-__trace_fin.patch | 39 +++++++++++++++++++ debian/patches/series | 1 + 3 files changed, 44 insertions(+) create mode 100644 debian/patches/bugfix/all/tracing-Use-strlcpy-instead-of-strcpy-in-__trace_fin.patch diff --git a/debian/changelog b/debian/changelog index ebc5af86b..a3169274b 100644 --- a/debian/changelog +++ b/debian/changelog @@ -409,6 +409,10 @@ linux (4.9.30-1) UNRELEASED; urgency=medium * [mips*el/loongson-3] Revert "MIPS: Loongson-3: Select MIPS_L1_CACHE_SHIFT_6" to avoid ABI change + [ Salvatore Bonaccorso ] + * tracing: Use strlcpy() instead of strcpy() in __trace_find_cmdline() + (CVE-2017-0605) + -- Ben Hutchings Mon, 08 May 2017 21:11:08 +0200 linux (4.9.25-1) unstable; urgency=medium diff --git a/debian/patches/bugfix/all/tracing-Use-strlcpy-instead-of-strcpy-in-__trace_fin.patch b/debian/patches/bugfix/all/tracing-Use-strlcpy-instead-of-strcpy-in-__trace_fin.patch new file mode 100644 index 000000000..fde4baaf3 --- /dev/null +++ b/debian/patches/bugfix/all/tracing-Use-strlcpy-instead-of-strcpy-in-__trace_fin.patch @@ -0,0 +1,39 @@ +From: Amey Telawane +Date: Wed, 3 May 2017 15:41:14 +0530 +Subject: tracing: Use strlcpy() instead of strcpy() in __trace_find_cmdline() +Origin: https://git.kernel.org/linus/e09e28671cda63e6308b31798b997639120e2a21 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-0605 + +Strcpy is inherently not safe, and strlcpy() should be used instead. +__trace_find_cmdline() uses strcpy() because the comms saved must have a +terminating nul character, but it doesn't hurt to add the extra protection +of using strlcpy() instead of strcpy(). + +Link: http://lkml.kernel.org/r/1493806274-13936-1-git-send-email-amit.pundir@linaro.org + +Signed-off-by: Amey Telawane +[AmitP: Cherry-picked this commit from CodeAurora kernel/msm-3.10 +https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=2161ae9a70b12cf18ac8e5952a20161ffbccb477] +Signed-off-by: Amit Pundir +[ Updated change log and removed the "- 1" from len parameter ] +Signed-off-by: Steven Rostedt (VMware) +--- + kernel/trace/trace.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c +index 80eda7d..4ad4420 100644 +--- a/kernel/trace/trace.c ++++ b/kernel/trace/trace.c +@@ -1976,7 +1976,7 @@ static void __trace_find_cmdline(int pid, char comm[]) + + map = savedcmd->map_pid_to_cmdline[pid]; + if (map != NO_CMDLINE_MAP) +- strcpy(comm, get_saved_cmdlines(map)); ++ strlcpy(comm, get_saved_cmdlines(map), TASK_COMM_LEN); + else + strcpy(comm, "<...>"); + } +-- +2.1.4 + diff --git a/debian/patches/series b/debian/patches/series index 05a210d81..d8243e45a 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -104,6 +104,7 @@ features/all/securelevel/arm64-add-kernel-config-option-to-set-securelevel-wh.pa # Security fixes debian/i386-686-pae-pci-set-pci-nobios-by-default.patch debian/time-mark-timer_stats-as-broken.patch +bugfix/all/tracing-Use-strlcpy-instead-of-strcpy-in-__trace_fin.patch # Fix exported symbol versions bugfix/ia64/revert-ia64-move-exports-to-definitions.patch From a68b36a505302b0c9e4446d9f3bfc91c16a201a8 Mon Sep 17 00:00:00 2001 From: Salvatore Bonaccorso Date: Thu, 1 Jun 2017 07:41:53 +0200 Subject: [PATCH 2/7] dccp/tcp: do not inherit mc_list from parent (CVE-2017-8890) --- debian/changelog | 1 + ...p-do-not-inherit-mc_list-from-parent.patch | 42 +++++++++++++++++++ debian/patches/series | 1 + 3 files changed, 44 insertions(+) create mode 100644 debian/patches/bugfix/all/dccp-tcp-do-not-inherit-mc_list-from-parent.patch diff --git a/debian/changelog b/debian/changelog index a3169274b..993438341 100644 --- a/debian/changelog +++ b/debian/changelog @@ -412,6 +412,7 @@ linux (4.9.30-1) UNRELEASED; urgency=medium [ Salvatore Bonaccorso ] * tracing: Use strlcpy() instead of strcpy() in __trace_find_cmdline() (CVE-2017-0605) + * dccp/tcp: do not inherit mc_list from parent (CVE-2017-8890) -- Ben Hutchings Mon, 08 May 2017 21:11:08 +0200 diff --git a/debian/patches/bugfix/all/dccp-tcp-do-not-inherit-mc_list-from-parent.patch b/debian/patches/bugfix/all/dccp-tcp-do-not-inherit-mc_list-from-parent.patch new file mode 100644 index 000000000..0498fa9bb --- /dev/null +++ b/debian/patches/bugfix/all/dccp-tcp-do-not-inherit-mc_list-from-parent.patch @@ -0,0 +1,42 @@ +From: Eric Dumazet +Date: Tue, 9 May 2017 06:29:19 -0700 +Subject: dccp/tcp: do not inherit mc_list from parent +Origin: https://git.kernel.org/linus/657831ffc38e30092a2d5f03d385d710eb88b09a +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-8890 + +syzkaller found a way to trigger double frees from ip_mc_drop_socket() + +It turns out that leave a copy of parent mc_list at accept() time, +which is very bad. + +Very similar to commit 8b485ce69876 ("tcp: do not inherit +fastopen_req from parent") + +Initial report from Pray3r, completed by Andrey one. +Thanks a lot to them ! + +Signed-off-by: Eric Dumazet +Reported-by: Pray3r +Reported-by: Andrey Konovalov +Tested-by: Andrey Konovalov +Signed-off-by: David S. Miller +--- + net/ipv4/inet_connection_sock.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/net/ipv4/inet_connection_sock.c b/net/ipv4/inet_connection_sock.c +index 5e313c1..1054d33 100644 +--- a/net/ipv4/inet_connection_sock.c ++++ b/net/ipv4/inet_connection_sock.c +@@ -794,6 +794,8 @@ struct sock *inet_csk_clone_lock(const struct sock *sk, + /* listeners have SOCK_RCU_FREE, not the children */ + sock_reset_flag(newsk, SOCK_RCU_FREE); + ++ inet_sk(newsk)->mc_list = NULL; ++ + newsk->sk_mark = inet_rsk(req)->ir_mark; + atomic64_set(&newsk->sk_cookie, + atomic64_read(&inet_rsk(req)->ir_cookie)); +-- +2.1.4 + diff --git a/debian/patches/series b/debian/patches/series index d8243e45a..30fb4e621 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -105,6 +105,7 @@ features/all/securelevel/arm64-add-kernel-config-option-to-set-securelevel-wh.pa debian/i386-686-pae-pci-set-pci-nobios-by-default.patch debian/time-mark-timer_stats-as-broken.patch bugfix/all/tracing-Use-strlcpy-instead-of-strcpy-in-__trace_fin.patch +bugfix/all/dccp-tcp-do-not-inherit-mc_list-from-parent.patch # Fix exported symbol versions bugfix/ia64/revert-ia64-move-exports-to-definitions.patch From 35c1e8ae8da3a2112c548febed03937d9806186f Mon Sep 17 00:00:00 2001 From: Salvatore Bonaccorso Date: Thu, 1 Jun 2017 08:04:17 +0200 Subject: [PATCH 3/7] ipv6: Prevent overrun when parsing v6 header options (CVE-2017-9074) --- debian/changelog | 1 + ...errun-when-parsing-v6-header-options.patch | 232 ++++++++++++++++++ debian/patches/series | 1 + 3 files changed, 234 insertions(+) create mode 100644 debian/patches/bugfix/all/ipv6-prevent-overrun-when-parsing-v6-header-options.patch diff --git a/debian/changelog b/debian/changelog index 993438341..ffd50528e 100644 --- a/debian/changelog +++ b/debian/changelog @@ -413,6 +413,7 @@ linux (4.9.30-1) UNRELEASED; urgency=medium * tracing: Use strlcpy() instead of strcpy() in __trace_find_cmdline() (CVE-2017-0605) * dccp/tcp: do not inherit mc_list from parent (CVE-2017-8890) + * ipv6: Prevent overrun when parsing v6 header options (CVE-2017-9074) -- Ben Hutchings Mon, 08 May 2017 21:11:08 +0200 diff --git a/debian/patches/bugfix/all/ipv6-prevent-overrun-when-parsing-v6-header-options.patch b/debian/patches/bugfix/all/ipv6-prevent-overrun-when-parsing-v6-header-options.patch new file mode 100644 index 000000000..ef53e8171 --- /dev/null +++ b/debian/patches/bugfix/all/ipv6-prevent-overrun-when-parsing-v6-header-options.patch @@ -0,0 +1,232 @@ +From: Craig Gallek +Date: Tue, 16 May 2017 14:36:23 -0400 +Subject: ipv6: Prevent overrun when parsing v6 header options +Origin: https://git.kernel.org/linus/2423496af35d94a87156b063ea5cedffc10a70a1 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-9074 + +The KASAN warning repoted below was discovered with a syzkaller +program. The reproducer is basically: + int s = socket(AF_INET6, SOCK_RAW, NEXTHDR_HOP); + send(s, &one_byte_of_data, 1, MSG_MORE); + send(s, &more_than_mtu_bytes_data, 2000, 0); + +The socket() call sets the nexthdr field of the v6 header to +NEXTHDR_HOP, the first send call primes the payload with a non zero +byte of data, and the second send call triggers the fragmentation path. + +The fragmentation code tries to parse the header options in order +to figure out where to insert the fragment option. Since nexthdr points +to an invalid option, the calculation of the size of the network header +can made to be much larger than the linear section of the skb and data +is read outside of it. + +This fix makes ip6_find_1stfrag return an error if it detects +running out-of-bounds. + +[ 42.361487] ================================================================== +[ 42.364412] BUG: KASAN: slab-out-of-bounds in ip6_fragment+0x11c8/0x3730 +[ 42.365471] Read of size 840 at addr ffff88000969e798 by task ip6_fragment-oo/3789 +[ 42.366469] +[ 42.366696] CPU: 1 PID: 3789 Comm: ip6_fragment-oo Not tainted 4.11.0+ #41 +[ 42.367628] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.1-1ubuntu1 04/01/2014 +[ 42.368824] Call Trace: +[ 42.369183] dump_stack+0xb3/0x10b +[ 42.369664] print_address_description+0x73/0x290 +[ 42.370325] kasan_report+0x252/0x370 +[ 42.370839] ? ip6_fragment+0x11c8/0x3730 +[ 42.371396] check_memory_region+0x13c/0x1a0 +[ 42.371978] memcpy+0x23/0x50 +[ 42.372395] ip6_fragment+0x11c8/0x3730 +[ 42.372920] ? nf_ct_expect_unregister_notifier+0x110/0x110 +[ 42.373681] ? ip6_copy_metadata+0x7f0/0x7f0 +[ 42.374263] ? ip6_forward+0x2e30/0x2e30 +[ 42.374803] ip6_finish_output+0x584/0x990 +[ 42.375350] ip6_output+0x1b7/0x690 +[ 42.375836] ? ip6_finish_output+0x990/0x990 +[ 42.376411] ? ip6_fragment+0x3730/0x3730 +[ 42.376968] ip6_local_out+0x95/0x160 +[ 42.377471] ip6_send_skb+0xa1/0x330 +[ 42.377969] ip6_push_pending_frames+0xb3/0xe0 +[ 42.378589] rawv6_sendmsg+0x2051/0x2db0 +[ 42.379129] ? rawv6_bind+0x8b0/0x8b0 +[ 42.379633] ? _copy_from_user+0x84/0xe0 +[ 42.380193] ? debug_check_no_locks_freed+0x290/0x290 +[ 42.380878] ? ___sys_sendmsg+0x162/0x930 +[ 42.381427] ? rcu_read_lock_sched_held+0xa3/0x120 +[ 42.382074] ? sock_has_perm+0x1f6/0x290 +[ 42.382614] ? ___sys_sendmsg+0x167/0x930 +[ 42.383173] ? lock_downgrade+0x660/0x660 +[ 42.383727] inet_sendmsg+0x123/0x500 +[ 42.384226] ? inet_sendmsg+0x123/0x500 +[ 42.384748] ? inet_recvmsg+0x540/0x540 +[ 42.385263] sock_sendmsg+0xca/0x110 +[ 42.385758] SYSC_sendto+0x217/0x380 +[ 42.386249] ? SYSC_connect+0x310/0x310 +[ 42.386783] ? __might_fault+0x110/0x1d0 +[ 42.387324] ? lock_downgrade+0x660/0x660 +[ 42.387880] ? __fget_light+0xa1/0x1f0 +[ 42.388403] ? __fdget+0x18/0x20 +[ 42.388851] ? sock_common_setsockopt+0x95/0xd0 +[ 42.389472] ? SyS_setsockopt+0x17f/0x260 +[ 42.390021] ? entry_SYSCALL_64_fastpath+0x5/0xbe +[ 42.390650] SyS_sendto+0x40/0x50 +[ 42.391103] entry_SYSCALL_64_fastpath+0x1f/0xbe +[ 42.391731] RIP: 0033:0x7fbbb711e383 +[ 42.392217] RSP: 002b:00007ffff4d34f28 EFLAGS: 00000246 ORIG_RAX: 000000000000002c +[ 42.393235] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fbbb711e383 +[ 42.394195] RDX: 0000000000001000 RSI: 00007ffff4d34f60 RDI: 0000000000000003 +[ 42.395145] RBP: 0000000000000046 R08: 00007ffff4d34f40 R09: 0000000000000018 +[ 42.396056] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000400aad +[ 42.396598] R13: 0000000000000066 R14: 00007ffff4d34ee0 R15: 00007fbbb717af00 +[ 42.397257] +[ 42.397411] Allocated by task 3789: +[ 42.397702] save_stack_trace+0x16/0x20 +[ 42.398005] save_stack+0x46/0xd0 +[ 42.398267] kasan_kmalloc+0xad/0xe0 +[ 42.398548] kasan_slab_alloc+0x12/0x20 +[ 42.398848] __kmalloc_node_track_caller+0xcb/0x380 +[ 42.399224] __kmalloc_reserve.isra.32+0x41/0xe0 +[ 42.399654] __alloc_skb+0xf8/0x580 +[ 42.400003] sock_wmalloc+0xab/0xf0 +[ 42.400346] __ip6_append_data.isra.41+0x2472/0x33d0 +[ 42.400813] ip6_append_data+0x1a8/0x2f0 +[ 42.401122] rawv6_sendmsg+0x11ee/0x2db0 +[ 42.401505] inet_sendmsg+0x123/0x500 +[ 42.401860] sock_sendmsg+0xca/0x110 +[ 42.402209] ___sys_sendmsg+0x7cb/0x930 +[ 42.402582] __sys_sendmsg+0xd9/0x190 +[ 42.402941] SyS_sendmsg+0x2d/0x50 +[ 42.403273] entry_SYSCALL_64_fastpath+0x1f/0xbe +[ 42.403718] +[ 42.403871] Freed by task 1794: +[ 42.404146] save_stack_trace+0x16/0x20 +[ 42.404515] save_stack+0x46/0xd0 +[ 42.404827] kasan_slab_free+0x72/0xc0 +[ 42.405167] kfree+0xe8/0x2b0 +[ 42.405462] skb_free_head+0x74/0xb0 +[ 42.405806] skb_release_data+0x30e/0x3a0 +[ 42.406198] skb_release_all+0x4a/0x60 +[ 42.406563] consume_skb+0x113/0x2e0 +[ 42.406910] skb_free_datagram+0x1a/0xe0 +[ 42.407288] netlink_recvmsg+0x60d/0xe40 +[ 42.407667] sock_recvmsg+0xd7/0x110 +[ 42.408022] ___sys_recvmsg+0x25c/0x580 +[ 42.408395] __sys_recvmsg+0xd6/0x190 +[ 42.408753] SyS_recvmsg+0x2d/0x50 +[ 42.409086] entry_SYSCALL_64_fastpath+0x1f/0xbe +[ 42.409513] +[ 42.409665] The buggy address belongs to the object at ffff88000969e780 +[ 42.409665] which belongs to the cache kmalloc-512 of size 512 +[ 42.410846] The buggy address is located 24 bytes inside of +[ 42.410846] 512-byte region [ffff88000969e780, ffff88000969e980) +[ 42.411941] The buggy address belongs to the page: +[ 42.412405] page:ffffea000025a780 count:1 mapcount:0 mapping: (null) index:0x0 compound_mapcount: 0 +[ 42.413298] flags: 0x100000000008100(slab|head) +[ 42.413729] raw: 0100000000008100 0000000000000000 0000000000000000 00000001800c000c +[ 42.414387] raw: ffffea00002a9500 0000000900000007 ffff88000c401280 0000000000000000 +[ 42.415074] page dumped because: kasan: bad access detected +[ 42.415604] +[ 42.415757] Memory state around the buggy address: +[ 42.416222] ffff88000969e880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +[ 42.416904] ffff88000969e900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +[ 42.417591] >ffff88000969e980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +[ 42.418273] ^ +[ 42.418588] ffff88000969ea00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +[ 42.419273] ffff88000969ea80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +[ 42.419882] ================================================================== + +Reported-by: Andrey Konovalov +Signed-off-by: Craig Gallek +Signed-off-by: David S. Miller +--- + net/ipv6/ip6_offload.c | 2 ++ + net/ipv6/ip6_output.c | 4 ++++ + net/ipv6/output_core.c | 14 ++++++++------ + net/ipv6/udp_offload.c | 2 ++ + 4 files changed, 16 insertions(+), 6 deletions(-) + +diff --git a/net/ipv6/ip6_offload.c b/net/ipv6/ip6_offload.c +index 93e58a5..eab36ab 100644 +--- a/net/ipv6/ip6_offload.c ++++ b/net/ipv6/ip6_offload.c +@@ -117,6 +117,8 @@ static struct sk_buff *ipv6_gso_segment(struct sk_buff *skb, + + if (udpfrag) { + unfrag_ip6hlen = ip6_find_1stfragopt(skb, &prevhdr); ++ if (unfrag_ip6hlen < 0) ++ return ERR_PTR(unfrag_ip6hlen); + fptr = (struct frag_hdr *)((u8 *)ipv6h + unfrag_ip6hlen); + fptr->frag_off = htons(offset); + if (skb->next) +diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c +index 58f6288..01deecd 100644 +--- a/net/ipv6/ip6_output.c ++++ b/net/ipv6/ip6_output.c +@@ -598,6 +598,10 @@ int ip6_fragment(struct net *net, struct sock *sk, struct sk_buff *skb, + u8 *prevhdr, nexthdr = 0; + + hlen = ip6_find_1stfragopt(skb, &prevhdr); ++ if (hlen < 0) { ++ err = hlen; ++ goto fail; ++ } + nexthdr = *prevhdr; + + mtu = ip6_skb_dst_mtu(skb); +diff --git a/net/ipv6/output_core.c b/net/ipv6/output_core.c +index cd42523..e9065b8 100644 +--- a/net/ipv6/output_core.c ++++ b/net/ipv6/output_core.c +@@ -79,14 +79,13 @@ EXPORT_SYMBOL(ipv6_select_ident); + int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr) + { + u16 offset = sizeof(struct ipv6hdr); +- struct ipv6_opt_hdr *exthdr = +- (struct ipv6_opt_hdr *)(ipv6_hdr(skb) + 1); + unsigned int packet_len = skb_tail_pointer(skb) - + skb_network_header(skb); + int found_rhdr = 0; + *nexthdr = &ipv6_hdr(skb)->nexthdr; + +- while (offset + 1 <= packet_len) { ++ while (offset <= packet_len) { ++ struct ipv6_opt_hdr *exthdr; + + switch (**nexthdr) { + +@@ -107,13 +106,16 @@ int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr) + return offset; + } + +- offset += ipv6_optlen(exthdr); +- *nexthdr = &exthdr->nexthdr; ++ if (offset + sizeof(struct ipv6_opt_hdr) > packet_len) ++ return -EINVAL; ++ + exthdr = (struct ipv6_opt_hdr *)(skb_network_header(skb) + + offset); ++ offset += ipv6_optlen(exthdr); ++ *nexthdr = &exthdr->nexthdr; + } + +- return offset; ++ return -EINVAL; + } + EXPORT_SYMBOL(ip6_find_1stfragopt); + +diff --git a/net/ipv6/udp_offload.c b/net/ipv6/udp_offload.c +index ac858c4..b348cff 100644 +--- a/net/ipv6/udp_offload.c ++++ b/net/ipv6/udp_offload.c +@@ -91,6 +91,8 @@ static struct sk_buff *udp6_ufo_fragment(struct sk_buff *skb, + * bytes to insert fragment header. + */ + unfrag_ip6hlen = ip6_find_1stfragopt(skb, &prevhdr); ++ if (unfrag_ip6hlen < 0) ++ return ERR_PTR(unfrag_ip6hlen); + nexthdr = *prevhdr; + *prevhdr = NEXTHDR_FRAGMENT; + unfrag_len = (skb_network_header(skb) - skb_mac_header(skb)) + +-- +2.1.4 + diff --git a/debian/patches/series b/debian/patches/series index 30fb4e621..f6d35dbb6 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -106,6 +106,7 @@ debian/i386-686-pae-pci-set-pci-nobios-by-default.patch debian/time-mark-timer_stats-as-broken.patch bugfix/all/tracing-Use-strlcpy-instead-of-strcpy-in-__trace_fin.patch bugfix/all/dccp-tcp-do-not-inherit-mc_list-from-parent.patch +bugfix/all/ipv6-prevent-overrun-when-parsing-v6-header-options.patch # Fix exported symbol versions bugfix/ia64/revert-ia64-move-exports-to-definitions.patch From 3253209d02635d65571a4bf4344268c19f1ff1fc Mon Sep 17 00:00:00 2001 From: Salvatore Bonaccorso Date: Thu, 1 Jun 2017 08:07:57 +0200 Subject: [PATCH 4/7] sctp: do not inherit ipv6_{mc|ac|fl}_list from parent (CVE-2017-9075) --- debian/changelog | 1 + ...rit-ipv6_-mc-ac-fl-_list-from-parent.patch | 34 +++++++++++++++++++ debian/patches/series | 1 + 3 files changed, 36 insertions(+) create mode 100644 debian/patches/bugfix/all/sctp-do-not-inherit-ipv6_-mc-ac-fl-_list-from-parent.patch diff --git a/debian/changelog b/debian/changelog index ffd50528e..2cf1359b1 100644 --- a/debian/changelog +++ b/debian/changelog @@ -414,6 +414,7 @@ linux (4.9.30-1) UNRELEASED; urgency=medium (CVE-2017-0605) * dccp/tcp: do not inherit mc_list from parent (CVE-2017-8890) * ipv6: Prevent overrun when parsing v6 header options (CVE-2017-9074) + * sctp: do not inherit ipv6_{mc|ac|fl}_list from parent (CVE-2017-9075) -- Ben Hutchings Mon, 08 May 2017 21:11:08 +0200 diff --git a/debian/patches/bugfix/all/sctp-do-not-inherit-ipv6_-mc-ac-fl-_list-from-parent.patch b/debian/patches/bugfix/all/sctp-do-not-inherit-ipv6_-mc-ac-fl-_list-from-parent.patch new file mode 100644 index 000000000..aa157cc45 --- /dev/null +++ b/debian/patches/bugfix/all/sctp-do-not-inherit-ipv6_-mc-ac-fl-_list-from-parent.patch @@ -0,0 +1,34 @@ +From: Eric Dumazet +Date: Wed, 17 May 2017 07:16:40 -0700 +Subject: sctp: do not inherit ipv6_{mc|ac|fl}_list from parent +Origin: https://git.kernel.org/linus/fdcee2cbb8438702ea1b328fb6e0ac5e9a40c7f8 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-9075 + +SCTP needs fixes similar to 83eaddab4378 ("ipv6/dccp: do not inherit +ipv6_mc_list from parent"), otherwise bad things can happen. + +Signed-off-by: Eric Dumazet +Reported-by: Andrey Konovalov +Tested-by: Andrey Konovalov +Signed-off-by: David S. Miller +--- + net/sctp/ipv6.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/sctp/ipv6.c b/net/sctp/ipv6.c +index 142b70e..f5b45b8 100644 +--- a/net/sctp/ipv6.c ++++ b/net/sctp/ipv6.c +@@ -677,6 +677,9 @@ static struct sock *sctp_v6_create_accept_sk(struct sock *sk, + newnp = inet6_sk(newsk); + + memcpy(newnp, np, sizeof(struct ipv6_pinfo)); ++ newnp->ipv6_mc_list = NULL; ++ newnp->ipv6_ac_list = NULL; ++ newnp->ipv6_fl_list = NULL; + + rcu_read_lock(); + opt = rcu_dereference(np->opt); +-- +2.1.4 + diff --git a/debian/patches/series b/debian/patches/series index f6d35dbb6..91307daeb 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -107,6 +107,7 @@ debian/time-mark-timer_stats-as-broken.patch bugfix/all/tracing-Use-strlcpy-instead-of-strcpy-in-__trace_fin.patch bugfix/all/dccp-tcp-do-not-inherit-mc_list-from-parent.patch bugfix/all/ipv6-prevent-overrun-when-parsing-v6-header-options.patch +bugfix/all/sctp-do-not-inherit-ipv6_-mc-ac-fl-_list-from-parent.patch # Fix exported symbol versions bugfix/ia64/revert-ia64-move-exports-to-definitions.patch From 261dbebcde0bcb41ef4433e2b2ec4fd78f229913 Mon Sep 17 00:00:00 2001 From: Salvatore Bonaccorso Date: Thu, 1 Jun 2017 08:12:00 +0200 Subject: [PATCH 5/7] ipv6/dccp: do not inherit ipv6_mc_list from parent (CVE-2017-9076 CVE-2017-9077) --- debian/changelog | 2 + ...not-inherit-ipv6_mc_list-from-parent.patch | 66 +++++++++++++++++++ debian/patches/series | 1 + 3 files changed, 69 insertions(+) create mode 100644 debian/patches/bugfix/all/ipv6-dccp-do-not-inherit-ipv6_mc_list-from-parent.patch diff --git a/debian/changelog b/debian/changelog index 2cf1359b1..501a3c46c 100644 --- a/debian/changelog +++ b/debian/changelog @@ -415,6 +415,8 @@ linux (4.9.30-1) UNRELEASED; urgency=medium * dccp/tcp: do not inherit mc_list from parent (CVE-2017-8890) * ipv6: Prevent overrun when parsing v6 header options (CVE-2017-9074) * sctp: do not inherit ipv6_{mc|ac|fl}_list from parent (CVE-2017-9075) + * ipv6/dccp: do not inherit ipv6_mc_list from parent (CVE-2017-9076 + CVE-2017-9077) -- Ben Hutchings Mon, 08 May 2017 21:11:08 +0200 diff --git a/debian/patches/bugfix/all/ipv6-dccp-do-not-inherit-ipv6_mc_list-from-parent.patch b/debian/patches/bugfix/all/ipv6-dccp-do-not-inherit-ipv6_mc_list-from-parent.patch new file mode 100644 index 000000000..3553cea2d --- /dev/null +++ b/debian/patches/bugfix/all/ipv6-dccp-do-not-inherit-ipv6_mc_list-from-parent.patch @@ -0,0 +1,66 @@ +From: WANG Cong +Date: Tue, 9 May 2017 16:59:54 -0700 +Subject: ipv6/dccp: do not inherit ipv6_mc_list from parent +Origin: https://git.kernel.org/linus/83eaddab4378db256d00d295bda6ca997cd13a52 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-9076 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-9077 + +Like commit 657831ffc38e ("dccp/tcp: do not inherit mc_list from parent") +we should clear ipv6_mc_list etc. for IPv6 sockets too. + +Cc: Eric Dumazet +Signed-off-by: Cong Wang +Acked-by: Eric Dumazet +Signed-off-by: David S. Miller +--- + net/dccp/ipv6.c | 6 ++++++ + net/ipv6/tcp_ipv6.c | 2 ++ + 2 files changed, 8 insertions(+) + +diff --git a/net/dccp/ipv6.c b/net/dccp/ipv6.c +index d9b6a4e..b6bbb71 100644 +--- a/net/dccp/ipv6.c ++++ b/net/dccp/ipv6.c +@@ -426,6 +426,9 @@ static struct sock *dccp_v6_request_recv_sock(const struct sock *sk, + newsk->sk_backlog_rcv = dccp_v4_do_rcv; + newnp->pktoptions = NULL; + newnp->opt = NULL; ++ newnp->ipv6_mc_list = NULL; ++ newnp->ipv6_ac_list = NULL; ++ newnp->ipv6_fl_list = NULL; + newnp->mcast_oif = inet6_iif(skb); + newnp->mcast_hops = ipv6_hdr(skb)->hop_limit; + +@@ -490,6 +493,9 @@ static struct sock *dccp_v6_request_recv_sock(const struct sock *sk, + /* Clone RX bits */ + newnp->rxopt.all = np->rxopt.all; + ++ newnp->ipv6_mc_list = NULL; ++ newnp->ipv6_ac_list = NULL; ++ newnp->ipv6_fl_list = NULL; + newnp->pktoptions = NULL; + newnp->opt = NULL; + newnp->mcast_oif = inet6_iif(skb); +diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c +index aeb9497..df5a9ff 100644 +--- a/net/ipv6/tcp_ipv6.c ++++ b/net/ipv6/tcp_ipv6.c +@@ -1062,6 +1062,7 @@ static struct sock *tcp_v6_syn_recv_sock(const struct sock *sk, struct sk_buff * + newtp->af_specific = &tcp_sock_ipv6_mapped_specific; + #endif + ++ newnp->ipv6_mc_list = NULL; + newnp->ipv6_ac_list = NULL; + newnp->ipv6_fl_list = NULL; + newnp->pktoptions = NULL; +@@ -1131,6 +1132,7 @@ static struct sock *tcp_v6_syn_recv_sock(const struct sock *sk, struct sk_buff * + First: no IPv4 options. + */ + newinet->inet_opt = NULL; ++ newnp->ipv6_mc_list = NULL; + newnp->ipv6_ac_list = NULL; + newnp->ipv6_fl_list = NULL; + +-- +2.1.4 + diff --git a/debian/patches/series b/debian/patches/series index 91307daeb..0ea503a42 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -108,6 +108,7 @@ bugfix/all/tracing-Use-strlcpy-instead-of-strcpy-in-__trace_fin.patch bugfix/all/dccp-tcp-do-not-inherit-mc_list-from-parent.patch bugfix/all/ipv6-prevent-overrun-when-parsing-v6-header-options.patch bugfix/all/sctp-do-not-inherit-ipv6_-mc-ac-fl-_list-from-parent.patch +bugfix/all/ipv6-dccp-do-not-inherit-ipv6_mc_list-from-parent.patch # Fix exported symbol versions bugfix/ia64/revert-ia64-move-exports-to-definitions.patch From cd87fb7a86f1098194adbe71d70faceec905a52a Mon Sep 17 00:00:00 2001 From: Salvatore Bonaccorso Date: Thu, 1 Jun 2017 08:28:54 +0200 Subject: [PATCH 6/7] crypto: skcipher - Add missing API setkey checks (CVE-2017-9211) --- debian/changelog | 1 + ...cipher-Add-missing-api-setkey-checks.patch | 78 +++++++++++++++++++ debian/patches/series | 1 + 3 files changed, 80 insertions(+) create mode 100644 debian/patches/bugfix/all/crypto-skcipher-Add-missing-api-setkey-checks.patch diff --git a/debian/changelog b/debian/changelog index 501a3c46c..cc7b9bc1f 100644 --- a/debian/changelog +++ b/debian/changelog @@ -417,6 +417,7 @@ linux (4.9.30-1) UNRELEASED; urgency=medium * sctp: do not inherit ipv6_{mc|ac|fl}_list from parent (CVE-2017-9075) * ipv6/dccp: do not inherit ipv6_mc_list from parent (CVE-2017-9076 CVE-2017-9077) + * crypto: skcipher - Add missing API setkey checks (CVE-2017-9211) -- Ben Hutchings Mon, 08 May 2017 21:11:08 +0200 diff --git a/debian/patches/bugfix/all/crypto-skcipher-Add-missing-api-setkey-checks.patch b/debian/patches/bugfix/all/crypto-skcipher-Add-missing-api-setkey-checks.patch new file mode 100644 index 000000000..348bb5f4f --- /dev/null +++ b/debian/patches/bugfix/all/crypto-skcipher-Add-missing-api-setkey-checks.patch @@ -0,0 +1,78 @@ +From: Herbert Xu +Date: Wed, 10 May 2017 03:48:23 +0800 +Subject: crypto: skcipher - Add missing API setkey checks +Origin: https://git.kernel.org/linus/9933e113c2e87a9f46a40fde8dafbf801dca1ab9 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-9211 + +The API setkey checks for key sizes and alignment went AWOL during the +skcipher conversion. This patch restores them. + +Cc: +Fixes: 4e6c3df4d729 ("crypto: skcipher - Add low-level skcipher...") +Reported-by: Baozeng +Signed-off-by: Herbert Xu +--- + crypto/skcipher.c | 40 +++++++++++++++++++++++++++++++++++++++- + 1 file changed, 39 insertions(+), 1 deletion(-) + +diff --git a/crypto/skcipher.c b/crypto/skcipher.c +index 014af74..4faa0fd 100644 +--- a/crypto/skcipher.c ++++ b/crypto/skcipher.c +@@ -764,6 +764,44 @@ static int crypto_init_skcipher_ops_ablkcipher(struct crypto_tfm *tfm) + return 0; + } + ++static int skcipher_setkey_unaligned(struct crypto_skcipher *tfm, ++ const u8 *key, unsigned int keylen) ++{ ++ unsigned long alignmask = crypto_skcipher_alignmask(tfm); ++ struct skcipher_alg *cipher = crypto_skcipher_alg(tfm); ++ u8 *buffer, *alignbuffer; ++ unsigned long absize; ++ int ret; ++ ++ absize = keylen + alignmask; ++ buffer = kmalloc(absize, GFP_ATOMIC); ++ if (!buffer) ++ return -ENOMEM; ++ ++ alignbuffer = (u8 *)ALIGN((unsigned long)buffer, alignmask + 1); ++ memcpy(alignbuffer, key, keylen); ++ ret = cipher->setkey(tfm, alignbuffer, keylen); ++ kzfree(buffer); ++ return ret; ++} ++ ++static int skcipher_setkey(struct crypto_skcipher *tfm, const u8 *key, ++ unsigned int keylen) ++{ ++ struct skcipher_alg *cipher = crypto_skcipher_alg(tfm); ++ unsigned long alignmask = crypto_skcipher_alignmask(tfm); ++ ++ if (keylen < cipher->min_keysize || keylen > cipher->max_keysize) { ++ crypto_skcipher_set_flags(tfm, CRYPTO_TFM_RES_BAD_KEY_LEN); ++ return -EINVAL; ++ } ++ ++ if ((unsigned long)key & alignmask) ++ return skcipher_setkey_unaligned(tfm, key, keylen); ++ ++ return cipher->setkey(tfm, key, keylen); ++} ++ + static void crypto_skcipher_exit_tfm(struct crypto_tfm *tfm) + { + struct crypto_skcipher *skcipher = __crypto_skcipher_cast(tfm); +@@ -784,7 +822,7 @@ static int crypto_skcipher_init_tfm(struct crypto_tfm *tfm) + tfm->__crt_alg->cra_type == &crypto_givcipher_type) + return crypto_init_skcipher_ops_ablkcipher(tfm); + +- skcipher->setkey = alg->setkey; ++ skcipher->setkey = skcipher_setkey; + skcipher->encrypt = alg->encrypt; + skcipher->decrypt = alg->decrypt; + skcipher->ivsize = alg->ivsize; +-- +2.1.4 + diff --git a/debian/patches/series b/debian/patches/series index 0ea503a42..3a3e27b0b 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -109,6 +109,7 @@ bugfix/all/dccp-tcp-do-not-inherit-mc_list-from-parent.patch bugfix/all/ipv6-prevent-overrun-when-parsing-v6-header-options.patch bugfix/all/sctp-do-not-inherit-ipv6_-mc-ac-fl-_list-from-parent.patch bugfix/all/ipv6-dccp-do-not-inherit-ipv6_mc_list-from-parent.patch +bugfix/all/crypto-skcipher-Add-missing-api-setkey-checks.patch # Fix exported symbol versions bugfix/ia64/revert-ia64-move-exports-to-definitions.patch From 2502943c58ff305a8e09b8f804d8a49b5b57fff9 Mon Sep 17 00:00:00 2001 From: Salvatore Bonaccorso Date: Thu, 1 Jun 2017 08:36:43 +0200 Subject: [PATCH 7/7] ipv6: fix out of bound writes in __ip6_append_data() (CVE-2017-9242) --- debian/changelog | 1 + ...of-bound-writes-in-__ip6_append_data.patch | 67 +++++++++++++++++++ debian/patches/series | 1 + 3 files changed, 69 insertions(+) create mode 100644 debian/patches/bugfix/all/ipv6-fix-out-of-bound-writes-in-__ip6_append_data.patch diff --git a/debian/changelog b/debian/changelog index cc7b9bc1f..9757cfe5b 100644 --- a/debian/changelog +++ b/debian/changelog @@ -418,6 +418,7 @@ linux (4.9.30-1) UNRELEASED; urgency=medium * ipv6/dccp: do not inherit ipv6_mc_list from parent (CVE-2017-9076 CVE-2017-9077) * crypto: skcipher - Add missing API setkey checks (CVE-2017-9211) + * ipv6: fix out of bound writes in __ip6_append_data() (CVE-2017-9242) -- Ben Hutchings Mon, 08 May 2017 21:11:08 +0200 diff --git a/debian/patches/bugfix/all/ipv6-fix-out-of-bound-writes-in-__ip6_append_data.patch b/debian/patches/bugfix/all/ipv6-fix-out-of-bound-writes-in-__ip6_append_data.patch new file mode 100644 index 000000000..3a2bf7834 --- /dev/null +++ b/debian/patches/bugfix/all/ipv6-fix-out-of-bound-writes-in-__ip6_append_data.patch @@ -0,0 +1,67 @@ +From: Eric Dumazet +Date: Fri, 19 May 2017 14:17:48 -0700 +Subject: ipv6: fix out of bound writes in __ip6_append_data() +Origin: https://git.kernel.org/linus/232cd35d0804cc241eb887bb8d4d9b3b9881c64a +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-9242 + +Andrey Konovalov and idaifish@gmail.com reported crashes caused by +one skb shared_info being overwritten from __ip6_append_data() + +Andrey program lead to following state : + +copy -4200 datalen 2000 fraglen 2040 +maxfraglen 2040 alloclen 2048 transhdrlen 0 offset 0 fraggap 6200 + +The skb_copy_and_csum_bits(skb_prev, maxfraglen, data + transhdrlen, +fraggap, 0); is overwriting skb->head and skb_shared_info + +Since we apparently detect this rare condition too late, move the +code earlier to even avoid allocating skb and risking crashes. + +Once again, many thanks to Andrey and syzkaller team. + +Signed-off-by: Eric Dumazet +Reported-by: Andrey Konovalov +Tested-by: Andrey Konovalov +Reported-by: +Signed-off-by: David S. Miller +--- + net/ipv6/ip6_output.c | 15 ++++++++------- + 1 file changed, 8 insertions(+), 7 deletions(-) + +diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c +index d4a31be..bf8a58a 100644 +--- a/net/ipv6/ip6_output.c ++++ b/net/ipv6/ip6_output.c +@@ -1466,6 +1466,11 @@ static int __ip6_append_data(struct sock *sk, + */ + alloclen += sizeof(struct frag_hdr); + ++ copy = datalen - transhdrlen - fraggap; ++ if (copy < 0) { ++ err = -EINVAL; ++ goto error; ++ } + if (transhdrlen) { + skb = sock_alloc_send_skb(sk, + alloclen + hh_len, +@@ -1515,13 +1520,9 @@ static int __ip6_append_data(struct sock *sk, + data += fraggap; + pskb_trim_unique(skb_prev, maxfraglen); + } +- copy = datalen - transhdrlen - fraggap; +- +- if (copy < 0) { +- err = -EINVAL; +- kfree_skb(skb); +- goto error; +- } else if (copy > 0 && getfrag(from, data + transhdrlen, offset, copy, fraggap, skb) < 0) { ++ if (copy > 0 && ++ getfrag(from, data + transhdrlen, offset, ++ copy, fraggap, skb) < 0) { + err = -EFAULT; + kfree_skb(skb); + goto error; +-- +2.1.4 + diff --git a/debian/patches/series b/debian/patches/series index 3a3e27b0b..cd9253c85 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -110,6 +110,7 @@ bugfix/all/ipv6-prevent-overrun-when-parsing-v6-header-options.patch bugfix/all/sctp-do-not-inherit-ipv6_-mc-ac-fl-_list-from-parent.patch bugfix/all/ipv6-dccp-do-not-inherit-ipv6_mc_list-from-parent.patch bugfix/all/crypto-skcipher-Add-missing-api-setkey-checks.patch +bugfix/all/ipv6-fix-out-of-bound-writes-in-__ip6_append_data.patch # Fix exported symbol versions bugfix/ia64/revert-ia64-move-exports-to-definitions.patch