[SRU][Trusty][Zesty][PATCH 0/1] Fix for CVE-2017-7542


[SRU][Trusty][Zesty][PATCH 0/1] Fix for CVE-2017-7542

Kleber Souza
Clean cherry-pick for Trusty and Zesty; the other supported series are
either not affected or have already been fixed.

Sabrina Dubroca (1):
  ipv6: avoid overflow of offset in ip6_find_1stfragopt

 net/ipv6/output_core.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

--
2.14.1


--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team

[SRU][Trusty][Zesty][PATCH 1/1] ipv6: avoid overflow of offset in ip6_find_1stfragopt

Kleber Souza
From: Sabrina Dubroca <[hidden email]>

In some cases, offset can overflow and can cause an infinite loop in
ip6_find_1stfragopt(). Make it unsigned int to prevent the overflow, and
cap it at IPV6_MAXPLEN, since packets larger than that should be invalid.

This problem has been here since before the beginning of git history.

Signed-off-by: Sabrina Dubroca <[hidden email]>
Acked-by: Hannes Frederic Sowa <[hidden email]>
Signed-off-by: David S. Miller <[hidden email]>

CVE-2017-7542
(cherry picked from commit 6399f1fae4ec29fab5ec76070435555e256ca3a6)
Signed-off-by: Kleber Sacilotto de Souza <[hidden email]>
---
 net/ipv6/output_core.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/net/ipv6/output_core.c b/net/ipv6/output_core.c
index e9065b8d3af8..abb2c307fbe8 100644
--- a/net/ipv6/output_core.c
+++ b/net/ipv6/output_core.c
@@ -78,7 +78,7 @@ EXPORT_SYMBOL(ipv6_select_ident);
 
 int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr)
 {
- u16 offset = sizeof(struct ipv6hdr);
+ unsigned int offset = sizeof(struct ipv6hdr);
  unsigned int packet_len = skb_tail_pointer(skb) -
  skb_network_header(skb);
  int found_rhdr = 0;
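Review bot: widening `offset` from `u16` to `unsigned int` removes the wrap the commit message describes, but by itself it does not bound the value: `offset` would now simply keep growing for as long as `offset <= packet_len` holds, so this hunk is only sound together with the `IPV6_MAXPLEN` check added in the third hunk and the two should never be split. As a side effect the `while` comparison is now between two `unsigned int` operands (`packet_len` already had that type), which is the intended outcome.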
@@ -86,6 +86,7 @@ int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr)
 
  while (offset <= packet_len) {
  struct ipv6_opt_hdr *exthdr;
+ unsigned int len;
 
  switch (**nexthdr) {
 
@@ -111,7 +112,10 @@ int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr)
 
  exthdr = (struct ipv6_opt_hdr *)(skb_network_header(skb) +
  offset);
- offset += ipv6_optlen(exthdr);
+ len = ipv6_optlen(exthdr);
+ if (len + offset >= IPV6_MAXPLEN)
+ return -EINVAL;
+ offset += len;
  *nexthdr = &exthdr->nexthdr;
  }
 
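Review bot: the new cap `if (len + offset >= IPV6_MAXPLEN)` compares an offset that starts at `sizeof(struct ipv6hdr)`, so it already includes the fixed header, against `IPV6_MAXPLEN`, which is a payload-length maximum, and it rejects with `>=` rather than `>`; the NACK later in this thread asks for 3de33e1ba0506723ab25734e098cf280ecc34756 ("ipv6: accept 64k - 1 packet length in ip6_find_1stfragopt()") to be picked together with this change, so the boundary of this check should be re-examined against that follow-up before the SRU lands. With `len` and `offset` both `unsigned int`, the sum `len + offset` can no longer wrap, and returning `-EINVAL` gives the loop a guaranteed exit, which is what closes the infinite-loop case.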
--
2.14.1


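As an added user-space model of the walk the commit message describes (not the kernel's code and not part of this patch): a constructed chain of destination-options headers is walked with the post-patch `unsigned int` offset and `IPV6_MAXPLEN` cap, and a chain that would push the offset to the cap is rejected with `-EINVAL` instead of the offset growing unbounded. The constants, the `find_1stfragopt` and `walk_constructed_chain` helpers and the 70000-byte test buffer are assumptions of this model.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>

/* User-space model of the patched ip6_find_1stfragopt() walk: added example,
 * not the kernel's code.  Only the "walk over a destination-options header"
 * branch and the post-patch IPV6_MAXPLEN cap are modelled. */
#define IPV6_HDRLEN   40      /* sizeof(struct ipv6hdr) */
#define IPV6_MAXPLEN  65535
#define NEXTHDR_DEST  60
#define NEXTHDR_TCP   6

/* ipv6_optlen(): the length field counts 8-octet units, excluding the first */
static unsigned int ipv6_optlen(const uint8_t *h) { return ((unsigned int)h[1] + 1) * 8; }

/* Returns the offset of the first header that is not walked over (where a
 * fragment header would be inserted), or -EINVAL once the chain would push
 * the offset to IPV6_MAXPLEN or beyond.  `offset` is unsigned int, as patched. */
static long find_1stfragopt(const uint8_t *pkt, unsigned int packet_len, uint8_t nexthdr)
{
    unsigned int offset = IPV6_HDRLEN;
    while (offset <= packet_len) {
        unsigned int len;
        if (nexthdr != NEXTHDR_DEST)       /* stand-in for the switch's default: */
            return offset;                 /* stop at the first non-walkable header */
        const uint8_t *exthdr = pkt + offset;
        len = ipv6_optlen(exthdr);
        if (len + offset >= IPV6_MAXPLEN)  /* the cap added by the patch */
            return -EINVAL;
        offset += len;
        nexthdr = exthdr[0];
    }
    return offset;
}

/* Constructed test buffer (assumption): `count` destination-options headers
 * with the given 8-octet length field, followed by a 20-byte TCP header. */
static uint8_t g_pkt[70000];

static long walk_constructed_chain(unsigned int count, uint8_t hdrlen)
{
    unsigned int off = IPV6_HDRLEN;
    memset(g_pkt, 0, sizeof g_pkt);
    for (unsigned int i = 0; i < count; i++) {
        g_pkt[off]     = (i + 1 < count) ? NEXTHDR_DEST : NEXTHDR_TCP;
        g_pkt[off + 1] = hdrlen;
        off += ((unsigned int)hdrlen + 1) * 8;
    }
    /* packet_len covers the chain plus the TCP header that follows it */
    return find_1stfragopt(g_pkt, off + 20, count ? NEXTHDR_DEST : NEXTHDR_TCP);
}
```

A chain of 32 maximum-size (2048-byte) destination-options headers trips the cap on the 32nd header, where `len + offset` would reach 65576; shorter chains return the offset of the TCP header as before.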

ACK: [SRU][Trusty][Zesty][PATCH 1/1] ipv6: avoid overflow of offset in ip6_find_1stfragopt

Colin King
On 30/11/17 13:13, Kleber Sacilotto de Souza wrote:

> From: Sabrina Dubroca <[hidden email]>
>
> In some cases, offset can overflow and can cause an infinite loop in
> ip6_find_1stfragopt(). Make it unsigned int to prevent the overflow, and
> cap it at IPV6_MAXPLEN, since packets larger than that should be invalid.
>
> This problem has been here since before the beginning of git history.
>
> Signed-off-by: Sabrina Dubroca <[hidden email]>
> Acked-by: Hannes Frederic Sowa <[hidden email]>
> Signed-off-by: David S. Miller <[hidden email]>
>
> CVE-2017-7542
> (cherry picked from commit 6399f1fae4ec29fab5ec76070435555e256ca3a6)
> Signed-off-by: Kleber Sacilotto de Souza <[hidden email]>
> ---
>  net/ipv6/output_core.c | 8 ++++++--
>  1 file changed, 6 insertions(+), 2 deletions(-)
>
> diff --git a/net/ipv6/output_core.c b/net/ipv6/output_core.c
> index e9065b8d3af8..abb2c307fbe8 100644
> --- a/net/ipv6/output_core.c
> +++ b/net/ipv6/output_core.c
> @@ -78,7 +78,7 @@ EXPORT_SYMBOL(ipv6_select_ident);
>  
>  int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr)
>  {
> - u16 offset = sizeof(struct ipv6hdr);
> + unsigned int offset = sizeof(struct ipv6hdr);
>   unsigned int packet_len = skb_tail_pointer(skb) -
>   skb_network_header(skb);
>   int found_rhdr = 0;
> @@ -86,6 +86,7 @@ int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr)
>  
>   while (offset <= packet_len) {
>   struct ipv6_opt_hdr *exthdr;
> + unsigned int len;
>  
>   switch (**nexthdr) {
>  
> @@ -111,7 +112,10 @@ int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr)
>  
>   exthdr = (struct ipv6_opt_hdr *)(skb_network_header(skb) +
>   offset);
> - offset += ipv6_optlen(exthdr);
> + len = ipv6_optlen(exthdr);
> + if (len + offset >= IPV6_MAXPLEN)
> + return -EINVAL;
> + offset += len;
>   *nexthdr = &exthdr->nexthdr;
>   }
>  
>
Clean upstream cherry pick, looks totally fine to me.

Acked-by: Colin Ian King <[hidden email]>


NACK: [SRU][Trusty][Zesty][PATCH 0/1] Fix for CVE-2017-7542

Thadeu Lima de Souza Cascardo-3
On Thu, Nov 30, 2017 at 02:13:48PM +0100, Kleber Sacilotto de Souza wrote:
> Clean cherry-pick for Trusty and Zesty; the other supported series are
> either not affected or have already been fixed.
>
> Sabrina Dubroca (1):
>   ipv6: avoid overflow of offset in ip6_find_1stfragopt
>

You also need to pick 3de33e1ba0506723ab25734e098cf280ecc34756 ("ipv6:
accept 64k - 1 packet length in ip6_find_1stfragopt()").

Cascardo.

>  net/ipv6/output_core.c | 8 ++++++--
>  1 file changed, 6 insertions(+), 2 deletions(-)
>
> --
> 2.14.1
>
>
