[Trusty][Zesty][SRU][PATCH 0/1] Fix for CVE-2017-18017

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
6 messages Options
Reply | Threaded
Open this post in threaded view
|

[Trusty][Zesty][SRU][PATCH 0/1] Fix for CVE-2017-18017

Po-Hsu Lin (Sam)
From our CVE tracker, only Trusty and Zesty need this patch
and it can be cherry-picked for both of them.

This patch fixes an use after free issue in xt_TCPMSS.

Eric Dumazet (1):
  netfilter: xt_TCPMSS: add more sanity tests on tcph->doff

 net/netfilter/xt_TCPMSS.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

--
2.7.4


--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team
Reply | Threaded
Open this post in threaded view
|

[CVE-2017-18017][Trusty][Zesty][PATCH 1/1] netfilter: xt_TCPMSS: add more sanity tests on tcph->doff

Po-Hsu Lin (Sam)
From: Eric Dumazet <[hidden email]>

CVE-2017-18017

Denys provided an awesome KASAN report pointing to an use
after free in xt_TCPMSS

I have provided three patches to fix this issue, either in xt_TCPMSS or
in xt_tcpudp.c. It seems xt_TCPMSS patch has the smallest possible
impact.

Signed-off-by: Eric Dumazet <[hidden email]>
Reported-by: Denys Fedoryshchenko <[hidden email]>
Signed-off-by: Pablo Neira Ayuso <[hidden email]>
(cherry picked from commit 2638fd0f92d4397884fd991d8f4925cb3f081901)
Signed-off-by: Po-Hsu Lin <[hidden email]>
---
 net/netfilter/xt_TCPMSS.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/net/netfilter/xt_TCPMSS.c b/net/netfilter/xt_TCPMSS.c
index e762de5..6531d70 100644
--- a/net/netfilter/xt_TCPMSS.c
+++ b/net/netfilter/xt_TCPMSS.c
@@ -104,7 +104,7 @@ tcpmss_mangle_packet(struct sk_buff *skb,
  tcph = (struct tcphdr *)(skb_network_header(skb) + tcphoff);
  tcp_hdrlen = tcph->doff * 4;
 
- if (len < tcp_hdrlen)
+ if (len < tcp_hdrlen || tcp_hdrlen < sizeof(struct tcphdr))
  return -1;
 
  if (info->mss == XT_TCPMSS_CLAMP_PMTU) {
@@ -156,6 +156,10 @@ tcpmss_mangle_packet(struct sk_buff *skb,
  if (len > tcp_hdrlen)
  return 0;
 
+ /* tcph->doff has 4 bits, do not wrap it to 0 */
+ if (tcp_hdrlen >= 15 * 4)
+ return 0;
+
  /*
  * MSS Option not found ?! add it..
  */
--
2.7.4


--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team
Reply | Threaded
Open this post in threaded view
|

ACK/cmnt: [Trusty][Zesty][SRU][PATCH 0/1] Fix for CVE-2017-18017

Khalid Elmously
In reply to this post by Po-Hsu Lin (Sam)
Patch looks good but Zesty has been EOL'd.


On 2018-01-09 11:30:18 , Po-Hsu Lin wrote:

> From our CVE tracker, only Trusty and Zesty need this patch
> and it can be cherry-picked for both of them.
>
> This patch fixes an use after free issue in xt_TCPMSS.
>
> Eric Dumazet (1):
>   netfilter: xt_TCPMSS: add more sanity tests on tcph->doff
>
>  net/netfilter/xt_TCPMSS.c | 6 +++++-
>  1 file changed, 5 insertions(+), 1 deletion(-)
>
> --

Acked-by: Khalid Elmously  <[hidden email]>

--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team
Reply | Threaded
Open this post in threaded view
|

ACK[T]/NACK[Z]: [CVE-2017-18017][Trusty][Zesty][PATCH 1/1] netfilter: xt_TCPMSS: add more sanity tests on tcph->doff

Khalid Elmously
In reply to this post by Po-Hsu Lin (Sam)

On 2018-01-09 11:30:19 , Po-Hsu Lin wrote:

> From: Eric Dumazet <[hidden email]>
>
> CVE-2017-18017
>
> Denys provided an awesome KASAN report pointing to an use
> after free in xt_TCPMSS
>
> I have provided three patches to fix this issue, either in xt_TCPMSS or
> in xt_tcpudp.c. It seems xt_TCPMSS patch has the smallest possible
> impact.
>
> Signed-off-by: Eric Dumazet <[hidden email]>
> Reported-by: Denys Fedoryshchenko <[hidden email]>
> Signed-off-by: Pablo Neira Ayuso <[hidden email]>
> (cherry picked from commit 2638fd0f92d4397884fd991d8f4925cb3f081901)
> Signed-off-by: Po-Hsu Lin <[hidden email]>
> ---
>  net/netfilter/xt_TCPMSS.c | 6 +++++-
>  1 file changed, 5 insertions(+), 1 deletion(-)
>
> diff --git a/net/netfilter/xt_TCPMSS.c b/net/netfilter/xt_TCPMSS.c
> index e762de5..6531d70 100644
> --- a/net/netfilter/xt_TCPMSS.c
> +++ b/net/netfilter/xt_TCPMSS.c
> @@ -104,7 +104,7 @@ tcpmss_mangle_packet(struct sk_buff *skb,
>   tcph = (struct tcphdr *)(skb_network_header(skb) + tcphoff);
>   tcp_hdrlen = tcph->doff * 4;
>  
> - if (len < tcp_hdrlen)
> + if (len < tcp_hdrlen || tcp_hdrlen < sizeof(struct tcphdr))
>   return -1;
>  
>   if (info->mss == XT_TCPMSS_CLAMP_PMTU) {
> @@ -156,6 +156,10 @@ tcpmss_mangle_packet(struct sk_buff *skb,
>   if (len > tcp_hdrlen)
>   return 0;
>  
> + /* tcph->doff has 4 bits, do not wrap it to 0 */
> + if (tcp_hdrlen >= 15 * 4)
> + return 0;
> +
>   /*
>   * MSS Option not found ?! add it..
>   */

NACK for Zesty because it's EOL.

Ack for Trusty:
Acked-by: Khalid Elmously <[hidden email]>

--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team
Reply | Threaded
Open this post in threaded view
|

ACK[T]: [CVE-2017-18017][Trusty][Zesty][PATCH 1/1] netfilter: xt_TCPMSS: add more sanity tests on tcph->doff

Kamal Mostafa-2
In reply to this post by Po-Hsu Lin (Sam)

Acked-by: Kamal Mostafa <[hidden email]>

--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team
Reply | Threaded
Open this post in threaded view
|

APPLIED[T]: [CVE-2017-18017][Trusty][Zesty][PATCH 1/1] netfilter: xt_TCPMSS: add more sanity tests on tcph->doff

Stefan Bader-2
In reply to this post by Po-Hsu Lin (Sam)
On 09.01.2018 04:30, Po-Hsu Lin wrote:

> From: Eric Dumazet <[hidden email]>
>
> CVE-2017-18017
>
> Denys provided an awesome KASAN report pointing to an use
> after free in xt_TCPMSS
>
> I have provided three patches to fix this issue, either in xt_TCPMSS or
> in xt_tcpudp.c. It seems xt_TCPMSS patch has the smallest possible
> impact.
>
> Signed-off-by: Eric Dumazet <[hidden email]>
> Reported-by: Denys Fedoryshchenko <[hidden email]>
> Signed-off-by: Pablo Neira Ayuso <[hidden email]>
> (cherry picked from commit 2638fd0f92d4397884fd991d8f4925cb3f081901)
> Signed-off-by: Po-Hsu Lin <[hidden email]>
> ---
>  net/netfilter/xt_TCPMSS.c | 6 +++++-
>  1 file changed, 5 insertions(+), 1 deletion(-)
>
> diff --git a/net/netfilter/xt_TCPMSS.c b/net/netfilter/xt_TCPMSS.c
> index e762de5..6531d70 100644
> --- a/net/netfilter/xt_TCPMSS.c
> +++ b/net/netfilter/xt_TCPMSS.c
> @@ -104,7 +104,7 @@ tcpmss_mangle_packet(struct sk_buff *skb,
>   tcph = (struct tcphdr *)(skb_network_header(skb) + tcphoff);
>   tcp_hdrlen = tcph->doff * 4;
>  
> - if (len < tcp_hdrlen)
> + if (len < tcp_hdrlen || tcp_hdrlen < sizeof(struct tcphdr))
>   return -1;
>  
>   if (info->mss == XT_TCPMSS_CLAMP_PMTU) {
> @@ -156,6 +156,10 @@ tcpmss_mangle_packet(struct sk_buff *skb,
>   if (len > tcp_hdrlen)
>   return 0;
>  
> + /* tcph->doff has 4 bits, do not wrap it to 0 */
> + if (tcp_hdrlen >= 15 * 4)
> + return 0;
> +
>   /*
>   * MSS Option not found ?! add it..
>   */
>


--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team

signature.asc (836 bytes) Download Attachment