author    Takashi Iwai <tiwai@suse.de>    2017-03-30 08:56:24 +0200
committer Takashi Iwai <tiwai@suse.de>    2017-03-30 08:56:24 +0200
commit    077b9af2b01def4b54f1ea68d7d9f9dcbf97bd18 (patch)
tree      6ea99c492385e3905fd30b76629973af0ff73493
parent    06abe5a51838b973bf06d4ab54e80f7d80051131 (diff)
parent    b0245aed25449d0dc616a796ae7625bc507a0c5d (diff)

Merge branch 'SLE12-SP2' into SLE12-SP3 (rpm-4.4.57-1)
Conflicts: series.conf
-rw-r--r--  patches.fixes/xfrm_user-validate-XFRM_MSG_NEWAE-XFRMA_REPLAY_ESN_V.patch  | 49
-rw-r--r--  patches.fixes/xfrm_user-validate-XFRM_MSG_NEWAE-incoming-ESN-size-.patch  | 51
-rw-r--r--  series.conf                                                               |  2
3 files changed, 102 insertions, 0 deletions
diff --git a/patches.fixes/xfrm_user-validate-XFRM_MSG_NEWAE-XFRMA_REPLAY_ESN_V.patch b/patches.fixes/xfrm_user-validate-XFRM_MSG_NEWAE-XFRMA_REPLAY_ESN_V.patch
new file mode 100644
index 0000000000..5c17941a24
--- /dev/null
+++ b/patches.fixes/xfrm_user-validate-XFRM_MSG_NEWAE-XFRMA_REPLAY_ESN_V.patch
@@ -0,0 +1,49 @@
+From: Andy Whitcroft <apw@canonical.com>
+Date: Wed, 22 Mar 2017 07:29:31 +0000
+Subject: xfrm_user: validate XFRM_MSG_NEWAE XFRMA_REPLAY_ESN_VAL replay_window
+Patch-mainline: Not yet, embargoed
+References: CVE-2017-7184 bsc#1030573
+
+When a new xfrm state is created during an XFRM_MSG_NEWSA call we validate
+the user supplied replay_esn to ensure that the size is valid and to ensure
+that the replay_window size is within the allocated buffer. However later
+it is possible to update this replay_esn via a XFRM_MSG_NEWAE call.
+There we again validate the size of the supplied buffer matches the
+existing state and if so inject the contents. We do not at this point
+check that the replay_window is within the allocated memory. This leads
+to out-of-bounds reads and writes triggered by netlink packets. This leads
+to memory corruption and the potential for priviledge escalation.
+
+We already attempt to validate the incoming replay information in
+xfrm_new_ae() via xfrm_replay_verify_len(). This confirms that the
+user is not trying to change the size of the replay state buffer which
+includes the replay_esn. It however does not check the replay_window
+remains within that buffer. Add validation of the contained replay_window.
+
+CVE-2017-7184
+ZDI-CAN-4586
+Signed-off-by: Andy Whitcroft <apw@canonical.com>
+Reviewed-by: Tyler Hicks <tyhicks@canonical.com>
+Reviewed-by: John Johansen <john.johansen@canonical.com>
+Acked-by: Michal Kubecek <mkubecek@suse.cz>
+---
+ net/xfrm/xfrm_user.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
+index 805681a7d356..0e1f833bc77d 100644
+--- a/net/xfrm/xfrm_user.c
++++ b/net/xfrm/xfrm_user.c
+@@ -415,6 +415,9 @@ static inline int xfrm_replay_verify_len(struct xfrm_replay_state_esn *replay_es
+ if (nla_len(rp) < ulen || xfrm_replay_state_esn_len(replay_esn) != ulen)
+ return -EINVAL;
+
++ if (up->replay_window > up->bmp_len * sizeof(__u32) * 8)
++ return -EINVAL;
++
+ return 0;
+ }
+
+--
+2.12.0
+
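Review bot: the added `up->replay_window > up->bmp_len * sizeof(__u32) * 8` comparison dereferences `up` before anything has established that the attribute is at least `sizeof(*up)` bytes long; the only preceding length check is `nla_len(rp) < ulen`, and `ulen` is itself computed from `up->bmp_len`, so for a short XFRMA_REPLAY_ESN_VAL attribute both the existing and the new check work on fields read from beyond the attribute. Suggest `if (nla_len(rp) < sizeof(*up)) return -EINVAL;` before `up = nla_data(rp)`; the companion patch in this merge adds exactly that guard, so the two patches must always be applied together and in this order. The `Patch-mainline: Not yet, embargoed` header should be replaced with the upstream commit reference once the fix is public.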
diff --git a/patches.fixes/xfrm_user-validate-XFRM_MSG_NEWAE-incoming-ESN-size-.patch b/patches.fixes/xfrm_user-validate-XFRM_MSG_NEWAE-incoming-ESN-size-.patch
new file mode 100644
index 0000000000..a6d2a64d26
--- /dev/null
+++ b/patches.fixes/xfrm_user-validate-XFRM_MSG_NEWAE-incoming-ESN-size-.patch
@@ -0,0 +1,51 @@
+From: Andy Whitcroft <apw@canonical.com>
+Date: Thu, 23 Mar 2017 07:45:44 +0000
+Subject: xfrm_user: validate XFRM_MSG_NEWAE incoming ESN size harder
+Patch-mainline: Not yet, embargoed
+References: CVE-2017-7184 bsc#1030573
+
+When validating the length of the incoming ESN attribute we are using
+the contents of the ESN attribute to calculate the minimum size of that
+attribute. We do this before confirming the attribute actually even
+has enough data to hold the structure containing the size. Ensure the
+attribute is at least the minimum size of an ESN without bitmap.
+
+Additionally Kees Cook has pointed out that xfrm_replay_state_esn_len()
+is subject to wrapping issues. To ensure we are correctly ensuring that
+the two ESN structures are the same size compare both the overall size
+as reported by xfrm_replay_state_esn_len() and the internal length are
+the same.
+
+CVE-2017-7184
+Signed-off-by: Andy Whitcroft <apw@canonical.com>
+Acked-by: Michal Kubecek <mkubecek@suse.cz>
+---
+ net/xfrm/xfrm_user.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
+index 0e1f833bc77d..7de612deb39b 100644
+--- a/net/xfrm/xfrm_user.c
++++ b/net/xfrm/xfrm_user.c
+@@ -409,10 +409,17 @@ static inline int xfrm_replay_verify_len(struct xfrm_replay_state_esn *replay_es
+ if (!replay_esn || !rp)
+ return 0;
+
++ if (nla_len(rp) < sizeof(*up))
++ return -EINVAL;
++
+ up = nla_data(rp);
+ ulen = xfrm_replay_state_esn_len(up);
+
+- if (nla_len(rp) < ulen || xfrm_replay_state_esn_len(replay_esn) != ulen)
++ /* Check the overall length and the internal bitmap length to avoid
++ * potential overflow. */
++ if (nla_len(rp) < ulen ||
++ xfrm_replay_state_esn_len(replay_esn) != ulen ||
++ replay_esn->bmp_len != up->bmp_len)
+ return -EINVAL;
+
+ if (up->replay_window > up->bmp_len * sizeof(__u32) * 8)
+--
+2.12.0
+
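Review bot: with `replay_esn->bmp_len != up->bmp_len` added, the middle clause `xfrm_replay_state_esn_len(replay_esn) != ulen` is implied by it (equal `bmp_len` gives equal `xfrm_replay_state_esn_len()` results, wrapped or not), so that clause is now defence in depth only; either drop it or reword the comment so it says the `bmp_len` comparison is what closes the wrap-around case, because as written the comment suggests both clauses are needed. The `nla_len(rp) < sizeof(*up)` guard is correctly placed before `up = nla_data(rp)` is dereferenced, which is the ordering the first patch was missing. Unlike the first patch, this one carries no Reviewed-by tags from the Canonical reviewers; if it went through the same review, add them.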
diff --git a/series.conf b/series.conf
index 317ec0840c..cd9393b72a 100644
--- a/series.conf
+++ b/series.conf
@@ -2901,6 +2901,8 @@
patches.fixes/l2tp-fix-racy-socket-lookup-in-l2tp_ip-and-l2tp_ip6-.patch
patches.fixes/l2tp-fix-lookup-for-sockets-not-bound-to-a-device-in.patch
patches.fixes/l2tp-fix-address-test-in-__l2tp_ip6_bind_lookup.patch
+ patches.fixes/xfrm_user-validate-XFRM_MSG_NEWAE-XFRMA_REPLAY_ESN_V.patch
+ patches.fixes/xfrm_user-validate-XFRM_MSG_NEWAE-incoming-ESN-size-.patch
patches.drivers/net-Generalise-wq_has_sleeper-helper.patch
patches.drivers/net-bonding-Enforce-active-backup-policy-for-IPoIB-b.patch
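Review bot: the two patches are listed in the right order, which matters because the second patch's `index 0e1f833bc77d..7de612deb39b` line shows it applies on top of the first patch's output (`index 805681a7d356..0e1f833bc77d`); keep them adjacent and in this order in any later rebase. Since the merge message records a conflict in series.conf, confirm that the resolution kept every entry from the SLE12-SP2 side of this block and only added the two xfrm lines.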