[linux] 01/05: net: add validation for the socket syscall protocol argument (CVE-2015-8543)

Sun Dec 27 22:46:32 UTC 2015

This is an automated email from the git hooks/post-receive script.

benh pushed a commit to branch wheezy-security
in repository linux.

commit b5f09e7f5cf05713e301d1c71cc89225c533ad31
Author: Ben Hutchings <ben at decadent.org.uk>
Date:   Sun Dec 27 19:23:52 2015 +0000

    net: add validation for the socket syscall protocol argument (CVE-2015-8543)
---
 debian/changelog                                   |   6 +
 ...idation-for-the-socket-syscall-protocol-a.patch | 126 +++++++++++++++++++++
 debian/patches/series                              |   1 +
 3 files changed, 133 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index dd393c2..c6aceb1 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+linux (3.2.73-2+deb7u2) UNRELEASED; urgency=medium
+
+  * net: add validation for the socket syscall protocol argument (CVE-2015-8543)
+
+ -- Ben Hutchings <ben at decadent.org.uk>  Sun, 27 Dec 2015 19:23:43 +0000
+
 linux (3.2.73-2+deb7u1) wheezy-security; urgency=medium
 
   * media: usbvision-video: fix memory leak of alt_max_pkt_size
diff --git a/debian/patches/bugfix/all/net-add-validation-for-the-socket-syscall-protocol-a.patch b/debian/patches/bugfix/all/net-add-validation-for-the-socket-syscall-protocol-a.patch
new file mode 100644
index 0000000..4431f69
--- /dev/null
+++ b/debian/patches/bugfix/all/net-add-validation-for-the-socket-syscall-protocol-a.patch
@@ -0,0 +1,126 @@
+From: Hannes Frederic Sowa <hannes at stressinduktion.org>
+Date: Mon, 14 Dec 2015 22:03:39 +0100
+Subject: net: add validation for the socket syscall protocol argument
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Origin: https://git.kernel.org/linus/79462ad02e861803b3840cc782248c7359451cd9
+
+郭永刚 reported that one could simply crash the kernel as root by
+using a simple program:
+
+	int socket_fd;
+	struct sockaddr_in addr;
+	addr.sin_port = 0;
+	addr.sin_addr.s_addr = INADDR_ANY;
+	addr.sin_family = 10;
+
+	socket_fd = socket(10,3,0x40000000);
+	connect(socket_fd , &addr,16);
+
+AF_INET, AF_INET6 sockets actually only support 8-bit protocol
+identifiers. inet_sock's skc_protocol field thus is sized accordingly,
+thus larger protocol identifiers simply cut off the higher bits and
+store a zero in the protocol fields.
+
+This could lead to e.g. NULL function pointer because as a result of
+the cut off inet_num is zero and we call down to inet_autobind, which
+is NULL for raw sockets.
+
+kernel: Call Trace:
+kernel:  [<ffffffff816db90e>] ? inet_autobind+0x2e/0x70
+kernel:  [<ffffffff816db9a4>] inet_dgram_connect+0x54/0x80
+kernel:  [<ffffffff81645069>] SYSC_connect+0xd9/0x110
+kernel:  [<ffffffff810ac51b>] ? ptrace_notify+0x5b/0x80
+kernel:  [<ffffffff810236d8>] ? syscall_trace_enter_phase2+0x108/0x200
+kernel:  [<ffffffff81645e0e>] SyS_connect+0xe/0x10
+kernel:  [<ffffffff81779515>] tracesys_phase2+0x84/0x89
+
+I found no particular commit which introduced this problem.
+
+CVE: CVE-2015-8543
+Cc: Cong Wang <cwang at twopensource.com>
+Reported-by: 郭永刚 <guoyonggang at 360.cn>
+Signed-off-by: Hannes Frederic Sowa <hannes at stressinduktion.org>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+[bwh: Backported to 3.2: open-code U8_MAX]
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ include/net/sock.h     | 1 +
+ net/ax25/af_ax25.c     | 3 +++
+ net/decnet/af_decnet.c | 3 +++
+ net/ipv4/af_inet.c     | 3 +++
+ net/ipv6/af_inet6.c    | 3 +++
+ net/irda/af_irda.c     | 3 +++
+ 6 files changed, 16 insertions(+)
+
+--- a/include/net/sock.h
++++ b/include/net/sock.h
+@@ -302,6 +302,7 @@ struct sock {
+ 				sk_no_check  : 2,
+ 				sk_userlocks : 4,
+ 				sk_protocol  : 8,
++#define SK_PROTOCOL_MAX ((u8)~0U)
+ 				sk_type      : 16;
+ 	kmemcheck_bitfield_end(flags);
+ 	int			sk_wmem_queued;
+--- a/net/ax25/af_ax25.c
++++ b/net/ax25/af_ax25.c
+@@ -806,6 +806,9 @@ static int ax25_create(struct net *net,
+ 	struct sock *sk;
+ 	ax25_cb *ax25;
+ 
++	if (protocol < 0 || protocol > SK_PROTOCOL_MAX)
++		return -EINVAL;
++
+ 	if (!net_eq(net, &init_net))
+ 		return -EAFNOSUPPORT;
+ 
+--- a/net/decnet/af_decnet.c
++++ b/net/decnet/af_decnet.c
+@@ -681,6 +681,9 @@ static int dn_create(struct net *net, st
+ {
+ 	struct sock *sk;
+ 
++	if (protocol < 0 || protocol > SK_PROTOCOL_MAX)
++		return -EINVAL;
++
+ 	if (!net_eq(net, &init_net))
+ 		return -EAFNOSUPPORT;
+ 
+--- a/net/ipv4/af_inet.c
++++ b/net/ipv4/af_inet.c
+@@ -279,6 +279,9 @@ static int inet_create(struct net *net,
+ 	int try_loading_module = 0;
+ 	int err;
+ 
++	if (protocol < 0 || protocol >= IPPROTO_MAX)
++		return -EINVAL;
++
+ 	if (unlikely(!inet_ehash_secret))
+ 		if (sock->type != SOCK_RAW && sock->type != SOCK_DGRAM)
+ 			build_ehash_secret();
+--- a/net/ipv6/af_inet6.c
++++ b/net/ipv6/af_inet6.c
+@@ -109,6 +109,9 @@ static int inet6_create(struct net *net,
+ 	int try_loading_module = 0;
+ 	int err;
+ 
++	if (protocol < 0 || protocol >= IPPROTO_MAX)
++		return -EINVAL;
++
+ 	if (sock->type != SOCK_RAW &&
+ 	    sock->type != SOCK_DGRAM &&
+ 	    !inet_ehash_secret)
+--- a/net/irda/af_irda.c
++++ b/net/irda/af_irda.c
+@@ -1106,6 +1106,9 @@ static int irda_create(struct net *net,
+ 
+ 	IRDA_DEBUG(2, "%s()\n", __func__);
+ 
++	if (protocol < 0 || protocol > SK_PROTOCOL_MAX)
++		return -EINVAL;
++
+ 	if (net != &init_net)
+ 		return -EAFNOSUPPORT;
+ 
diff --git a/debian/patches/series b/debian/patches/series
index e71b3b1..1af65a2 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1171,3 +1171,4 @@ bugfix/x86/kvm-svm-unconditionally-intercept-db.patch
 bugfix/all/splice-sendfile-at-once-fails-for-big-files.patch
 bugfix/all/unix-avoid-use-after-free-in-ep_remove_wait_queue.patch
 debian/af_unix-avoid-abi-changes.patch
+bugfix/all/net-add-validation-for-the-socket-syscall-protocol-a.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git

