[linux] 01/02: tipc: check minimum bearer MTU (CVE-2016-8632)
debian-kernel at lists.debian.org
Wed Dec 7 11:36:44 UTC 2016
This is an automated email from the git hooks/post-receive script.
carnil pushed a commit to branch sid
in repository linux.
commit 27fc4207c6318c9f4666a00a8f858170df9ac28f
Author: Salvatore Bonaccorso <carnil at debian.org>
Date: Wed Dec 7 10:30:04 2016 +0100
tipc: check minimum bearer MTU (CVE-2016-8632)
---
debian/changelog | 3 +
.../bugfix/all/tipc-check-minimum-bearer-MTU.patch | 122 +++++++++++++++++++++
debian/patches/series | 1 +
3 files changed, 126 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index cfd0714..9452a9a 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -43,6 +43,9 @@ linux (4.8.12-1) UNRELEASED; urgency=medium
* [armel] dts: marvell: fix number of sata port for linkstation ls-gl
(Closes: #845611)
+ [ Salvatore Bonaccorso ]
+ * tipc: check minimum bearer MTU (CVE-2016-8632)
+
-- Uwe Kleine-König <ukleinek at debian.org> Sun, 04 Dec 2016 21:16:06 +0100
linux (4.8.11-1) unstable; urgency=medium
diff --git a/debian/patches/bugfix/all/tipc-check-minimum-bearer-MTU.patch b/debian/patches/bugfix/all/tipc-check-minimum-bearer-MTU.patch
new file mode 100644
index 0000000..f946eae
--- /dev/null
+++ b/debian/patches/bugfix/all/tipc-check-minimum-bearer-MTU.patch
@@ -0,0 +1,122 @@
+From: =?UTF-8?q?Michal=20Kube=C4=8Dek?= <mkubecek at suse.cz>
+Date: Fri, 2 Dec 2016 09:33:41 +0100
+Subject: tipc: check minimum bearer MTU
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Origin: https://git.kernel.org/linus/3de81b758853f0b29c61e246679d20b513c4cfec
+
+Qian Zhang (张谦) reported a potential socket buffer overflow in
+tipc_msg_build() which is also known as CVE-2016-8632: due to
+insufficient checks, a buffer overflow can occur if MTU is too short for
+even tipc headers. As anyone can set device MTU in a user/net namespace,
+this issue can be abused by a regular user.
+
+As agreed in the discussion on Ben Hutchings' original patch, we should
+check the MTU at the moment a bearer is attached rather than for each
+processed packet. We also need to repeat the check when bearer MTU is
+adjusted to new device MTU. UDP case also needs a check to avoid
+overflow when calculating bearer MTU.
+
+Fixes: b97bf3fd8f6a ("[TIPC] Initial merge")
+Signed-off-by: Michal Kubecek <mkubecek at suse.cz>
+Reported-by: Qian Zhang (张谦) <zhangqian-c at 360.cn>
+Acked-by: Ying Xue <ying.xue at windriver.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+ net/tipc/bearer.c | 11 +++++++++--
+ net/tipc/bearer.h | 13 +++++++++++++
+ net/tipc/udp_media.c | 5 +++++
+ 3 files changed, 27 insertions(+), 2 deletions(-)
+
+diff --git a/net/tipc/bearer.c b/net/tipc/bearer.c
+index 975dbeb..52d7476 100644
+--- a/net/tipc/bearer.c
++++ b/net/tipc/bearer.c
+@@ -421,6 +421,10 @@ int tipc_enable_l2_media(struct net *net, struct tipc_bearer *b,
+ dev = dev_get_by_name(net, driver_name);
+ if (!dev)
+ return -ENODEV;
++ if (tipc_mtu_bad(dev, 0)) {
++ dev_put(dev);
++ return -EINVAL;
++ }
+
+ /* Associate TIPC bearer with L2 bearer */
+ rcu_assign_pointer(b->media_ptr, dev);
+@@ -610,8 +614,6 @@ static int tipc_l2_device_event(struct notifier_block *nb, unsigned long evt,
+ if (!b)
+ return NOTIFY_DONE;
+
+- b->mtu = dev->mtu;
+-
+ switch (evt) {
+ case NETDEV_CHANGE:
+ if (netif_carrier_ok(dev))
+@@ -624,6 +626,11 @@ static int tipc_l2_device_event(struct notifier_block *nb, unsigned long evt,
+ tipc_reset_bearer(net, b);
+ break;
+ case NETDEV_CHANGEMTU:
++ if (tipc_mtu_bad(dev, 0)) {
++ bearer_disable(net, b);
++ break;
++ }
++ b->mtu = dev->mtu;
+ tipc_reset_bearer(net, b);
+ break;
+ case NETDEV_CHANGEADDR:
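Review bot: in the NETDEV_CHANGEMTU case, a too-small MTU calls bearer_disable(net, b) and breaks, but nothing visible in this handler brings the bearer back when a later NETDEV_CHANGEMTU raises the MTU above the minimum again, so a transient MTU change leaves the bearer down until it is enabled again by hand. If that is the intended behaviour, state it in a comment at the case label or in the commit message. With "b->mtu = dev->mtu;" removed from the top of the handler in the previous hunk, b->mtu is now refreshed only in this case, so it is also worth confirming that every place that sets b->mtu at enable time runs tipc_mtu_bad() first.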
+diff --git a/net/tipc/bearer.h b/net/tipc/bearer.h
+index 78892e2f..278ff7f 100644
+--- a/net/tipc/bearer.h
++++ b/net/tipc/bearer.h
+@@ -39,6 +39,7 @@
+
+ #include "netlink.h"
+ #include "core.h"
++#include "msg.h"
+ #include <net/genetlink.h>
+
+ #define MAX_MEDIA 3
+@@ -59,6 +60,9 @@
+ #define TIPC_MEDIA_TYPE_IB 2
+ #define TIPC_MEDIA_TYPE_UDP 3
+
++/* minimum bearer MTU */
++#define TIPC_MIN_BEARER_MTU (MAX_H_SIZE + INT_H_SIZE)
++
+ /**
+ * struct tipc_media_addr - destination address used by TIPC bearers
+ * @value: address info (format defined by media)
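Review bot: the comment on TIPC_MIN_BEARER_MTU only restates the macro name. Since this constant is the bound the whole fix rests on, the comment should say why the minimum is MAX_H_SIZE + INT_H_SIZE, that is, which headers the two terms account for, so a later change to either header size is checked against this limit.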
+@@ -215,4 +219,13 @@ void tipc_bearer_xmit(struct net *net, u32 bearer_id,
+ void tipc_bearer_bc_xmit(struct net *net, u32 bearer_id,
+ struct sk_buff_head *xmitq);
+
++/* check if device MTU is too low for tipc headers */
++static inline bool tipc_mtu_bad(struct net_device *dev, unsigned int reserve)
++{
++ if (dev->mtu >= TIPC_MIN_BEARER_MTU + reserve)
++ return false;
++ netdev_warn(dev, "MTU too low for tipc bearer\n");
++ return true;
++}
++
+ #endif /* _TIPC_BEARER_H */
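Review bot: tipc_mtu_bad() calls netdev_warn() unconditionally on every failed check, and the commit message notes that any regular user can set a device MTU inside a user/net namespace, so the same user can trigger this message repeatedly through the NETDEV_CHANGEMTU and enable paths. Consider rate-limiting the warning (for example guarding it with net_ratelimit()) so the check cannot be used to flood the kernel log.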
+diff --git a/net/tipc/udp_media.c b/net/tipc/udp_media.c
+index 78cab9c..b58dc95 100644
+--- a/net/tipc/udp_media.c
++++ b/net/tipc/udp_media.c
+@@ -697,6 +697,11 @@ static int tipc_udp_enable(struct net *net, struct tipc_bearer *b,
+ udp_conf.local_ip.s_addr = htonl(INADDR_ANY);
+ udp_conf.use_udp_checksums = false;
+ ub->ifindex = dev->ifindex;
++ if (tipc_mtu_bad(dev, sizeof(struct iphdr) +
++ sizeof(struct udphdr))) {
++ err = -EINVAL;
++ goto err;
++ }
+ b->mtu = dev->mtu - sizeof(struct iphdr)
+ - sizeof(struct udphdr);
+ #if IS_ENABLED(CONFIG_IPV6)
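Review bot: the reserve passed to tipc_mtu_bad() and the subtraction that follows both spell out "sizeof(struct iphdr) + sizeof(struct udphdr)" separately, so the check and the b->mtu calculation can drift apart if one is edited without the other. Compute the overhead once in a local variable or macro and use it in both places. The reserve also covers only the IPv4 header, while the context right below is guarded by IS_ENABLED(CONFIG_IPV6); please confirm whether the IPv6 bearer path needs the same check with its own header size.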
+--
+2.1.4
+
diff --git a/debian/patches/series b/debian/patches/series
index 021bb64..a27b8e6 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -102,6 +102,7 @@ bugfix/all/fs-Give-dentry-to-inode_change_ok-instead-of-inode.patch
bugfix/all/fs-Avoid-premature-clearing-of-capabilities.patch
bugfix/all/vfio-pci-Fix-integer-overflows-bitmask-check.patch
bugfix/all/mnt-Add-a-per-mount-namespace-limit-on-the-number-of.patch
+bugfix/all/tipc-check-minimum-bearer-MTU.patch
# ABI maintenance
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git