[linux] 09/10: sctp: validate chunk len before actually using it (CVE-2016-9555)

debian-kernel at lists.debian.org debian-kernel at lists.debian.org
Wed Dec 28 20:44:03 UTC 2016 

This is an automated email from the git hooks/post-receive script.

benh pushed a commit to branch wheezy-security
in repository linux.

commit 29cdcf0817fc75275a4e3e55783531bb05963d15
Author: Ben Hutchings <ben at decadent.org.uk>
Date:   Wed Dec 28 17:52:20 2016 +0000

    sctp: validate chunk len before actually using it (CVE-2016-9555)
---
 debian/changelog                                   |  1 +
 ...lidate-chunk-len-before-actually-using-it.patch | 54 ++++++++++++++++++++++
 debian/patches/series                              |  1 +
 3 files changed, 56 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 6e5b5e7..e4f156c 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -110,6 +110,7 @@ linux (3.2.84-1) UNRELEASED; urgency=medium
   * HID: core: prevent out-of-bound readings (CVE-2016-7915)
   * net: ping: check minimum size on ICMP header length (CVE-2016-8399)
   * packet: fix race condition in packet_set_ring (CVE-2016-8655)
+  * sctp: validate chunk len before actually using it (CVE-2016-9555)
 
  -- Ben Hutchings <ben at decadent.org.uk>  Mon, 28 Nov 2016 18:43:52 +0000
 
diff --git a/debian/patches/bugfix/all/sctp-validate-chunk-len-before-actually-using-it.patch b/debian/patches/bugfix/all/sctp-validate-chunk-len-before-actually-using-it.patch
new file mode 100644
index 0000000..f6aae13
--- /dev/null
+++ b/debian/patches/bugfix/all/sctp-validate-chunk-len-before-actually-using-it.patch
@@ -0,0 +1,54 @@
+From: Marcelo Ricardo Leitner <marcelo.leitner at gmail.com>
+Date: Tue, 25 Oct 2016 14:27:39 -0200
+Subject: sctp: validate chunk len before actually using it
+Origin: https://git.kernel.org/linus/bf911e985d6bbaa328c20c3e05f4eb03de11fdd6
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2016-9555
+
+Andrey Konovalov reported that KASAN detected that SCTP was using a slab
+beyond the boundaries. It was caused because when handling out of the
+blue packets in function sctp_sf_ootb() it was checking the chunk len
+only after already processing the first chunk, validating only for the
+2nd and subsequent ones.
+
+The fix is to just move the check upwards so it's also validated for the
+1st chunk.
+
+Reported-by: Andrey Konovalov <andreyknvl at google.com>
+Tested-by: Andrey Konovalov <andreyknvl at google.com>
+Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner at gmail.com>
+Reviewed-by: Xin Long <lucien.xin at gmail.com>
+Acked-by: Neil Horman <nhorman at tuxdriver.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+[bwh: Backported to 3.2: moved code is slightly different]
+---
+ net/sctp/sm_statefuns.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/net/sctp/sm_statefuns.c
++++ b/net/sctp/sm_statefuns.c
+@@ -3354,6 +3354,12 @@ sctp_disposition_t sctp_sf_ootb(const st
+ 			return sctp_sf_violation_chunklen(ep, asoc, type, arg,
+ 						  commands);
+ 
++		/* Report violation if chunk len overflows */
++		ch_end = ((__u8 *)ch) + WORD_ROUND(ntohs(ch->length));
++		if (ch_end > skb_tail_pointer(skb))
++			return sctp_sf_violation_chunklen(ep, asoc, type, arg,
++						  commands);
++
+ 		/* Now that we know we at least have a chunk header,
+ 		 * do things that are type appropriate.
+ 		 */
+@@ -3385,12 +3391,6 @@ sctp_disposition_t sctp_sf_ootb(const st
+ 			}
+ 		}
+ 
+-		/* Report violation if chunk len overflows */
+-		ch_end = ((__u8 *)ch) + WORD_ROUND(ntohs(ch->length));
+-		if (ch_end > skb_tail_pointer(skb))
+-			return sctp_sf_violation_chunklen(ep, asoc, type, arg,
+-						  commands);
+-
+ 		ch = (sctp_chunkhdr_t *) ch_end;
+ 	} while (ch_end < skb_tail_pointer(skb));
+ 
diff --git a/debian/patches/series b/debian/patches/series
index 9e117a8..933dce4 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1115,6 +1115,7 @@ bugfix/all/block-fix-use-after-free-in-sys_ioprio_get.patch
 bugfix/all/hid-core-prevent-out-of-bound-readings.patch
 bugfix/all/net-ping-check-minimum-size-on-icmp-header-length.patch
 bugfix/all/packet-fix-race-condition-in-packet_set_ring.patch
+bugfix/all/sctp-validate-chunk-len-before-actually-using-it.patch
 
 # ABI maintenance
 debian/perf-hide-abi-change-in-3.2.30.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git

More information about the Kernel-svn-changes mailing list