[linux] 09/10: sctp: validate chunk len before actually using it (CVE-2016-9555)
debian-kernel at lists.debian.org
debian-kernel at lists.debian.org
Wed Dec 28 20:44:03 UTC 2016
This is an automated email from the git hooks/post-receive script.
benh pushed a commit to branch wheezy-security
in repository linux.
commit 29cdcf0817fc75275a4e3e55783531bb05963d15
Author: Ben Hutchings <ben at decadent.org.uk>
Date: Wed Dec 28 17:52:20 2016 +0000
sctp: validate chunk len before actually using it (CVE-2016-9555)
---
debian/changelog | 1 +
...lidate-chunk-len-before-actually-using-it.patch | 54 ++++++++++++++++++++++
debian/patches/series | 1 +
3 files changed, 56 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index 6e5b5e7..e4f156c 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -110,6 +110,7 @@ linux (3.2.84-1) UNRELEASED; urgency=medium
* HID: core: prevent out-of-bound readings (CVE-2016-7915)
* net: ping: check minimum size on ICMP header length (CVE-2016-8399)
* packet: fix race condition in packet_set_ring (CVE-2016-8655)
+ * sctp: validate chunk len before actually using it (CVE-2016-9555)
-- Ben Hutchings <ben at decadent.org.uk> Mon, 28 Nov 2016 18:43:52 +0000
diff --git a/debian/patches/bugfix/all/sctp-validate-chunk-len-before-actually-using-it.patch b/debian/patches/bugfix/all/sctp-validate-chunk-len-before-actually-using-it.patch
new file mode 100644
index 0000000..f6aae13
--- /dev/null
+++ b/debian/patches/bugfix/all/sctp-validate-chunk-len-before-actually-using-it.patch
@@ -0,0 +1,54 @@
+From: Marcelo Ricardo Leitner <marcelo.leitner at gmail.com>
+Date: Tue, 25 Oct 2016 14:27:39 -0200
+Subject: sctp: validate chunk len before actually using it
+Origin: https://git.kernel.org/linus/bf911e985d6bbaa328c20c3e05f4eb03de11fdd6
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2016-9555
+
+Andrey Konovalov reported that KASAN detected that SCTP was using a slab
+beyond the boundaries. It was caused because when handling out of the
+blue packets in function sctp_sf_ootb() it was checking the chunk len
+only after already processing the first chunk, validating only for the
+2nd and subsequent ones.
+
+The fix is to just move the check upwards so it's also validated for the
+1st chunk.
+
+Reported-by: Andrey Konovalov <andreyknvl at google.com>
+Tested-by: Andrey Konovalov <andreyknvl at google.com>
+Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner at gmail.com>
+Reviewed-by: Xin Long <lucien.xin at gmail.com>
+Acked-by: Neil Horman <nhorman at tuxdriver.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+[bwh: Backported to 3.2: moved code is slightly different]
+---
+ net/sctp/sm_statefuns.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/net/sctp/sm_statefuns.c
++++ b/net/sctp/sm_statefuns.c
+@@ -3354,6 +3354,12 @@ sctp_disposition_t sctp_sf_ootb(const st
+ return sctp_sf_violation_chunklen(ep, asoc, type, arg,
+ commands);
+
++ /* Report violation if chunk len overflows */
++ ch_end = ((__u8 *)ch) + WORD_ROUND(ntohs(ch->length));
++ if (ch_end > skb_tail_pointer(skb))
++ return sctp_sf_violation_chunklen(ep, asoc, type, arg,
++ commands);
++
+ /* Now that we know we at least have a chunk header,
+ * do things that are type appropriate.
+ */
+@@ -3385,12 +3391,6 @@ sctp_disposition_t sctp_sf_ootb(const st
+ }
+ }
+
+- /* Report violation if chunk len overflows */
+- ch_end = ((__u8 *)ch) + WORD_ROUND(ntohs(ch->length));
+- if (ch_end > skb_tail_pointer(skb))
+- return sctp_sf_violation_chunklen(ep, asoc, type, arg,
+- commands);
+-
+ ch = (sctp_chunkhdr_t *) ch_end;
+ } while (ch_end < skb_tail_pointer(skb));
+
diff --git a/debian/patches/series b/debian/patches/series
index 9e117a8..933dce4 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1115,6 +1115,7 @@ bugfix/all/block-fix-use-after-free-in-sys_ioprio_get.patch
bugfix/all/hid-core-prevent-out-of-bound-readings.patch
bugfix/all/net-ping-check-minimum-size-on-icmp-header-length.patch
bugfix/all/packet-fix-race-condition-in-packet_set_ring.patch
+bugfix/all/sctp-validate-chunk-len-before-actually-using-it.patch
# ABI maintenance
debian/perf-hide-abi-change-in-3.2.30.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git
More information about the Kernel-svn-changes
mailing list