[linux] 07/18: netfilter: nfnetlink: correctly validate length of batch messages (CVE-2016-7917)

debian-kernel at lists.debian.org
Thu Dec 29 03:44:11 UTC 2016


This is an automated email from the git hooks/post-receive script.

benh pushed a commit to branch jessie
in repository linux.

commit c29ed4608d29af645b98d5e1ac5c1302d8a5c78f
Author: Ben Hutchings <ben at decadent.org.uk>
Date:   Wed Dec 28 23:09:23 2016 +0000

    netfilter: nfnetlink: correctly validate length of batch messages (CVE-2016-7917)
---
 debian/changelog                                   |  2 +
 ...fnetlink-correctly-validate-length-of-bat.patch | 71 ++++++++++++++++++++++
 debian/patches/series                              |  1 +
 3 files changed, 74 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index a4f3252..890e1a3 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -494,6 +494,8 @@ linux (3.16.39-1) UNRELEASED; urgency=medium
   * tty: Prevent ldisc drivers from re-using stale tty fields (CVE-2015-8964)
   * usb: gadget: f_fs: Fix use-after-free (CVE-2016-7912)
   * HID: core: prevent out-of-bound readings (CVE-2016-7915)
+  * netfilter: nfnetlink: correctly validate length of batch messages
+    (CVE-2016-7917)
 
   [ Julien Cristau ]
   * hwrng: Add chaoskey driver, backported from 4.8 (Closes: #839616)
diff --git a/debian/patches/bugfix/all/netfilter-nfnetlink-correctly-validate-length-of-bat.patch b/debian/patches/bugfix/all/netfilter-nfnetlink-correctly-validate-length-of-bat.patch
new file mode 100644
index 0000000..a71eb10
--- /dev/null
+++ b/debian/patches/bugfix/all/netfilter-nfnetlink-correctly-validate-length-of-bat.patch
@@ -0,0 +1,71 @@
+From: Phil Turnbull <phil.turnbull at oracle.com>
+Date: Tue, 2 Feb 2016 13:36:45 -0500
+Subject: netfilter: nfnetlink: correctly validate length of batch messages
+Origin: https://git.kernel.org/linus/c58d6c93680f28ac58984af61d0a7ebf4319c241
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2016-7917
+
+If nlh->nlmsg_len is zero then an infinite loop is triggered because
+'skb_pull(skb, msglen);' pulls zero bytes.
+
+The calculation in nlmsg_len() underflows if 'nlh->nlmsg_len <
+NLMSG_HDRLEN' which bypasses the length validation and will later
+trigger an out-of-bound read.
+
+If the length validation does fail then the malformed batch message is
+copied back to userspace. However, we cannot do this because the
+nlh->nlmsg_len can be invalid. This leads to an out-of-bounds read in
+netlink_ack:
+
+    [   41.455421] ==================================================================
+    [   41.456431] BUG: KASAN: slab-out-of-bounds in memcpy+0x1d/0x40 at addr ffff880119e79340
+    [   41.456431] Read of size 4294967280 by task a.out/987
+    [   41.456431] =============================================================================
+    [   41.456431] BUG kmalloc-512 (Not tainted): kasan: bad access detected
+    [   41.456431] -----------------------------------------------------------------------------
+    ...
+    [   41.456431] Bytes b4 ffff880119e79310: 00 00 00 00 d5 03 00 00 b0 fb fe ff 00 00 00 00  ................
+    [   41.456431] Object ffff880119e79320: 20 00 00 00 10 00 05 00 00 00 00 00 00 00 00 00   ...............
+    [   41.456431] Object ffff880119e79330: 14 00 0a 00 01 03 fc 40 45 56 11 22 33 10 00 05  ....... at EV."3...
+    [   41.456431] Object ffff880119e79340: f0 ff ff ff 88 99 aa bb 00 14 00 0a 00 06 fe fb  ................
+                                            ^^ start of batch nlmsg with
+                                               nlmsg_len=4294967280
+    ...
+    [   41.456431] Memory state around the buggy address:
+    [   41.456431]  ffff880119e79400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+    [   41.456431]  ffff880119e79480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+    [   41.456431] >ffff880119e79500: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc
+    [   41.456431]                                ^
+    [   41.456431]  ffff880119e79580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+    [   41.456431]  ffff880119e79600: fc fc fc fc fc fc fc fc fc fc fb fb fb fb fb fb
+    [   41.456431] ==================================================================
+
+Fix this with better validation of nlh->nlmsg_len and by setting
+NFNL_BATCH_FAILURE if any batch message fails length validation.
+
+CAP_NET_ADMIN is required to trigger the bugs.
+
+Fixes: 9ea2aa8b7dba ("netfilter: nfnetlink: validate nfnetlink header from batch")
+Signed-off-by: Phil Turnbull <phil.turnbull at oracle.com>
+Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
+[bwh: Backported to 3.16:
+ - We don't have an error list so don't call nfnl_err_reset()
+ - Set 'success' variable instead of 'status']
+---
+--- a/net/netfilter/nfnetlink.c
++++ b/net/netfilter/nfnetlink.c
+@@ -273,10 +273,11 @@ replay:
+ 		nlh = nlmsg_hdr(skb);
+ 		err = 0;
+ 
+-		if (nlmsg_len(nlh) < sizeof(struct nfgenmsg) ||
+-		    skb->len < nlh->nlmsg_len) {
+-			err = -EINVAL;
+-			goto ack;
++		if (nlh->nlmsg_len < NLMSG_HDRLEN ||
++		    skb->len < nlh->nlmsg_len ||
++		    nlmsg_len(nlh) < sizeof(struct nfgenmsg)) {
++			success = false;
++			goto done;
+ 		}
+ 
+ 		/* Only requests are handled by the kernel */
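Review bot: The order of the three conditions in the new `if` in the nfnetlink.c hunk is load-bearing and deserves a one-line comment in the patch, because a later reorder would silently reopen the bug. `nlh->nlmsg_len < NLMSG_HDRLEN` has to be tested before `nlmsg_len(nlh) < sizeof(struct nfgenmsg)`, since `nlmsg_len()` subtracts NLMSG_HDRLEN and underflows for a shorter header (the bypass the description calls out, and the `nlmsg_len=4294967280` case in the KASAN trace); that same first check also rejects `nlmsg_len == 0`, which is what breaks the infinite loop from `skb_pull(skb, msglen)` pulling zero bytes. `skb->len < nlh->nlmsg_len` must then hold before anything trusts the header length for the out-of-bounds read. The switch from `goto ack` to `success = false; goto done;` is what stops the malformed header from being copied back to userspace through netlink_ack, so please confirm that the `done:` path in 3.16 maps `!success` to NFNL_BATCH_FAILURE and aborts the batch, as the description states; the backport note says this tree has no error list and sets `success` rather than `status`, and that difference from the upstream commit is not visible in the hunk itself.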
diff --git a/debian/patches/series b/debian/patches/series
index e34cbbe..a76b74a 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -662,6 +662,7 @@ bugfix/all/perf-fix-race-in-swevent-hash.patch
 bugfix/all/tty-prevent-ldisc-drivers-from-re-using-stale-tty-fi.patch
 bugfix/all/usb-gadget-f_fs-fix-use-after-free.patch
 bugfix/all/hid-core-prevent-out-of-bound-readings.patch
+bugfix/all/netfilter-nfnetlink-correctly-validate-length-of-bat.patch
 
 # Fix ABI changes
 debian/of-fix-abi-changes.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git