[linux] 13/18: sctp: validate chunk len before actually using it (CVE-2016-9555)
debian-kernel at lists.debian.org
debian-kernel at lists.debian.org
Thu Dec 29 03:44:12 UTC 2016
This is an automated email from the git hooks/post-receive script.
benh pushed a commit to branch jessie
in repository linux.
commit 461db92ed2f9d853dea300265654c054b0a890b7
Author: Ben Hutchings <ben at decadent.org.uk>
Date: Wed Dec 28 23:32:51 2016 +0000
sctp: validate chunk len before actually using it (CVE-2016-9555)
---
debian/changelog | 1 +
...lidate-chunk-len-before-actually-using-it.patch | 54 ++++++++++++++++++++++
debian/patches/series | 1 +
3 files changed, 56 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index 6ff83a2..5c8fa34 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -503,6 +503,7 @@ linux (3.16.39-1) UNRELEASED; urgency=medium
* mpi: Fix NULL ptr dereference in mpi_powm() [ver #3] (CVE-2016-8650)
* packet: fix race condition in packet_set_ring (CVE-2016-8655)
* [x86] Fix potential infoleak in older kernels (CVE-2016-9178)
+ * sctp: validate chunk len before actually using it (CVE-2016-9555)
[ Julien Cristau ]
* hwrng: Add chaoskey driver, backported from 4.8 (Closes: #839616)
diff --git a/debian/patches/bugfix/all/sctp-validate-chunk-len-before-actually-using-it.patch b/debian/patches/bugfix/all/sctp-validate-chunk-len-before-actually-using-it.patch
new file mode 100644
index 0000000..ccc8064
--- /dev/null
+++ b/debian/patches/bugfix/all/sctp-validate-chunk-len-before-actually-using-it.patch
@@ -0,0 +1,54 @@
+From: Marcelo Ricardo Leitner <marcelo.leitner at gmail.com>
+Date: Tue, 25 Oct 2016 14:27:39 -0200
+Subject: sctp: validate chunk len before actually using it
+Origin: https://git.kernel.org/linus/bf911e985d6bbaa328c20c3e05f4eb03de11fdd6
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2016-9555
+
+Andrey Konovalov reported that KASAN detected that SCTP was using a slab
+beyond the boundaries. It was caused because when handling out of the
+blue packets in function sctp_sf_ootb() it was checking the chunk len
+only after already processing the first chunk, validating only for the
+2nd and subsequent ones.
+
+The fix is to just move the check upwards so it's also validated for the
+1st chunk.
+
+Reported-by: Andrey Konovalov <andreyknvl at google.com>
+Tested-by: Andrey Konovalov <andreyknvl at google.com>
+Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner at gmail.com>
+Reviewed-by: Xin Long <lucien.xin at gmail.com>
+Acked-by: Neil Horman <nhorman at tuxdriver.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+[bwh: Backported to 3.16: moved code is slightly different]
+---
+ net/sctp/sm_statefuns.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/net/sctp/sm_statefuns.c
++++ b/net/sctp/sm_statefuns.c
+@@ -3426,6 +3426,12 @@ sctp_disposition_t sctp_sf_ootb(struct n
+ return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
+ commands);
+
++ /* Report violation if chunk len overflows */
++ ch_end = ((__u8 *)ch) + WORD_ROUND(ntohs(ch->length));
++ if (ch_end > skb_tail_pointer(skb))
++ return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
++ commands);
++
+ /* Now that we know we at least have a chunk header,
+ * do things that are type appropriate.
+ */
+@@ -3457,12 +3463,6 @@ sctp_disposition_t sctp_sf_ootb(struct n
+ }
+ }
+
+- /* Report violation if chunk len overflows */
+- ch_end = ((__u8 *)ch) + WORD_ROUND(ntohs(ch->length));
+- if (ch_end > skb_tail_pointer(skb))
+- return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
+- commands);
+-
+ ch = (sctp_chunkhdr_t *) ch_end;
+ } while (ch_end < skb_tail_pointer(skb));
+
diff --git a/debian/patches/series b/debian/patches/series
index d184f9d..a29954f 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -671,6 +671,7 @@ bugfix/all/tcp-take-care-of-truncations-done-by-sk_filter.patch
bugfix/all/mpi-fix-null-ptr-dereference-in-mpi_powm-ver-3.patch
bugfix/all/packet-fix-race-condition-in-packet_set_ring.patch
bugfix/x86/fix-potential-infoleak-in-older-kernels.patch
+bugfix/all/sctp-validate-chunk-len-before-actually-using-it.patch
# Fix ABI changes
debian/of-fix-abi-changes.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git
More information about the Kernel-svn-changes
mailing list