[linux] 13/18: sctp: validate chunk len before actually using it (CVE-2016-9555)

debian-kernel at lists.debian.org debian-kernel at lists.debian.org
Thu Dec 29 03:44:12 UTC 2016 

This is an automated email from the git hooks/post-receive script.

benh pushed a commit to branch jessie
in repository linux.

commit 461db92ed2f9d853dea300265654c054b0a890b7
Author: Ben Hutchings <ben at decadent.org.uk>
Date:   Wed Dec 28 23:32:51 2016 +0000

    sctp: validate chunk len before actually using it (CVE-2016-9555)
---
 debian/changelog                                   |  1 +
 ...lidate-chunk-len-before-actually-using-it.patch | 54 ++++++++++++++++++++++
 debian/patches/series                              |  1 +
 3 files changed, 56 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 6ff83a2..5c8fa34 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -503,6 +503,7 @@ linux (3.16.39-1) UNRELEASED; urgency=medium
   * mpi: Fix NULL ptr dereference in mpi_powm() [ver #3] (CVE-2016-8650)
   * packet: fix race condition in packet_set_ring (CVE-2016-8655)
   * [x86] Fix potential infoleak in older kernels (CVE-2016-9178)
+  * sctp: validate chunk len before actually using it (CVE-2016-9555)
 
   [ Julien Cristau ]
   * hwrng: Add chaoskey driver, backported from 4.8 (Closes: #839616)
diff --git a/debian/patches/bugfix/all/sctp-validate-chunk-len-before-actually-using-it.patch b/debian/patches/bugfix/all/sctp-validate-chunk-len-before-actually-using-it.patch
new file mode 100644
index 0000000..ccc8064
--- /dev/null
+++ b/debian/patches/bugfix/all/sctp-validate-chunk-len-before-actually-using-it.patch
@@ -0,0 +1,54 @@
+From: Marcelo Ricardo Leitner <marcelo.leitner at gmail.com>
+Date: Tue, 25 Oct 2016 14:27:39 -0200
+Subject: sctp: validate chunk len before actually using it
+Origin: https://git.kernel.org/linus/bf911e985d6bbaa328c20c3e05f4eb03de11fdd6
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2016-9555
+
+Andrey Konovalov reported that KASAN detected that SCTP was using a slab
+beyond the boundaries. It was caused because when handling out of the
+blue packets in function sctp_sf_ootb() it was checking the chunk len
+only after already processing the first chunk, validating only for the
+2nd and subsequent ones.
+
+The fix is to just move the check upwards so it's also validated for the
+1st chunk.
+
+Reported-by: Andrey Konovalov <andreyknvl at google.com>
+Tested-by: Andrey Konovalov <andreyknvl at google.com>
+Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner at gmail.com>
+Reviewed-by: Xin Long <lucien.xin at gmail.com>
+Acked-by: Neil Horman <nhorman at tuxdriver.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+[bwh: Backported to 3.16: moved code is slightly different]
+---
+ net/sctp/sm_statefuns.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/net/sctp/sm_statefuns.c
++++ b/net/sctp/sm_statefuns.c
+@@ -3426,6 +3426,12 @@ sctp_disposition_t sctp_sf_ootb(struct n
+ 			return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
+ 						  commands);
+ 
++		/* Report violation if chunk len overflows */
++		ch_end = ((__u8 *)ch) + WORD_ROUND(ntohs(ch->length));
++		if (ch_end > skb_tail_pointer(skb))
++			return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
++						  commands);
++
+ 		/* Now that we know we at least have a chunk header,
+ 		 * do things that are type appropriate.
+ 		 */
+@@ -3457,12 +3463,6 @@ sctp_disposition_t sctp_sf_ootb(struct n
+ 			}
+ 		}
+ 
+-		/* Report violation if chunk len overflows */
+-		ch_end = ((__u8 *)ch) + WORD_ROUND(ntohs(ch->length));
+-		if (ch_end > skb_tail_pointer(skb))
+-			return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
+-						  commands);
+-
+ 		ch = (sctp_chunkhdr_t *) ch_end;
+ 	} while (ch_end < skb_tail_pointer(skb));
+ 
diff --git a/debian/patches/series b/debian/patches/series
index d184f9d..a29954f 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -671,6 +671,7 @@ bugfix/all/tcp-take-care-of-truncations-done-by-sk_filter.patch
 bugfix/all/mpi-fix-null-ptr-dereference-in-mpi_powm-ver-3.patch
 bugfix/all/packet-fix-race-condition-in-packet_set_ring.patch
 bugfix/x86/fix-potential-infoleak-in-older-kernels.patch
+bugfix/all/sctp-validate-chunk-len-before-actually-using-it.patch
 
 # Fix ABI changes
 debian/of-fix-abi-changes.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git

More information about the Kernel-svn-changes mailing list