[linux] 08/11: Add packet fixes for CVE-2017-7308 and a similar older issue

debian-kernel at lists.debian.org debian-kernel at lists.debian.org
Wed Apr 26 23:25:02 UTC 2017 

This is an automated email from the git hooks/post-receive script.

benh pushed a commit to branch wheezy-security
in repository linux.

commit 46d9a94d0b86b4e4542af16eea903717f582eecf
Author: Ben Hutchings <ben at decadent.org.uk>
Date:   Wed Apr 26 23:29:09 2017 +0100

    Add packet fixes for CVE-2017-7308 and a similar older issue
---
 debian/changelog                                   |  2 +
 ...-fix-overflow-in-check-for-priv-area-size.patch | 35 +++++++++++
 ...ket-fix-overflow-in-check-for-tp_frame_nr.patch | 32 ++++++++++
 ...cket-fix-overflow-in-check-for-tp_reserve.patch | 28 +++++++++
 ...cket-handle-too-big-packets-for-packet_v3.patch | 73 ++++++++++++++++++++++
 debian/patches/series                              |  4 ++
 6 files changed, 174 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 9f40281..ca80430 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -185,6 +185,8 @@ linux (3.2.88-1) UNRELEASED; urgency=medium
     (CVE-2017-7261)
   * [x86] drm/vmwgfx: fix integer overflow in vmw_surface_define_ioctl()
     (CVE-2017-7294)
+  * packet: handle too big packets for PACKET_V3
+  * net/packet: Fix integer overflow in various range checks (CVE-2017-7308)
 
  -- Ben Hutchings <ben at decadent.org.uk>  Mon, 13 Mar 2017 23:12:35 +0000
 
diff --git a/debian/patches/bugfix/all/net-packet-fix-overflow-in-check-for-priv-area-size.patch b/debian/patches/bugfix/all/net-packet-fix-overflow-in-check-for-priv-area-size.patch
new file mode 100644
index 0000000..c17248b
--- /dev/null
+++ b/debian/patches/bugfix/all/net-packet-fix-overflow-in-check-for-priv-area-size.patch
@@ -0,0 +1,35 @@
+From: Andrey Konovalov <andreyknvl at google.com>
+Date: Wed, 29 Mar 2017 16:11:20 +0200
+Subject: [1/3] net/packet: fix overflow in check for priv area size
+Origin: https://git.kernel.org/linus/2b6867c2ce76c596676bec7d2d525af525fdc6e2
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7308
+
+Subtracting tp_sizeof_priv from tp_block_size and casting to int
+to check whether one is less then the other doesn't always work
+(both of them are unsigned ints).
+
+Compare them as is instead.
+
+Also cast tp_sizeof_priv to u64 before using BLK_PLUS_PRIV, as
+it can overflow inside BLK_PLUS_PRIV otherwise.
+
+Signed-off-by: Andrey Konovalov <andreyknvl at google.com>
+Acked-by: Eric Dumazet <edumazet at google.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+ net/packet/af_packet.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -3637,8 +3637,8 @@ static int packet_set_ring(struct sock *
+ 		if (unlikely(req->tp_block_size & (PAGE_SIZE - 1)))
+ 			goto out;
+ 		if (po->tp_version >= TPACKET_V3 &&
+-		    (int)(req->tp_block_size -
+-			  BLK_PLUS_PRIV(req_u->req3.tp_sizeof_priv)) <= 0)
++		    req->tp_block_size <=
++			  BLK_PLUS_PRIV((u64)req_u->req3.tp_sizeof_priv))
+ 			goto out;
+ 		if (unlikely(req->tp_frame_size < po->tp_hdrlen +
+ 					po->tp_reserve))
diff --git a/debian/patches/bugfix/all/net-packet-fix-overflow-in-check-for-tp_frame_nr.patch b/debian/patches/bugfix/all/net-packet-fix-overflow-in-check-for-tp_frame_nr.patch
new file mode 100644
index 0000000..9e6b4f3
--- /dev/null
+++ b/debian/patches/bugfix/all/net-packet-fix-overflow-in-check-for-tp_frame_nr.patch
@@ -0,0 +1,32 @@
+From: Andrey Konovalov <andreyknvl at google.com>
+Date: Wed, 29 Mar 2017 16:11:21 +0200
+Subject: [2/3] net/packet: fix overflow in check for tp_frame_nr
+Origin: https://git.kernel.org/linus/8f8d28e4d6d815a391285e121c3a53a0b6cb9e7b
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7308
+
+When calculating rb->frames_per_block * req->tp_block_nr the result
+can overflow.
+
+Add a check that tp_block_size * tp_block_nr <= UINT_MAX.
+
+Since frames_per_block <= tp_block_size, the expression would
+never overflow.
+
+Signed-off-by: Andrey Konovalov <andreyknvl at google.com>
+Acked-by: Eric Dumazet <edumazet at google.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+ net/packet/af_packet.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -3649,6 +3649,8 @@ static int packet_set_ring(struct sock *
+ 		rb->frames_per_block = req->tp_block_size/req->tp_frame_size;
+ 		if (unlikely(rb->frames_per_block <= 0))
+ 			goto out;
++		if (unlikely(req->tp_block_size > UINT_MAX / req->tp_block_nr))
++			goto out;
+ 		if (unlikely((rb->frames_per_block * req->tp_block_nr) !=
+ 					req->tp_frame_nr))
+ 			goto out;
diff --git a/debian/patches/bugfix/all/net-packet-fix-overflow-in-check-for-tp_reserve.patch b/debian/patches/bugfix/all/net-packet-fix-overflow-in-check-for-tp_reserve.patch
new file mode 100644
index 0000000..981a8d1
--- /dev/null
+++ b/debian/patches/bugfix/all/net-packet-fix-overflow-in-check-for-tp_reserve.patch
@@ -0,0 +1,28 @@
+From: Andrey Konovalov <andreyknvl at google.com>
+Date: Wed, 29 Mar 2017 16:11:22 +0200
+Subject: [3/3] net/packet: fix overflow in check for tp_reserve
+Origin: https://git.kernel.org/linus/bcc5364bdcfe131e6379363f089e7b4108d35b70
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7308
+
+When calculating po->tp_hdrlen + po->tp_reserve the result can overflow.
+
+Fix by checking that tp_reserve <= INT_MAX on assign.
+
+Signed-off-by: Andrey Konovalov <andreyknvl at google.com>
+Acked-by: Eric Dumazet <edumazet at google.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+ net/packet/af_packet.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -3136,6 +3136,8 @@ packet_setsockopt(struct socket *sock, i
+ 			return -EBUSY;
+ 		if (copy_from_user(&val, optval, sizeof(val)))
+ 			return -EFAULT;
++		if (val > INT_MAX)
++			return -EINVAL;
+ 		po->tp_reserve = val;
+ 		return 0;
+ 	}
diff --git a/debian/patches/bugfix/all/packet-handle-too-big-packets-for-packet_v3.patch b/debian/patches/bugfix/all/packet-handle-too-big-packets-for-packet_v3.patch
new file mode 100644
index 0000000..f5991e2
--- /dev/null
+++ b/debian/patches/bugfix/all/packet-handle-too-big-packets-for-packet_v3.patch
@@ -0,0 +1,73 @@
+From: Eric Dumazet <edumazet at google.com>
+Date: Fri, 15 Aug 2014 09:16:04 -0700
+Subject: packet: handle too big packets for PACKET_V3
+Origin: https://git.kernel.org/linus/dc808110bb62b64a448696ecac3938902c92e1ab
+
+af_packet can currently overwrite kernel memory by out of bound
+accesses, because it assumed a [new] block can always hold one frame.
+
+This is not generally the case, even if most existing tools do it right.
+
+This patch clamps too long frames as API permits, and issue a one time
+error on syslog.
+
+[  394.357639] tpacket_rcv: packet too big, clamped from 5042 to 3966. macoff=82
+
+In this example, packet header tp_snaplen was set to 3966,
+and tp_len was set to 5042 (skb->len)
+
+Signed-off-by: Eric Dumazet <edumazet at google.com>
+Fixes: f6fb8f100b80 ("af-packet: TPACKET_V3 flexible buffer implementation.")
+Acked-by: Daniel Borkmann <dborkman at redhat.com>
+Acked-by: Neil Horman <nhorman at tuxdriver.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+[bwh: Backported to 3.2: adjust filename]
+---
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -195,6 +195,7 @@ struct tpacket_kbdq_core {
+ 	char		*pkblk_start;
+ 	char		*pkblk_end;
+ 	int		kblk_size;
++	unsigned int	max_frame_len;
+ 	unsigned int	knum_blocks;
+ 	uint64_t	knxt_seq_num;
+ 	char		*prev;
+@@ -616,6 +617,7 @@ static void init_prb_bdqc(struct packet_
+ 	p1->tov_in_jiffies = msecs_to_jiffies(p1->retire_blk_tov);
+ 	p1->blk_sizeof_priv = req_u->req3.tp_sizeof_priv;
+ 
++	p1->max_frame_len = p1->kblk_size - BLK_PLUS_PRIV(p1->blk_sizeof_priv);
+ 	prb_init_ft_ops(p1, req_u);
+ 	prb_setup_retire_blk_timer(po, tx_ring);
+ 	prb_open_block(p1, pbd);
+@@ -1775,6 +1777,18 @@ static int tpacket_rcv(struct sk_buff *s
+ 			if ((int)snaplen < 0)
+ 				snaplen = 0;
+ 		}
++	} else if (unlikely(macoff + snaplen >
++			    GET_PBDQC_FROM_RB(&po->rx_ring)->max_frame_len)) {
++		u32 nval;
++
++		nval = GET_PBDQC_FROM_RB(&po->rx_ring)->max_frame_len - macoff;
++		pr_err_once("tpacket_rcv: packet too big, clamped from %u to %u. macoff=%u\n",
++			    snaplen, nval, macoff);
++		snaplen = nval;
++		if (unlikely((int)snaplen < 0)) {
++			snaplen = 0;
++			macoff = GET_PBDQC_FROM_RB(&po->rx_ring)->max_frame_len;
++		}
+ 	}
+ 	spin_lock(&sk->sk_receive_queue.lock);
+ 	h.raw = packet_current_rx_frame(po, skb,
+@@ -3622,6 +3636,10 @@ static int packet_set_ring(struct sock *
+ 			goto out;
+ 		if (unlikely(req->tp_block_size & (PAGE_SIZE - 1)))
+ 			goto out;
++		if (po->tp_version >= TPACKET_V3 &&
++		    (int)(req->tp_block_size -
++			  BLK_PLUS_PRIV(req_u->req3.tp_sizeof_priv)) <= 0)
++			goto out;
+ 		if (unlikely(req->tp_frame_size < po->tp_hdrlen +
+ 					po->tp_reserve))
+ 			goto out;
diff --git a/debian/patches/series b/debian/patches/series
index e643977..0f304bf 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1116,6 +1116,10 @@ bugfix/all/xfrm_user-validate-xfrm_msg_newae-xfrma_replay_esn_val-replay_window.
 bugfix/all/xfrm_user-validate-xfrm_msg_newae-incoming-esn-size-harder.patch
 bugfix/x86/vmwgfx-null-pointer-dereference-in-vmw_surface_define_ioctl.patch
 bugfix/x86/drm-vmwgfx-fix-integer-overflow-in-vmw_surface_define_ioctl.patch
+bugfix/all/packet-handle-too-big-packets-for-packet_v3.patch
+bugfix/all/net-packet-fix-overflow-in-check-for-priv-area-size.patch
+bugfix/all/net-packet-fix-overflow-in-check-for-tp_frame_nr.patch
+bugfix/all/net-packet-fix-overflow-in-check-for-tp_reserve.patch
 
 # ABI maintenance
 debian/perf-hide-abi-change-in-3.2.30.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git

More information about the Kernel-svn-changes mailing list