[linux] 02/03: ipv6: avoid overflow of offset in ip6_find_1stfragopt (CVE-2017-7542)

Thu Aug 17 20:34:00 UTC 2017

This is an automated email from the git hooks/post-receive script.

benh pushed a commit to branch wheezy-security
in repository linux.

commit 138ac8296b900cac0e58606bfdb6f76275db0088
Author: Ben Hutchings <ben at decadent.org.uk>
Date:   Thu Aug 17 21:31:13 2017 +0100

    ipv6: avoid overflow of offset in ip6_find_1stfragopt (CVE-2017-7542)
---
 debian/changelog                                   |  3 ++
 ...overflow-of-offset-in-ip6_find_1stfragopt.patch | 50 ++++++++++++++++++++++
 debian/patches/series                              |  1 +
 3 files changed, 54 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index eeccfb5..83bffcf 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -91,6 +91,9 @@ linux (3.2.91-1) UNRELEASED; urgency=medium
     - ALSA: timer: Fix missing queue indices reset at SNDRV_TIMER_IOCTL_SELECT
       (CVE-2017-1000380)
 
+  [ Ben Hutchings ]
+  * ipv6: avoid overflow of offset in ip6_find_1stfragopt (CVE-2017-7542)
+
  -- Ben Hutchings <ben at decadent.org.uk>  Mon, 03 Jul 2017 17:17:55 +0100
 
 linux (3.2.89-2) wheezy-security; urgency=high
diff --git a/debian/patches/bugfix/all/ipv6-avoid-overflow-of-offset-in-ip6_find_1stfragopt.patch b/debian/patches/bugfix/all/ipv6-avoid-overflow-of-offset-in-ip6_find_1stfragopt.patch
new file mode 100644
index 0000000..db8854e
--- /dev/null
+++ b/debian/patches/bugfix/all/ipv6-avoid-overflow-of-offset-in-ip6_find_1stfragopt.patch
@@ -0,0 +1,50 @@
+From: Sabrina Dubroca <sd at queasysnail.net>
+Date: Wed, 19 Jul 2017 22:28:55 +0200
+Subject: ipv6: avoid overflow of offset in ip6_find_1stfragopt
+Origin: https://git.kernel.org/linus/6399f1fae4ec29fab5ec76070435555e256ca3a6
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7542
+
+In some cases, offset can overflow and can cause an infinite loop in
+ip6_find_1stfragopt(). Make it unsigned int to prevent the overflow, and
+cap it at IPV6_MAXPLEN, since packets larger than that should be invalid.
+
+This problem has been here since before the beginning of git history.
+
+Signed-off-by: Sabrina Dubroca <sd at queasysnail.net>
+Acked-by: Hannes Frederic Sowa <hannes at stressinduktion.org>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+[bwh: Backported to 3.2: adjust filename, context]
+---
+ net/ipv6/ip6_output.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/net/ipv6/ip6_output.c
++++ b/net/ipv6/ip6_output.c
+@@ -561,13 +561,14 @@ static void ip6_copy_metadata(struct sk_
+ 
+ int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr)
+ {
+-	u16 offset = sizeof(struct ipv6hdr);
++	unsigned int offset = sizeof(struct ipv6hdr);
+ 	unsigned int packet_len = skb->tail - skb->network_header;
+ 	int found_rhdr = 0;
+ 	*nexthdr = &ipv6_hdr(skb)->nexthdr;
+ 
+ 	while (offset <= packet_len) {
+ 		struct ipv6_opt_hdr *exthdr;
++		unsigned int len;
+ 
+ 		switch (**nexthdr) {
+ 
+@@ -593,7 +594,10 @@ int ip6_find_1stfragopt(struct sk_buff *
+ 
+ 		exthdr = (struct ipv6_opt_hdr *)(skb_network_header(skb) +
+ 						 offset);
+-		offset += ipv6_optlen(exthdr);
++		len = ipv6_optlen(exthdr);
++		if (len + offset >= IPV6_MAXPLEN)
++			return -EINVAL;
++		offset += len;
+ 		*nexthdr = &exthdr->nexthdr;
+ 	}
+ 
diff --git a/debian/patches/series b/debian/patches/series
index 65c2ca3..d8ccdca 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1111,6 +1111,7 @@ bugfix/all/ipv6-xfrm-handle-errors-reported-by-xfrm6_find_1stfr.patch
 features/all/net-add-kfree_skb_list.patch
 bugfix/all/ipv6-fix-leak-in-ipv6_gso_segment.patch
 bugfix/arm/mm-larger-stack-guard-gap-between-vmas-arm-topdown.patch
+bugfix/all/ipv6-avoid-overflow-of-offset-in-ip6_find_1stfragopt.patch
 
 # ABI maintenance
 debian/perf-hide-abi-change-in-3.2.30.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git

