[linux] 02/03: xfrm: policy: check policy direction value (CVE-2017-11600)

Thu Aug 17 23:59:45 UTC 2017

This is an automated email from the git hooks/post-receive script.

benh pushed a commit to branch wheezy-security
in repository linux.

commit 9874382b076afddb113de4da60a31e165124d5bf
Author: Ben Hutchings <ben at decadent.org.uk>
Date:   Thu Aug 17 23:01:55 2017 +0100

    xfrm: policy: check policy direction value (CVE-2017-11600)
---
 debian/changelog                                   |  1 +
 .../xfrm-policy-check-policy-direction-value.patch | 40 ++++++++++++++++++++++
 debian/patches/series                              |  1 +
 3 files changed, 42 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index fb79b5e..9c72ef0 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -95,6 +95,7 @@ linux (3.2.91-1) UNRELEASED; urgency=medium
   * ipv6: avoid overflow of offset in ip6_find_1stfragopt (CVE-2017-7542)
   * mqueue: fix a use-after-free in sys_mq_notify() (CVE-2017-11176)
   * timerfd: Protect the might cancel mechanism proper (CVE-2017-10661)
+  * xfrm: policy: check policy direction value (CVE-2017-11600)
 
  -- Ben Hutchings <ben at decadent.org.uk>  Mon, 03 Jul 2017 17:17:55 +0100
 
diff --git a/debian/patches/bugfix/all/xfrm-policy-check-policy-direction-value.patch b/debian/patches/bugfix/all/xfrm-policy-check-policy-direction-value.patch
new file mode 100644
index 0000000..251d090
--- /dev/null
+++ b/debian/patches/bugfix/all/xfrm-policy-check-policy-direction-value.patch
@@ -0,0 +1,40 @@
+From: Vladis Dronov <vdronov at redhat.com>
+Date: Wed, 2 Aug 2017 19:50:14 +0200
+Subject: xfrm: policy: check policy direction value
+Origin: https://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec.git/commit?id=7bab09631c2a303f87a7eb7e3d69e888673b9b7e
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-11600
+
+The 'dir' parameter in xfrm_migrate() is a user-controlled byte which is used
+as an array index. This can lead to an out-of-bound access, kernel lockup and
+DoS. Add a check for the 'dir' value.
+
+This fixes CVE-2017-11600.
+
+References: https://bugzilla.redhat.com/show_bug.cgi?id=1474928
+Fixes: 80c9abaabf42 ("[XFRM]: Extension for dynamic update of endpoint address(es)")
+Cc: <stable at vger.kernel.org> # v2.6.21-rc1
+Reported-by: "bo Zhang" <zhangbo5891001 at gmail.com>
+Signed-off-by: Vladis Dronov <vdronov at redhat.com>
+Signed-off-by: Steffen Klassert <steffen.klassert at secunet.com>
+---
+ net/xfrm/xfrm_policy.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/net/xfrm/xfrm_policy.c
++++ b/net/xfrm/xfrm_policy.c
+@@ -2942,9 +2942,15 @@ int xfrm_migrate(const struct xfrm_selec
+ 	struct xfrm_state *x_new[XFRM_MAX_DEPTH];
+ 	struct xfrm_migrate *mp;
+ 
++	/* Stage 0 - sanity checks */
+ 	if ((err = xfrm_migrate_check(m, num_migrate)) < 0)
+ 		goto out;
+ 
++	if (dir >= XFRM_POLICY_MAX) {
++		err = -EINVAL;
++		goto out;
++	}
++
+ 	/* Stage 1 - find policy */
+ 	if ((pol = xfrm_migrate_policy_find(sel, dir, type)) == NULL) {
+ 		err = -ENOENT;
diff --git a/debian/patches/series b/debian/patches/series
index fa106a3..e934d8e 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1114,6 +1114,7 @@ bugfix/arm/mm-larger-stack-guard-gap-between-vmas-arm-topdown.patch
 bugfix/all/ipv6-avoid-overflow-of-offset-in-ip6_find_1stfragopt.patch
 bugfix/all/mqueue-fix-a-use-after-free-in-sys_mq_notify.patch
 bugfix/all/timerfd-protect-the-might-cancel-mechanism-proper.patch
+bugfix/all/xfrm-policy-check-policy-direction-value.patch
 
 # ABI maintenance
 debian/perf-hide-abi-change-in-3.2.30.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git

