[linux] 02/02: ipv6: fix out of bound writes in __ip6_append_data() (CVE-2017-9242)

debian-kernel at lists.debian.org debian-kernel at lists.debian.org
Thu Jun 1 07:08:45 UTC 2017 

This is an automated email from the git hooks/post-receive script.

carnil pushed a commit to branch sid
in repository linux.

commit 2502943c58ff305a8e09b8f804d8a49b5b57fff9
Author: Salvatore Bonaccorso <carnil at debian.org>
Date:   Thu Jun 1 08:36:43 2017 +0200

    ipv6: fix out of bound writes in __ip6_append_data() (CVE-2017-9242)
---
 debian/changelog                                   |  1 +
 ...-out-of-bound-writes-in-__ip6_append_data.patch | 67 ++++++++++++++++++++++
 debian/patches/series                              |  1 +
 3 files changed, 69 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index cc7b9bc..9757cfe 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -418,6 +418,7 @@ linux (4.9.30-1) UNRELEASED; urgency=medium
   * ipv6/dccp: do not inherit ipv6_mc_list from parent (CVE-2017-9076
     CVE-2017-9077)
   * crypto: skcipher - Add missing API setkey checks (CVE-2017-9211)
+  * ipv6: fix out of bound writes in __ip6_append_data() (CVE-2017-9242)
 
  -- Ben Hutchings <ben at decadent.org.uk>  Mon, 08 May 2017 21:11:08 +0200
 
diff --git a/debian/patches/bugfix/all/ipv6-fix-out-of-bound-writes-in-__ip6_append_data.patch b/debian/patches/bugfix/all/ipv6-fix-out-of-bound-writes-in-__ip6_append_data.patch
new file mode 100644
index 0000000..3a2bf78
--- /dev/null
+++ b/debian/patches/bugfix/all/ipv6-fix-out-of-bound-writes-in-__ip6_append_data.patch
@@ -0,0 +1,67 @@
+From: Eric Dumazet <edumazet at google.com>
+Date: Fri, 19 May 2017 14:17:48 -0700
+Subject: ipv6: fix out of bound writes in __ip6_append_data()
+Origin: https://git.kernel.org/linus/232cd35d0804cc241eb887bb8d4d9b3b9881c64a
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-9242
+
+Andrey Konovalov and idaifish at gmail.com reported crashes caused by
+one skb shared_info being overwritten from __ip6_append_data()
+
+Andrey program lead to following state :
+
+copy -4200 datalen 2000 fraglen 2040
+maxfraglen 2040 alloclen 2048 transhdrlen 0 offset 0 fraggap 6200
+
+The skb_copy_and_csum_bits(skb_prev, maxfraglen, data + transhdrlen,
+fraggap, 0); is overwriting skb->head and skb_shared_info
+
+Since we apparently detect this rare condition too late, move the
+code earlier to even avoid allocating skb and risking crashes.
+
+Once again, many thanks to Andrey and syzkaller team.
+
+Signed-off-by: Eric Dumazet <edumazet at google.com>
+Reported-by: Andrey Konovalov <andreyknvl at google.com>
+Tested-by: Andrey Konovalov <andreyknvl at google.com>
+Reported-by: <idaifish at gmail.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+ net/ipv6/ip6_output.c | 15 ++++++++-------
+ 1 file changed, 8 insertions(+), 7 deletions(-)
+
+diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
+index d4a31be..bf8a58a 100644
+--- a/net/ipv6/ip6_output.c
++++ b/net/ipv6/ip6_output.c
+@@ -1466,6 +1466,11 @@ static int __ip6_append_data(struct sock *sk,
+ 			 */
+ 			alloclen += sizeof(struct frag_hdr);
+ 
++			copy = datalen - transhdrlen - fraggap;
++			if (copy < 0) {
++				err = -EINVAL;
++				goto error;
++			}
+ 			if (transhdrlen) {
+ 				skb = sock_alloc_send_skb(sk,
+ 						alloclen + hh_len,
+@@ -1515,13 +1520,9 @@ static int __ip6_append_data(struct sock *sk,
+ 				data += fraggap;
+ 				pskb_trim_unique(skb_prev, maxfraglen);
+ 			}
+-			copy = datalen - transhdrlen - fraggap;
+-
+-			if (copy < 0) {
+-				err = -EINVAL;
+-				kfree_skb(skb);
+-				goto error;
+-			} else if (copy > 0 && getfrag(from, data + transhdrlen, offset, copy, fraggap, skb) < 0) {
++			if (copy > 0 &&
++			    getfrag(from, data + transhdrlen, offset,
++				    copy, fraggap, skb) < 0) {
+ 				err = -EFAULT;
+ 				kfree_skb(skb);
+ 				goto error;
+-- 
+2.1.4
+
diff --git a/debian/patches/series b/debian/patches/series
index 3a3e27b..cd9253c 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -110,6 +110,7 @@ bugfix/all/ipv6-prevent-overrun-when-parsing-v6-header-options.patch
 bugfix/all/sctp-do-not-inherit-ipv6_-mc-ac-fl-_list-from-parent.patch
 bugfix/all/ipv6-dccp-do-not-inherit-ipv6_mc_list-from-parent.patch
 bugfix/all/crypto-skcipher-Add-missing-api-setkey-checks.patch
+bugfix/all/ipv6-fix-out-of-bound-writes-in-__ip6_append_data.patch
 
 # Fix exported symbol versions
 bugfix/ia64/revert-ia64-move-exports-to-definitions.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git

More information about the Kernel-svn-changes mailing list