[linux] 01/01: Add follow-up fixes for CVE-2017-9074

debian-kernel at lists.debian.org debian-kernel at lists.debian.org
Thu Jun 8 14:37:18 UTC 2017 

This is an automated email from the git hooks/post-receive script.

benh pushed a commit to branch sid
in repository linux.

commit 9bf3ee218c26c712f50e67e965fbb9cef59dcd32
Author: Ben Hutchings <ben at decadent.org.uk>
Date:   Thu Jun 8 15:37:04 2017 +0100

    Add follow-up fixes for CVE-2017-9074
---
 debian/changelog                                   |  2 ++
 .../all/ipv6-fix-leak-in-ipv6_gso_segment.patch    | 32 +++++++++++++++++
 ...andle-errors-reported-by-xfrm6_find_1stfr.patch | 40 ++++++++++++++++++++++
 debian/patches/series                              |  2 ++
 4 files changed, 76 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index df544ec..9e3fefc 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -16,6 +16,8 @@ linux (4.11.4-1) UNRELEASED; urgency=medium
   [ Ben Hutchings ]
   * [x86] Enable SERIAL_8250_MID as built-in (Closes: #864368)
   * Set ABI to 1
+  * ipv6: xfrm: Handle errors reported by xfrm6_find_1stfragopt()
+  * ipv6: Fix leak in ipv6_gso_segment().
 
  -- Ben Hutchings <ben at decadent.org.uk>  Tue, 06 Jun 2017 20:43:11 +0100
 
diff --git a/debian/patches/bugfix/all/ipv6-fix-leak-in-ipv6_gso_segment.patch b/debian/patches/bugfix/all/ipv6-fix-leak-in-ipv6_gso_segment.patch
new file mode 100644
index 0000000..c5142b2
--- /dev/null
+++ b/debian/patches/bugfix/all/ipv6-fix-leak-in-ipv6_gso_segment.patch
@@ -0,0 +1,32 @@
+From: "David S. Miller" <davem at davemloft.net>
+Date: Sun, 4 Jun 2017 21:41:10 -0400
+Subject: ipv6: Fix leak in ipv6_gso_segment().
+Origin: https://git.kernel.org/linus/e3e86b5119f81e5e2499bea7ea1ebe8ac6aab789
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-9074
+
+If ip6_find_1stfragopt() fails and we return an error we have to free
+up 'segs' because nobody else is going to.
+
+Fixes: 2423496af35d ("ipv6: Prevent overrun when parsing v6 header options")
+Reported-by: Ben Hutchings <ben at decadent.org.uk>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+ net/ipv6/ip6_offload.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/net/ipv6/ip6_offload.c b/net/ipv6/ip6_offload.c
+index 280268f1dd7b..cdb3728faca7 100644
+--- a/net/ipv6/ip6_offload.c
++++ b/net/ipv6/ip6_offload.c
+@@ -116,8 +116,10 @@ static struct sk_buff *ipv6_gso_segment(struct sk_buff *skb,
+ 
+ 		if (udpfrag) {
+ 			int err = ip6_find_1stfragopt(skb, &prevhdr);
+-			if (err < 0)
++			if (err < 0) {
++				kfree_skb_list(segs);
+ 				return ERR_PTR(err);
++			}
+ 			fptr = (struct frag_hdr *)((u8 *)ipv6h + err);
+ 			fptr->frag_off = htons(offset);
+ 			if (skb->next)
diff --git a/debian/patches/bugfix/all/ipv6-xfrm-handle-errors-reported-by-xfrm6_find_1stfr.patch b/debian/patches/bugfix/all/ipv6-xfrm-handle-errors-reported-by-xfrm6_find_1stfr.patch
new file mode 100644
index 0000000..02ea18f
--- /dev/null
+++ b/debian/patches/bugfix/all/ipv6-xfrm-handle-errors-reported-by-xfrm6_find_1stfr.patch
@@ -0,0 +1,40 @@
+From: Ben Hutchings <ben at decadent.org.uk>
+Date: Wed, 31 May 2017 13:15:41 +0100
+Subject: ipv6: xfrm: Handle errors reported by xfrm6_find_1stfragopt()
+Origin: https://git.kernel.org/linus/6e80ac5cc992ab6256c3dae87f7e57db15e1a58c
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-9074
+
+xfrm6_find_1stfragopt() may now return an error code and we must
+not treat it as a length.
+
+Fixes: 2423496af35d ("ipv6: Prevent overrun when parsing v6 header options")
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+Acked-by: Craig Gallek <kraig at google.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+ net/ipv6/xfrm6_mode_ro.c        | 2 ++
+ net/ipv6/xfrm6_mode_transport.c | 2 ++
+ 2 files changed, 4 insertions(+)
+
+--- a/net/ipv6/xfrm6_mode_ro.c
++++ b/net/ipv6/xfrm6_mode_ro.c
+@@ -47,6 +47,8 @@ static int xfrm6_ro_output(struct xfrm_s
+ 	iph = ipv6_hdr(skb);
+ 
+ 	hdr_len = x->type->hdr_offset(x, skb, &prevhdr);
++	if (hdr_len < 0)
++		return hdr_len;
+ 	skb_set_mac_header(skb, (prevhdr - x->props.header_len) - skb->data);
+ 	skb_set_network_header(skb, -x->props.header_len);
+ 	skb->transport_header = skb->network_header + hdr_len;
+--- a/net/ipv6/xfrm6_mode_transport.c
++++ b/net/ipv6/xfrm6_mode_transport.c
+@@ -28,6 +28,8 @@ static int xfrm6_transport_output(struct
+ 	iph = ipv6_hdr(skb);
+ 
+ 	hdr_len = x->type->hdr_offset(x, skb, &prevhdr);
++	if (hdr_len < 0)
++		return hdr_len;
+ 	skb_set_mac_header(skb, (prevhdr - x->props.header_len) - skb->data);
+ 	skb_set_network_header(skb, -x->props.header_len);
+ 	skb->transport_header = skb->network_header + hdr_len;
diff --git a/debian/patches/series b/debian/patches/series
index 2930b7b..a6ff411 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -143,6 +143,8 @@ debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
 bugfix/all/tracing-Use-strlcpy-instead-of-strcpy-in-__trace_fin.patch
 bugfix/all/sunrpc-refactor-svc_set_num_threads.patch
 bugfix/all/nfsv4-fix-callback-server-shutdown.patch
+bugfix/all/ipv6-xfrm-handle-errors-reported-by-xfrm6_find_1stfr.patch
+bugfix/all/ipv6-fix-leak-in-ipv6_gso_segment.patch
 
 # Fix exported symbol versions
 bugfix/ia64/revert-ia64-move-exports-to-definitions.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git

More information about the Kernel-svn-changes mailing list