[linux] 01/05: xfrm_user: Apply fixes for CVE-2017-7184

Wed Mar 29 21:52:37 UTC 2017

This is an automated email from the git hooks/post-receive script.

benh pushed a commit to branch sid
in repository linux.

commit 3e739d51e3a2a03d41f2e884fb7bb5167cd45bc9
Author: Ben Hutchings <ben at decadent.org.uk>
Date:   Wed Mar 29 22:28:05 2017 +0100

    xfrm_user: Apply fixes for CVE-2017-7184
---
 debian/changelog                                   |  3 ++
 ...e-xfrm_msg_newae-incoming-esn-size-harder.patch | 34 ++++++++++++++++++
 ..._newae-xfrma_replay_esn_val-replay_window.patch | 42 ++++++++++++++++++++++
 debian/patches/series                              |  2 ++
 4 files changed, 81 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index e3613f8..88fb015 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -135,6 +135,9 @@ linux (4.9.18-1) UNRELEASED; urgency=medium
     - futex: Drop hb->lock before enqueueing on the rtmutex
     - futex: workaround migrate_disable/enable in different context
     - Revert "kernel/futex: don't deboost too early"
+  * xfrm_user: validate XFRM_MSG_NEWAE XFRMA_REPLAY_ESN_VAL replay_window
+    (CVE-2017-7184)
+  * xfrm_user: validate XFRM_MSG_NEWAE incoming ESN size harder (CVE-2017-7184)
 
  -- Ben Hutchings <ben at decadent.org.uk>  Mon, 27 Mar 2017 21:54:36 +0100
 
diff --git a/debian/patches/bugfix/all/xfrm_user-validate-xfrm_msg_newae-incoming-esn-size-harder.patch b/debian/patches/bugfix/all/xfrm_user-validate-xfrm_msg_newae-incoming-esn-size-harder.patch
new file mode 100644
index 0000000..faf3861
--- /dev/null
+++ b/debian/patches/bugfix/all/xfrm_user-validate-xfrm_msg_newae-incoming-esn-size-harder.patch
@@ -0,0 +1,34 @@
+From: Andy Whitcroft <apw at canonical.com>
+Date: Thu, 23 Mar 2017 07:45:44 +0000
+Subject: [PATCH 2/2] xfrm_user: validate XFRM_MSG_NEWAE incoming ESN size
+ harder
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7184
+
+Kees Cook has pointed out that xfrm_replay_state_esn_len() is subject to
+wrapping issues.  To ensure we are correctly ensuring that the two ESN
+structures are the same size compare both the overall size as reported
+by xfrm_replay_state_esn_len() and the internal length are the same.
+
+CVE-2017-7184
+Signed-off-by: Andy Whitcroft <apw at canonical.com>
+---
+ net/xfrm/xfrm_user.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
+index 81c4112..87e0c22 100644
+--- a/net/xfrm/xfrm_user.c
++++ b/net/xfrm/xfrm_user.c
+@@ -412,7 +412,11 @@ static inline int xfrm_replay_verify_len(struct xfrm_replay_state_esn *replay_es
+ 	up = nla_data(rp);
+ 	ulen = xfrm_replay_state_esn_len(up);
+ 
+-	if (nla_len(rp) < ulen || xfrm_replay_state_esn_len(replay_esn) != ulen)
++	/* Check the overall length and the internal bitmap length to avoid
++	 * potential overflow. */
++	if (nla_len(rp) < ulen ||
++	    xfrm_replay_state_esn_len(replay_esn) != ulen ||
++	    replay_esn->bmp_len != up->bmp_len)
+ 		return -EINVAL;
+ 
+ 	if (up->replay_window > up->bmp_len * sizeof(__u32) * 8)
diff --git a/debian/patches/bugfix/all/xfrm_user-validate-xfrm_msg_newae-xfrma_replay_esn_val-replay_window.patch b/debian/patches/bugfix/all/xfrm_user-validate-xfrm_msg_newae-xfrma_replay_esn_val-replay_window.patch
new file mode 100644
index 0000000..758973e
--- /dev/null
+++ b/debian/patches/bugfix/all/xfrm_user-validate-xfrm_msg_newae-xfrma_replay_esn_val-replay_window.patch
@@ -0,0 +1,42 @@
+From: Andy Whitcroft <apw at canonical.com>
+Date: Wed, 22 Mar 2017 07:29:31 +0000
+Subject: [PATCH 1/2] xfrm_user: validate XFRM_MSG_NEWAE XFRMA_REPLAY_ESN_VAL
+ replay_window
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7184
+
+When a new xfrm state is created during an XFRM_MSG_NEWSA call we validate
+the user supplied replay_esn to ensure that the size is valid and to ensure
+that the replay_window size is within the allocated buffer.  However later
+it is possible to update this replay_esn via a XFRM_MSG_NEWAE call.
+There we again validate the size of the supplied buffer matches the
+existing state and if so inject the contents.  We do not at this point
+check that the replay_window is within the allocated memory.  This leads
+to out-of-bounds reads and writes triggered by netlink packets.  This leads
+to memory corruption and the potential for priviledge escalation.
+
+We already attempt to validate the incoming replay information in
+xfrm_new_ae() via xfrm_replay_verify_len().  This confirms that the
+user is not trying to change the size of the replay state buffer which
+includes the replay_esn.  It however does not check the replay_window
+remains within that buffer.  Add validation of the contained replay_window.
+
+CVE-2017-7184
+Signed-off-by: Andy Whitcroft <apw at canonical.com>
+---
+ net/xfrm/xfrm_user.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
+index 0889209..81c4112 100644
+--- a/net/xfrm/xfrm_user.c
++++ b/net/xfrm/xfrm_user.c
+@@ -415,6 +415,9 @@ static inline int xfrm_replay_verify_len(struct xfrm_replay_state_esn *replay_es
+ 	if (nla_len(rp) < ulen || xfrm_replay_state_esn_len(replay_esn) != ulen)
+ 		return -EINVAL;
+ 
++	if (up->replay_window > up->bmp_len * sizeof(__u32) * 8)
++		return -EINVAL;
++
+ 	return 0;
+ }
+ 
diff --git a/debian/patches/series b/debian/patches/series
index 8298e5d..145dfa6 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -119,6 +119,8 @@ debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
 bugfix/x86/kvm-fix-page-struct-leak-in-handle_vmon.patch
 debian/time-mark-timer_stats-as-broken.patch
 bugfix/all/sctp-deny-peeloff-operation-on-asocs-with-threads-sl.patch
+bugfix/all/xfrm_user-validate-xfrm_msg_newae-xfrma_replay_esn_val-replay_window.patch
+bugfix/all/xfrm_user-validate-xfrm_msg_newae-incoming-esn-size-harder.patch
 
 # Fix exported symbol versions
 bugfix/ia64/revert-ia64-move-exports-to-definitions.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git

