[linux] 05/05: net/packet: Fix integer overflow in various range checks (CVE-2017-7308)

debian-kernel at lists.debian.org debian-kernel at lists.debian.org
Wed Mar 29 21:52:37 UTC 2017 

This is an automated email from the git hooks/post-receive script.

benh pushed a commit to branch sid
in repository linux.

commit 8a7210aeea3106aab81c0196ce2520668f9eadbf
Author: Ben Hutchings <ben at decadent.org.uk>
Date:   Wed Mar 29 22:50:53 2017 +0100

    net/packet: Fix integer overflow in various range checks (CVE-2017-7308)
---
 debian/changelog                                   |  1 +
 ...-fix-overflow-in-check-for-priv-area-size.patch | 34 ++++++++++++++++++++++
 ...ket-fix-overflow-in-check-for-tp_frame_nr.patch | 31 ++++++++++++++++++++
 ...cket-fix-overflow-in-check-for-tp_reserve.patch | 27 +++++++++++++++++
 debian/patches/series                              |  3 ++
 5 files changed, 96 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 22c3cbe..0458121 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -143,6 +143,7 @@ linux (4.9.18-1) UNRELEASED; urgency=medium
     (CVE-2017-7261)
   * [x86] drm/vmwgfx: fix integer overflow in vmw_surface_define_ioctl()
     (CVE-2017-7294)
+  * net/packet: Fix integer overflow in various range checks (CVE-2017-7308)
 
  -- Ben Hutchings <ben at decadent.org.uk>  Mon, 27 Mar 2017 21:54:36 +0100
 
diff --git a/debian/patches/bugfix/all/net-packet-fix-overflow-in-check-for-priv-area-size.patch b/debian/patches/bugfix/all/net-packet-fix-overflow-in-check-for-priv-area-size.patch
new file mode 100644
index 0000000..51b6937
--- /dev/null
+++ b/debian/patches/bugfix/all/net-packet-fix-overflow-in-check-for-priv-area-size.patch
@@ -0,0 +1,34 @@
+From: Andrey Konovalov <andreyknvl at google.com>
+Date: Wed, 29 Mar 2017 16:11:20 +0200
+Subject: net/packet: fix overflow in check for priv area size
+Origin: https://patchwork.ozlabs.org/patch/744811/
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7308
+
+Subtracting tp_sizeof_priv from tp_block_size and casting to int
+to check whether one is less then the other doesn't always work
+(both of them are unsigned ints).
+
+Compare them as is instead.
+
+Also cast tp_sizeof_priv to u64 before using BLK_PLUS_PRIV, as
+it can overflow inside BLK_PLUS_PRIV otherwise.
+
+Signed-off-by: Andrey Konovalov <andreyknvl at google.com>
+Acked-by: Eric Dumazet <edumazet at google.com>
+---
+ net/packet/af_packet.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -4235,8 +4235,8 @@ static int packet_set_ring(struct sock *
+ 		if (unlikely(!PAGE_ALIGNED(req->tp_block_size)))
+ 			goto out;
+ 		if (po->tp_version >= TPACKET_V3 &&
+-		    (int)(req->tp_block_size -
+-			  BLK_PLUS_PRIV(req_u->req3.tp_sizeof_priv)) <= 0)
++		    req->tp_block_size <=
++			  BLK_PLUS_PRIV((u64)req_u->req3.tp_sizeof_priv))
+ 			goto out;
+ 		if (unlikely(req->tp_frame_size < po->tp_hdrlen +
+ 					po->tp_reserve))
diff --git a/debian/patches/bugfix/all/net-packet-fix-overflow-in-check-for-tp_frame_nr.patch b/debian/patches/bugfix/all/net-packet-fix-overflow-in-check-for-tp_frame_nr.patch
new file mode 100644
index 0000000..02434c8
--- /dev/null
+++ b/debian/patches/bugfix/all/net-packet-fix-overflow-in-check-for-tp_frame_nr.patch
@@ -0,0 +1,31 @@
+From: Andrey Konovalov <andreyknvl at google.com>
+Date: Wed, 29 Mar 2017 16:11:21 +0200
+Subject: net/packet: fix overflow in check for tp_frame_nr
+Origin: https://patchwork.ozlabs.org/patch/744812/
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7308
+
+When calculating rb->frames_per_block * req->tp_block_nr the result
+can overflow.
+
+Add a check that tp_block_size * tp_block_nr <= UINT_MAX.
+
+Since frames_per_block <= tp_block_size, the expression would
+never overflow.
+
+Signed-off-by: Andrey Konovalov <andreyknvl at google.com>
+Acked-by: Eric Dumazet <edumazet at google.com>
+---
+ net/packet/af_packet.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -4247,6 +4247,8 @@ static int packet_set_ring(struct sock *
+ 		rb->frames_per_block = req->tp_block_size / req->tp_frame_size;
+ 		if (unlikely(rb->frames_per_block == 0))
+ 			goto out;
++		if (unlikely(req->tp_block_size > UINT_MAX / req->tp_block_nr))
++			goto out;
+ 		if (unlikely((rb->frames_per_block * req->tp_block_nr) !=
+ 					req->tp_frame_nr))
+ 			goto out;
diff --git a/debian/patches/bugfix/all/net-packet-fix-overflow-in-check-for-tp_reserve.patch b/debian/patches/bugfix/all/net-packet-fix-overflow-in-check-for-tp_reserve.patch
new file mode 100644
index 0000000..491c30a
--- /dev/null
+++ b/debian/patches/bugfix/all/net-packet-fix-overflow-in-check-for-tp_reserve.patch
@@ -0,0 +1,27 @@
+From: Andrey Konovalov <andreyknvl at google.com>
+Date: Wed, 29 Mar 2017 16:11:22 +0200
+Subject: net/packet: fix overflow in check for tp_reserve
+Origin: https://patchwork.ozlabs.org/patch/744813/
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7308
+
+When calculating po->tp_hdrlen + po->tp_reserve the result can overflow.
+
+Fix by checking that tp_reserve <= INT_MAX on assign.
+
+Signed-off-by: Andrey Konovalov <andreyknvl at google.com>
+Acked-by: Eric Dumazet <edumazet at google.com>
+---
+ net/packet/af_packet.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -3702,6 +3702,8 @@ packet_setsockopt(struct socket *sock, i
+ 			return -EBUSY;
+ 		if (copy_from_user(&val, optval, sizeof(val)))
+ 			return -EFAULT;
++		if (val > INT_MAX)
++			return -EINVAL;
+ 		po->tp_reserve = val;
+ 		return 0;
+ 	}
diff --git a/debian/patches/series b/debian/patches/series
index deab170..a6f7688 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -124,6 +124,9 @@ bugfix/all/xfrm_user-validate-xfrm_msg_newae-incoming-esn-size-harder.patch
 bugfix/all/scsi-sg-check-length-passed-to-sg_next_cmd_len.patch
 bugfix/x86/vmwgfx-null-pointer-dereference-in-vmw_surface_define_ioctl.patch
 bugfix/x86/drm-vmwgfx-fix-integer-overflow-in-vmw_surface_define_ioctl.patch
+bugfix/all/net-packet-fix-overflow-in-check-for-priv-area-size.patch
+bugfix/all/net-packet-fix-overflow-in-check-for-tp_frame_nr.patch
+bugfix/all/net-packet-fix-overflow-in-check-for-tp_reserve.patch
 
 # Fix exported symbol versions
 bugfix/ia64/revert-ia64-move-exports-to-definitions.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git

More information about the Kernel-svn-changes mailing list