CVE-2017-5897 ip6_gre: Invalid reads in ip6gre_err (rhbz 1419848 1419851)
This commit is contained in:
Justin M. Forbes
parent
5d58fd5ccc
commit
29855d3561
91
ip6_gre-fix-ip6gre_err-invalid-reads.patch
Normal file
91
ip6_gre-fix-ip6gre_err-invalid-reads.patch
Normal file
@ -0,0 +1,91 @@
|
||||
From 7892032cfe67f4bde6fc2ee967e45a8fbaf33756 Mon Sep 17 00:00:00 2001
|
||||
From: Eric Dumazet <edumazet@google.com>
|
||||
Date: Sat, 4 Feb 2017 23:18:55 -0800
|
||||
Subject: ip6_gre: fix ip6gre_err() invalid reads
|
||||
|
||||
Andrey Konovalov reported out of bound accesses in ip6gre_err()
|
||||
|
||||
If GRE flags contains GRE_KEY, the following expression
|
||||
*(((__be32 *)p) + (grehlen / 4) - 1)
|
||||
|
||||
accesses data ~40 bytes after the expected point, since
|
||||
grehlen includes the size of IPv6 headers.
|
||||
|
||||
Let's use a "struct gre_base_hdr *greh" pointer to make this
|
||||
code more readable.
|
||||
|
||||
p[1] becomes greh->protocol.
|
||||
grhlen is the GRE header length.
|
||||
|
||||
Fixes: c12b395a4664 ("gre: Support GRE over IPv6")
|
||||
Signed-off-by: Eric Dumazet <edumazet@google.com>
|
||||
Reported-by: Andrey Konovalov <andreyknvl@google.com>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
---
|
||||
net/ipv6/ip6_gre.c | 40 +++++++++++++++++++++-------------------
|
||||
1 file changed, 21 insertions(+), 19 deletions(-)
|
||||
|
||||
diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c
|
||||
index 5586318..630b73b 100644
|
||||
--- a/net/ipv6/ip6_gre.c
|
||||
+++ b/net/ipv6/ip6_gre.c
|
||||
@@ -367,35 +367,37 @@ static void ip6gre_tunnel_uninit(struct net_device *dev)
|
||||
|
||||
|
||||
static void ip6gre_err(struct sk_buff *skb, struct inet6_skb_parm *opt,
|
||||
- u8 type, u8 code, int offset, __be32 info)
|
||||
+ u8 type, u8 code, int offset, __be32 info)
|
||||
{
|
||||
- const struct ipv6hdr *ipv6h = (const struct ipv6hdr *)skb->data;
|
||||
- __be16 *p = (__be16 *)(skb->data + offset);
|
||||
- int grehlen = offset + 4;
|
||||
+ const struct gre_base_hdr *greh;
|
||||
+ const struct ipv6hdr *ipv6h;
|
||||
+ int grehlen = sizeof(*greh);
|
||||
struct ip6_tnl *t;
|
||||
+ int key_off = 0;
|
||||
__be16 flags;
|
||||
+ __be32 key;
|
||||
|
||||
- flags = p[0];
|
||||
- if (flags&(GRE_CSUM|GRE_KEY|GRE_SEQ|GRE_ROUTING|GRE_VERSION)) {
|
||||
- if (flags&(GRE_VERSION|GRE_ROUTING))
|
||||
- return;
|
||||
- if (flags&GRE_KEY) {
|
||||
- grehlen += 4;
|
||||
- if (flags&GRE_CSUM)
|
||||
- grehlen += 4;
|
||||
- }
|
||||
+ if (!pskb_may_pull(skb, offset + grehlen))
|
||||
+ return;
|
||||
+ greh = (const struct gre_base_hdr *)(skb->data + offset);
|
||||
+ flags = greh->flags;
|
||||
+ if (flags & (GRE_VERSION | GRE_ROUTING))
|
||||
+ return;
|
||||
+ if (flags & GRE_CSUM)
|
||||
+ grehlen += 4;
|
||||
+ if (flags & GRE_KEY) {
|
||||
+ key_off = grehlen + offset;
|
||||
+ grehlen += 4;
|
||||
}
|
||||
|
||||
- /* If only 8 bytes returned, keyed message will be dropped here */
|
||||
- if (!pskb_may_pull(skb, grehlen))
|
||||
+ if (!pskb_may_pull(skb, offset + grehlen))
|
||||
return;
|
||||
ipv6h = (const struct ipv6hdr *)skb->data;
|
||||
- p = (__be16 *)(skb->data + offset);
|
||||
+ greh = (const struct gre_base_hdr *)(skb->data + offset);
|
||||
+ key = key_off ? *(__be32 *)(skb->data + key_off) : 0;
|
||||
|
||||
t = ip6gre_tunnel_lookup(skb->dev, &ipv6h->daddr, &ipv6h->saddr,
|
||||
- flags & GRE_KEY ?
|
||||
- *(((__be32 *)p) + (grehlen / 4) - 1) : 0,
|
||||
- p[1]);
|
||||
+ key, greh->protocol);
|
||||
if (!t)
|
||||
return;
|
||||
|
||||
--
|
||||
cgit v0.12
|
||||
|
||||
12
kernel.spec
12
kernel.spec
@ -42,7 +42,7 @@ Summary: The Linux kernel
|
||||
# For non-released -rc kernels, this will be appended after the rcX and
|
||||
# gitX tags, so a 3 here would become part of release "0.rcX.gitX.3"
|
||||
#
|
||||
%global baserelease 1
|
||||
%global baserelease 2
|
||||
%global fedora_build %{baserelease}
|
||||
|
||||
# base_sublevel is the kernel version we're starting with and patching
|
||||
@ -125,7 +125,7 @@ Summary: The Linux kernel
|
||||
# Set debugbuildsenabled to 1 for production (build separate debug kernels)
|
||||
# and 0 for rawhide (all kernels are debug kernels).
|
||||
# See also 'make debug' and 'make release'.
|
||||
%define debugbuildsenabled 1
|
||||
%define debugbuildsenabled 0
|
||||
|
||||
# Want to build a vanilla kernel build without any non-upstream patches?
|
||||
%define with_vanilla %{?_with_vanilla: 1} %{?!_with_vanilla: 0}
|
||||
@ -599,6 +599,10 @@ Patch853: 0001-Work-around-for-gcc7-and-arm64.patch
|
||||
#CVE-2017-2596 rhbz 1417812 1417813
|
||||
Patch854: kvm-fix-page-struct-leak-in-handle_vmon.patch
|
||||
|
||||
#CVE-2017-5897 rhbz 1419848 1419851
|
||||
Patch855: ip6_gre-fix-ip6gre_err-invalid-reads.patch
|
||||
|
||||
|
||||
# END OF PATCH DEFINITIONS
|
||||
|
||||
%endif
|
||||
@ -2169,6 +2173,10 @@ fi
|
||||
#
|
||||
#
|
||||
%changelog
|
||||
* Tue Feb 07 2017 Justin M. Forbes <jforbes@fedoraproject.org> - 4.10.0-0.rc7.git0.2
|
||||
- Reenable debugging options.
|
||||
- CVE-2017-5897 ip6_gre: Invalid reads in ip6gre_err (rhbz 1419848 1419851)
|
||||
|
||||
* Mon Feb 06 2017 Justin M. Forbes <jforbes@fedoraproject.org> - 4.10.0-0.rc7.git0.1
|
||||
- Disable debugging options.
|
||||
- Linux v4.10-rc7
|
||||
|
||||
Loading…
Reference in New Issue
Block a user