diff options
author | Salvatore Bonaccorso <carnil@debian.org> | 2017-08-03 20:31:35 +0200 |
---|---|---|
committer | Salvatore Bonaccorso <carnil@debian.org> | 2017-08-03 20:32:16 +0200 |
commit | 9f89bea8ab330f87c09225d5dfcdcdcfeaf8d24c (patch) | |
tree | 5f9b0a221a604b21fd282d6cc9fe53effe9c10aa | |
parent | b5081c50bcc119101beb307ff5950f964d042d14 (diff) | |
download | kernel_replicant_linux-9f89bea8ab330f87c09225d5dfcdcdcfeaf8d24c.tar.gz kernel_replicant_linux-9f89bea8ab330f87c09225d5dfcdcdcfeaf8d24c.tar.bz2 kernel_replicant_linux-9f89bea8ab330f87c09225d5dfcdcdcfeaf8d24c.zip |
ipv6: avoid overflow of offset in ip6_find_1stfragopt (CVE-2017-7542)
-rw-r--r-- | debian/changelog | 1 | ||||
-rw-r--r-- | debian/patches/bugfix/all/ipv6-avoid-overflow-of-offset-in-ip6_find_1stfragopt.patch | 55 | ||||
-rw-r--r-- | debian/patches/series | 1 |
3 files changed, 57 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog index 40e7caefb83b..1afb0327a838 100644 --- a/debian/changelog +++ b/debian/changelog @@ -25,6 +25,7 @@ linux (4.12.3-1~exp1) UNRELEASED; urgency=medium [ Salvatore Bonaccorso ] * dentry name snapshots (CVE-2017-7533) + * ipv6: avoid overflow of offset in ip6_find_1stfragopt (CVE-2017-7542) -- Ben Hutchings <ben@decadent.org.uk> Tue, 18 Jul 2017 13:26:41 +0100 diff --git a/debian/patches/bugfix/all/ipv6-avoid-overflow-of-offset-in-ip6_find_1stfragopt.patch b/debian/patches/bugfix/all/ipv6-avoid-overflow-of-offset-in-ip6_find_1stfragopt.patch new file mode 100644 index 000000000000..d1b4d726f32e --- /dev/null +++ b/debian/patches/bugfix/all/ipv6-avoid-overflow-of-offset-in-ip6_find_1stfragopt.patch @@ -0,0 +1,55 @@ +From: Sabrina Dubroca <sd@queasysnail.net> +Date: Wed, 19 Jul 2017 22:28:55 +0200 +Subject: ipv6: avoid overflow of offset in ip6_find_1stfragopt +Origin: https://git.kernel.org/linus/6399f1fae4ec29fab5ec76070435555e256ca3a6 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7542 + +In some cases, offset can overflow and can cause an infinite loop in +ip6_find_1stfragopt(). Make it unsigned int to prevent the overflow, and +cap it at IPV6_MAXPLEN, since packets larger than that should be invalid. + +This problem has been here since before the beginning of git history. + +Signed-off-by: Sabrina Dubroca <sd@queasysnail.net> +Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org> +Signed-off-by: David S. Miller <davem@davemloft.net> +--- + net/ipv6/output_core.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/net/ipv6/output_core.c b/net/ipv6/output_core.c +index e9065b8d3af8..abb2c307fbe8 100644 +--- a/net/ipv6/output_core.c ++++ b/net/ipv6/output_core.c +@@ -78,7 +78,7 @@ EXPORT_SYMBOL(ipv6_select_ident); + + int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr) + { +- u16 offset = sizeof(struct ipv6hdr); ++ unsigned int offset = sizeof(struct ipv6hdr); + unsigned int packet_len = skb_tail_pointer(skb) - + skb_network_header(skb); + int found_rhdr = 0; +@@ -86,6 +86,7 @@ int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr) + + while (offset <= packet_len) { + struct ipv6_opt_hdr *exthdr; ++ unsigned int len; + + switch (**nexthdr) { + +@@ -111,7 +112,10 @@ int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr) + + exthdr = (struct ipv6_opt_hdr *)(skb_network_header(skb) + + offset); +- offset += ipv6_optlen(exthdr); ++ len = ipv6_optlen(exthdr); ++ if (len + offset >= IPV6_MAXPLEN) ++ return -EINVAL; ++ offset += len; + *nexthdr = &exthdr->nexthdr; + } + +-- +2.11.0 + diff --git a/debian/patches/series b/debian/patches/series index aaf535a9b432..32c61ae9c629 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -118,6 +118,7 @@ features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch # Security fixes debian/i386-686-pae-pci-set-pci-nobios-by-default.patch bugfix/all/dentry-name-snapshots.patch +bugfix/all/ipv6-avoid-overflow-of-offset-in-ip6_find_1stfragopt.patch # Fix exported symbol versions bugfix/alpha/alpha-restore-symbol-versions-for-symbols-exported-f.patch |