Cipso: CVE-2018-10938

Cipso: cipso_v4_optptr enter infinite loop References: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=40413955ee265a5e42f710940ec78f5450d49149 Change-Id: I2ddd252e706cc611c1b62175c1bd6ea1874a7974 Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
author: Andreas Wellving <andreas.wellving@enea.com> 2018-10-12 08:07:26 +0200
committer: Adrian Dudau <Adrian.Dudau@enea.com> 2018-10-12 14:07:52 +0200
commit: 881dab83a4597d7c0e7ca75ccee3d8038ac1b31d (patch)
tree: 0e16dc7330a9b01f40370ac7e306225957c542f7
parent: ef996871247bfa6a05578a1d33eb466d6f7c149f (diff)
download: enea-kernel-cache-881dab83a4597d7c0e7ca75ccee3d8038ac1b31d.tar.gz
2 files changed, 50 insertions, 0 deletions
diff --git a/patches/cve/4.9.x.scc b/patches/cve/4.9.x.scc
index a296f8e..eef4955 100644
--- a/patches/cve/4.9.x.scc
+++ b/patches/cve/4.9.x.scc
@@ -9,3 +9,6 @@ patch CVE-2018-15572-x86-speculation-Protect-against-userspace-userspace-.patch
 #CVEs fixed in 4.9.121:
 patch CVE-2018-9363-Bluetooth-hidp-buffer-overflow-in-hidp_process_repor.patch
+#CVEs fixed in 4.9.125:
+patch CVE-2018-10938-Cipso-cipso_v4_optptr-enter-infinite-loop.patch
diff --git a/patches/cve/CVE-2018-10938-Cipso-cipso_v4_optptr-enter-infinite-loop.patch b/patches/cve/CVE-2018-10938-Cipso-cipso_v4_optptr-enter-infinite-loop.patch
new file mode 100644
index 0000000..68a5d28
--- /dev/null
+++ b/patches/cve/CVE-2018-10938-Cipso-cipso_v4_optptr-enter-infinite-loop.patch
@@ -0,0 +1,47 @@
+From 40413955ee265a5e42f710940ec78f5450d49149 Mon Sep 17 00:00:00 2001
+From: "yujuan.qi" <yujuan.qi@mediatek.com>
+Date: Mon, 31 Jul 2017 11:23:01 +0800
+Subject: [PATCH] Cipso: cipso_v4_optptr enter infinite loop
+in for(),if((optlen > 0) && (optptr[1] == 0)), enter infinite loop.
+Test: receive a packet which the ip length > 20 and the first byte of ip option is 0, produce this issue
+CVE: CVE-2018-10938   
+Upstream-Status: Backport  
+Signed-off-by: yujuan.qi <yujuan.qi@mediatek.com>
+Acked-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
+---
+ net/ipv4/cipso_ipv4.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+diff --git a/net/ipv4/cipso_ipv4.c b/net/ipv4/cipso_ipv4.c
+index c4c6e19..2ae8f54 100644
+--- a/net/ipv4/cipso_ipv4.c
+++ b/net/ipv4/cipso_ipv4.c
+@@ -1523,9 +1523,17 @@ unsigned char *cipso_v4_optptr(const struct sk_buff *skb)
+        int taglen;
+ 
+        for (optlen = iph->ihl*4 - sizeof(struct iphdr); optlen > 0; ) {
+-               if (optptr[0] == IPOPT_CIPSO)
+               switch (optptr[0]) {
+               case IPOPT_CIPSO:
+                        return optptr;
+-               taglen = optptr[1];
+               case IPOPT_END:
+                       return NULL;
+               case IPOPT_NOOP:
+                       taglen = 1;
+                       break;
+               default:
+                       taglen = optptr[1];
+               }
+                optlen -= taglen;
+                optptr += taglen;
+        }
+-- 
+2.7.4
author	Andreas Wellving <andreas.wellving@enea.com>	2018-10-12 08:07:26 +0200
committer	Adrian Dudau <Adrian.Dudau@enea.com>	2018-10-12 14:07:52 +0200
commit	881dab83a4597d7c0e7ca75ccee3d8038ac1b31d (patch)
tree	0e16dc7330a9b01f40370ac7e306225957c542f7
parent	ef996871247bfa6a05578a1d33eb466d6f7c149f (diff)
download	enea-kernel-cache-881dab83a4597d7c0e7ca75ccee3d8038ac1b31d.tar.gz

diff --git a/patches/cve/4.9.x.scc b/patches/cve/4.9.x.scc index a296f8e..eef4955 100644 --- a/patches/cve/4.9.x.scc +++ b/patches/cve/4.9.x.scc
@@ -9,3 +9,6 @@ patch CVE-2018-15572-x86-speculation-Protect-against-userspace-userspace-.patch
9		9
10	#CVEs fixed in 4.9.121:	10	#CVEs fixed in 4.9.121:
11	patch CVE-2018-9363-Bluetooth-hidp-buffer-overflow-in-hidp_process_repor.patch	11	patch CVE-2018-9363-Bluetooth-hidp-buffer-overflow-in-hidp_process_repor.patch
		12
		13	#CVEs fixed in 4.9.125:
		14	patch CVE-2018-10938-Cipso-cipso_v4_optptr-enter-infinite-loop.patch


diff --git a/patches/cve/CVE-2018-10938-Cipso-cipso_v4_optptr-enter-infinite-loop.patch b/patches/cve/CVE-2018-10938-Cipso-cipso_v4_optptr-enter-infinite-loop.patch new file mode 100644 index 0000000..68a5d28 --- /dev/null +++ b/patches/cve/CVE-2018-10938-Cipso-cipso_v4_optptr-enter-infinite-loop.patch
@@ -0,0 +1,47 @@
		1	From 40413955ee265a5e42f710940ec78f5450d49149 Mon Sep 17 00:00:00 2001
		2	From: "yujuan.qi" <yujuan.qi@mediatek.com>
		3	Date: Mon, 31 Jul 2017 11:23:01 +0800
		4	Subject: [PATCH] Cipso: cipso_v4_optptr enter infinite loop
		5
		6	in for(),if((optlen > 0) && (optptr[1] == 0)), enter infinite loop.
		7
		8	Test: receive a packet which the ip length > 20 and the first byte of ip option is 0, produce this issue
		9
		10	CVE: CVE-2018-10938
		11	Upstream-Status: Backport
		12
		13	Signed-off-by: yujuan.qi <yujuan.qi@mediatek.com>
		14	Acked-by: Paul Moore <paul@paul-moore.com>
		15	Signed-off-by: David S. Miller <davem@davemloft.net>
		16	Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
		17	---
		18	net/ipv4/cipso_ipv4.c \| 12 ++++++++++--
		19	1 file changed, 10 insertions(+), 2 deletions(-)
		20
		21	diff --git a/net/ipv4/cipso_ipv4.c b/net/ipv4/cipso_ipv4.c
		22	index c4c6e19..2ae8f54 100644
		23	--- a/net/ipv4/cipso_ipv4.c
		24	+++ b/net/ipv4/cipso_ipv4.c
		25	@@ -1523,9 +1523,17 @@ unsigned char cipso_v4_optptr(const struct sk_buff skb)
		26	int taglen;
		27
		28	for (optlen = iph->ihl*4 - sizeof(struct iphdr); optlen > 0; ) {
		29	- if (optptr[0] == IPOPT_CIPSO)
		30	+ switch (optptr[0]) {
		31	+ case IPOPT_CIPSO:
		32	return optptr;
		33	- taglen = optptr[1];
		34	+ case IPOPT_END:
		35	+ return NULL;
		36	+ case IPOPT_NOOP:
		37	+ taglen = 1;
		38	+ break;
		39	+ default:
		40	+ taglen = optptr[1];
		41	+ }
		42	optlen -= taglen;
		43	optptr += taglen;
		44	}
		45	--
		46	2.7.4
		47