diff options
author | Andreas Wellving <andreas.wellving@enea.com> | 2018-10-12 08:07:26 +0200 |
---|---|---|
committer | Adrian Dudau <Adrian.Dudau@enea.com> | 2018-10-12 14:07:52 +0200 |
commit | 881dab83a4597d7c0e7ca75ccee3d8038ac1b31d (patch) | |
tree | 0e16dc7330a9b01f40370ac7e306225957c542f7 | |
parent | ef996871247bfa6a05578a1d33eb466d6f7c149f (diff) | |
download | enea-kernel-cache-881dab83a4597d7c0e7ca75ccee3d8038ac1b31d.tar.gz |
Cipso: CVE-2018-10938
Cipso: cipso_v4_optptr enter infinite loop
References: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=40413955ee265a5e42f710940ec78f5450d49149
Change-Id: I2ddd252e706cc611c1b62175c1bd6ea1874a7974
Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
-rw-r--r-- | patches/cve/4.9.x.scc | 3 | ||||
-rw-r--r-- | patches/cve/CVE-2018-10938-Cipso-cipso_v4_optptr-enter-infinite-loop.patch | 47 |
2 files changed, 50 insertions, 0 deletions
diff --git a/patches/cve/4.9.x.scc b/patches/cve/4.9.x.scc index a296f8e..eef4955 100644 --- a/patches/cve/4.9.x.scc +++ b/patches/cve/4.9.x.scc | |||
@@ -9,3 +9,6 @@ patch CVE-2018-15572-x86-speculation-Protect-against-userspace-userspace-.patch | |||
9 | 9 | ||
10 | #CVEs fixed in 4.9.121: | 10 | #CVEs fixed in 4.9.121: |
11 | patch CVE-2018-9363-Bluetooth-hidp-buffer-overflow-in-hidp_process_repor.patch | 11 | patch CVE-2018-9363-Bluetooth-hidp-buffer-overflow-in-hidp_process_repor.patch |
12 | |||
13 | #CVEs fixed in 4.9.125: | ||
14 | patch CVE-2018-10938-Cipso-cipso_v4_optptr-enter-infinite-loop.patch | ||
diff --git a/patches/cve/CVE-2018-10938-Cipso-cipso_v4_optptr-enter-infinite-loop.patch b/patches/cve/CVE-2018-10938-Cipso-cipso_v4_optptr-enter-infinite-loop.patch new file mode 100644 index 0000000..68a5d28 --- /dev/null +++ b/patches/cve/CVE-2018-10938-Cipso-cipso_v4_optptr-enter-infinite-loop.patch | |||
@@ -0,0 +1,47 @@ | |||
1 | From 40413955ee265a5e42f710940ec78f5450d49149 Mon Sep 17 00:00:00 2001 | ||
2 | From: "yujuan.qi" <yujuan.qi@mediatek.com> | ||
3 | Date: Mon, 31 Jul 2017 11:23:01 +0800 | ||
4 | Subject: [PATCH] Cipso: cipso_v4_optptr enter infinite loop | ||
5 | |||
6 | in for(),if((optlen > 0) && (optptr[1] == 0)), enter infinite loop. | ||
7 | |||
8 | Test: receive a packet which the ip length > 20 and the first byte of ip option is 0, produce this issue | ||
9 | |||
10 | CVE: CVE-2018-10938 | ||
11 | Upstream-Status: Backport | ||
12 | |||
13 | Signed-off-by: yujuan.qi <yujuan.qi@mediatek.com> | ||
14 | Acked-by: Paul Moore <paul@paul-moore.com> | ||
15 | Signed-off-by: David S. Miller <davem@davemloft.net> | ||
16 | Signed-off-by: Andreas Wellving <andreas.wellving@enea.com> | ||
17 | --- | ||
18 | net/ipv4/cipso_ipv4.c | 12 ++++++++++-- | ||
19 | 1 file changed, 10 insertions(+), 2 deletions(-) | ||
20 | |||
21 | diff --git a/net/ipv4/cipso_ipv4.c b/net/ipv4/cipso_ipv4.c | ||
22 | index c4c6e19..2ae8f54 100644 | ||
23 | --- a/net/ipv4/cipso_ipv4.c | ||
24 | +++ b/net/ipv4/cipso_ipv4.c | ||
25 | @@ -1523,9 +1523,17 @@ unsigned char *cipso_v4_optptr(const struct sk_buff *skb) | ||
26 | int taglen; | ||
27 | |||
28 | for (optlen = iph->ihl*4 - sizeof(struct iphdr); optlen > 0; ) { | ||
29 | - if (optptr[0] == IPOPT_CIPSO) | ||
30 | + switch (optptr[0]) { | ||
31 | + case IPOPT_CIPSO: | ||
32 | return optptr; | ||
33 | - taglen = optptr[1]; | ||
34 | + case IPOPT_END: | ||
35 | + return NULL; | ||
36 | + case IPOPT_NOOP: | ||
37 | + taglen = 1; | ||
38 | + break; | ||
39 | + default: | ||
40 | + taglen = optptr[1]; | ||
41 | + } | ||
42 | optlen -= taglen; | ||
43 | optptr += taglen; | ||
44 | } | ||
45 | -- | ||
46 | 2.7.4 | ||
47 | |||