net: CVE-2017-17712

net: ipv4: fix for a race condition in raw_sendmsg References: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.1.y&id=d61b40939ebdc84dad77dbc78c3e26ad9d2da68b Change-Id: I19651e5496e4eca18e96b6bd7a9d2b542e30ac91 Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
author: Andreas Wellving <andreas.wellving@enea.com> 2018-10-17 15:33:02 +0200
committer: Andreas Wellving <andreas.wellving@enea.com> 2018-10-25 13:26:24 +0200
commit: 10f6ab5aea81a94af751bbdbebbf49303d83879f (patch)
tree: 68ff29ff9f73f612e3b9fca5b3d2e4c8b3fac204
parent: 5c82e974204fec2340cd7d24a54a15118fe0f4f9 (diff)
download: enea-kernel-cache-10f6ab5aea81a94af751bbdbebbf49303d83879f.tar.gz
2 files changed, 82 insertions, 0 deletions
diff --git a/patches/cve/4.1.x.scc b/patches/cve/4.1.x.scc
index f0ed6a8..097fea5 100644
--- a/patches/cve/4.1.x.scc
+++ b/patches/cve/4.1.x.scc
@@ -38,3 +38,5 @@ patch CVE-2016-9793-net-avoid-signed-overflows-for-SO_-SND-RCV-BUFFORCE.patch
 #fixed in 4.1.51
 patch CVE-2018-1068-netfilter-ebtables-CONFIG_COMPAT-don-t-trust-userlan.patch
+#fixed in 4.1.52
+patch CVE-2017-17712-net-ipv4-fix-for-a-race-condition-in-raw_sendmsg.patch
diff --git a/patches/cve/CVE-2017-17712-net-ipv4-fix-for-a-race-condition-in-raw_sendmsg.patch b/patches/cve/CVE-2017-17712-net-ipv4-fix-for-a-race-condition-in-raw_sendmsg.patch
new file mode 100644
index 0000000..fa13430
--- /dev/null
+++ b/patches/cve/CVE-2017-17712-net-ipv4-fix-for-a-race-condition-in-raw_sendmsg.patch
@@ -0,0 +1,80 @@
+From d61b40939ebdc84dad77dbc78c3e26ad9d2da68b Mon Sep 17 00:00:00 2001
+From: Mohamed Ghannam <simo.ghannam@gmail.com>
+Date: Sun, 10 Dec 2017 03:50:58 +0000
+Subject: [PATCH] net: ipv4: fix for a race condition in raw_sendmsg
+[ Upstream commit 8f659a03a0ba9289b9aeb9b4470e6fb263d6f483 ]
+inet->hdrincl is racy, and could lead to uninitialized stack pointer
+usage, so its value should be read only once.
+Fixes: c008ba5bdc9f ("ipv4: Avoid reading user iov twice after raw_probe_proto_opt")
+CVE: CVE-2017-17712  
+Upstream-Status: Backport  
+Signed-off-by: Mohamed Ghannam <simo.ghannam@gmail.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
+---
+ net/ipv4/raw.c | 15 ++++++++++-----
+ 1 file changed, 10 insertions(+), 5 deletions(-)
+diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c
+index 9a2294d..acf09ab 100644
+--- a/net/ipv4/raw.c
+++ b/net/ipv4/raw.c
+@@ -496,11 +496,16 @@ static int raw_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
+        int err;
+        struct ip_options_data opt_copy;
+        struct raw_frag_vec rfv;
+       int hdrincl;
+ 
+        err = -EMSGSIZE;
+        if (len > 0xFFFF)
+                goto out;
+ 
+       /* hdrincl should be READ_ONCE(inet->hdrincl)
+        * but READ_ONCE() doesn't work with bit fields
+        */
+       hdrincl = inet->hdrincl;
+        /*
+         *      Check the flags.
+         */
+@@ -575,7 +580,7 @@ static int raw_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
+                /* Linux does not mangle headers on raw sockets,
+                 * so that IP options + IP_HDRINCL is non-sense.
+                 */
+-               if (inet->hdrincl)
+               if (hdrincl)
+                        goto done;
+                if (ipc.opt->opt.srr) {
+                        if (!daddr)
+@@ -597,12 +602,12 @@ static int raw_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
+ 
+        flowi4_init_output(&fl4, ipc.oif, sk->sk_mark, tos,
+                           RT_SCOPE_UNIVERSE,
+-                          inet->hdrincl ? IPPROTO_RAW : sk->sk_protocol,
+                          hdrincl ? IPPROTO_RAW : sk->sk_protocol,
+                           inet_sk_flowi_flags(sk) |
+-                           (inet->hdrincl ? FLOWI_FLAG_KNOWN_NH : 0),
+                           (hdrincl ? FLOWI_FLAG_KNOWN_NH : 0),
+                           daddr, saddr, 0, 0);
+ 
+-       if (!inet->hdrincl) {
+       if (!hdrincl) {
+                rfv.msg = msg;
+                rfv.hlen = 0;
+ 
+@@ -627,7 +632,7 @@ static int raw_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
+                goto do_confirm;
+ back_from_confirm:
+ 
+-       if (inet->hdrincl)
+       if (hdrincl)
+                err = raw_send_hdrinc(sk, &fl4, msg, len,
+                                      &rt, msg->msg_flags);
+ 
+--
author	Andreas Wellving <andreas.wellving@enea.com>	2018-10-17 15:33:02 +0200
committer	Andreas Wellving <andreas.wellving@enea.com>	2018-10-25 13:26:24 +0200
commit	10f6ab5aea81a94af751bbdbebbf49303d83879f (patch)
tree	68ff29ff9f73f612e3b9fca5b3d2e4c8b3fac204
parent	5c82e974204fec2340cd7d24a54a15118fe0f4f9 (diff)
download	enea-kernel-cache-10f6ab5aea81a94af751bbdbebbf49303d83879f.tar.gz

diff --git a/patches/cve/4.1.x.scc b/patches/cve/4.1.x.scc index f0ed6a8..097fea5 100644 --- a/patches/cve/4.1.x.scc +++ b/patches/cve/4.1.x.scc
@@ -38,3 +38,5 @@ patch CVE-2016-9793-net-avoid-signed-overflows-for-SO_-SND-RCV-BUFFORCE.patch
38	#fixed in 4.1.51	38	#fixed in 4.1.51
39	patch CVE-2018-1068-netfilter-ebtables-CONFIG_COMPAT-don-t-trust-userlan.patch	39	patch CVE-2018-1068-netfilter-ebtables-CONFIG_COMPAT-don-t-trust-userlan.patch
40		40
		41	#fixed in 4.1.52
		42	patch CVE-2017-17712-net-ipv4-fix-for-a-race-condition-in-raw_sendmsg.patch


diff --git a/patches/cve/CVE-2017-17712-net-ipv4-fix-for-a-race-condition-in-raw_sendmsg.patch b/patches/cve/CVE-2017-17712-net-ipv4-fix-for-a-race-condition-in-raw_sendmsg.patch new file mode 100644 index 0000000..fa13430 --- /dev/null +++ b/patches/cve/CVE-2017-17712-net-ipv4-fix-for-a-race-condition-in-raw_sendmsg.patch
@@ -0,0 +1,80 @@
		1	From d61b40939ebdc84dad77dbc78c3e26ad9d2da68b Mon Sep 17 00:00:00 2001
		2	From: Mohamed Ghannam <simo.ghannam@gmail.com>
		3	Date: Sun, 10 Dec 2017 03:50:58 +0000
		4	Subject: [PATCH] net: ipv4: fix for a race condition in raw_sendmsg
		5
		6	[ Upstream commit 8f659a03a0ba9289b9aeb9b4470e6fb263d6f483 ]
		7
		8	inet->hdrincl is racy, and could lead to uninitialized stack pointer
		9	usage, so its value should be read only once.
		10
		11	Fixes: c008ba5bdc9f ("ipv4: Avoid reading user iov twice after raw_probe_proto_opt")
		12
		13	CVE: CVE-2017-17712
		14	Upstream-Status: Backport
		15
		16	Signed-off-by: Mohamed Ghannam <simo.ghannam@gmail.com>
		17	Reviewed-by: Eric Dumazet <edumazet@google.com>
		18	Signed-off-by: David S. Miller <davem@davemloft.net>
		19	Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
		20	Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
		21	---
		22	net/ipv4/raw.c \| 15 ++++++++++-----
		23	1 file changed, 10 insertions(+), 5 deletions(-)
		24
		25	diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c
		26	index 9a2294d..acf09ab 100644
		27	--- a/net/ipv4/raw.c
		28	+++ b/net/ipv4/raw.c
		29	@@ -496,11 +496,16 @@ static int raw_sendmsg(struct sock sk, struct msghdr msg, size_t len)
		30	int err;
		31	struct ip_options_data opt_copy;
		32	struct raw_frag_vec rfv;
		33	+ int hdrincl;
		34
		35	err = -EMSGSIZE;
		36	if (len > 0xFFFF)
		37	goto out;
		38
		39	+ /* hdrincl should be READ_ONCE(inet->hdrincl)
		40	+ * but READ_ONCE() doesn't work with bit fields
		41	+ */
		42	+ hdrincl = inet->hdrincl;
		43	/*
		44	* Check the flags.
		45	*/
		46	@@ -575,7 +580,7 @@ static int raw_sendmsg(struct sock sk, struct msghdr msg, size_t len)
		47	/* Linux does not mangle headers on raw sockets,
		48	* so that IP options + IP_HDRINCL is non-sense.
		49	*/
		50	- if (inet->hdrincl)
		51	+ if (hdrincl)
		52	goto done;
		53	if (ipc.opt->opt.srr) {
		54	if (!daddr)
		55	@@ -597,12 +602,12 @@ static int raw_sendmsg(struct sock sk, struct msghdr msg, size_t len)
		56
		57	flowi4_init_output(&fl4, ipc.oif, sk->sk_mark, tos,
		58	RT_SCOPE_UNIVERSE,
		59	- inet->hdrincl ? IPPROTO_RAW : sk->sk_protocol,
		60	+ hdrincl ? IPPROTO_RAW : sk->sk_protocol,
		61	inet_sk_flowi_flags(sk) \|
		62	- (inet->hdrincl ? FLOWI_FLAG_KNOWN_NH : 0),
		63	+ (hdrincl ? FLOWI_FLAG_KNOWN_NH : 0),
		64	daddr, saddr, 0, 0);
		65
		66	- if (!inet->hdrincl) {
		67	+ if (!hdrincl) {
		68	rfv.msg = msg;
		69	rfv.hlen = 0;
		70
		71	@@ -627,7 +632,7 @@ static int raw_sendmsg(struct sock sk, struct msghdr msg, size_t len)
		72	goto do_confirm;
		73	back_from_confirm:
		74
		75	- if (inet->hdrincl)
		76	+ if (hdrincl)
		77	err = raw_send_hdrinc(sk, &fl4, msg, len,
		78	&rt, msg->msg_flags);
		79
		80	--