author | Andreas Wellving <andreas.wellving@enea.com> | 2018-10-17 14:09:42 +0200 |
---|---|---|
committer | Andreas Wellving <andreas.wellving@enea.com> | 2018-10-17 14:09:42 +0200 |
commit | 603c99ecf5d16918c4062b273aa269d8ccdd6145 (patch) | |
tree | 2b3a69566ebddbbffee588a57caaa82fb474762a | |
parent | 0368c4076f4017571a5e8a617763859a84277427 (diff) | |
net: CVE-2016-8399
net: ping: check minimum size on ICMP header length
References:
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.1.y&id=efcf38bd40200212ef3de3d38e11c42958f8afaa
Change-Id: Ib7b313065ab829ae90eef2635ad923224e525245
Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
-rw-r--r-- | patches/cve/4.1.x.scc | 1 | ||||
-rw-r--r-- | patches/cve/CVE-2016-8399-net-ping-check-minimum-size-on-ICMP-header-length.patch | 77 |
2 files changed, 78 insertions, 0 deletions
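--- a/patches/cve/4.1.x.scc
+++ b/patches/cve/4.1.x.scc
@@ -1,2 +1,3 @@
 #fixed in 4.1.37
 patch CVE-2016-7039-net-add-recursion-limit-to-GRO.patch
+patch CVE-2016-8399-net-ping-check-minimum-size-on-ICMP-header-length.patch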
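Review bot: The new `patch CVE-2016-8399-...` line lands under the existing `#fixed in 4.1.37` comment, so the file now asserts that this stable backport (efcf38bd, per the commit message) shipped in the same 4.1.y point release as the GRO fix, which nothing in this commit confirms. If the two fixes landed in different 4.1.y releases, give the new entry its own header such as `#fixed in 4.1.NN (stable commit efcf38bd)`; if they did land together, a short note in the commit message saying so would make the grouping auditable. Getting this wrong presumably affects when the patch is dropped on a kernel bump, so it is worth one line of bookkeeping.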
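--- /dev/null
+++ b/patches/cve/CVE-2016-8399-net-ping-check-minimum-size-on-ICMP-header-length.patch
@@ -0,0 +1,77 @@
+From efcf38bd40200212ef3de3d38e11c42958f8afaa Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook@chromium.org>
+Date: Wed, 14 Dec 2016 13:24:57 +0100
+Subject: [PATCH] net: ping: check minimum size on ICMP header length
+
+[ Upstream commit 0eab121ef8750a5c8637d51534d5e9143fb0633f ]
+
+Prior to commit c0371da6047a ("put iov_iter into msghdr") in v3.19, there
+was no check that the iovec contained enough bytes for an ICMP header,
+and the read loop would walk across neighboring stack contents. Since the
+iov_iter conversion, bad arguments are noticed, but the returned error is
+EFAULT. Returning EINVAL is a clearer error and also solves the problem
+prior to v3.19.
+
+This was found using trinity with KASAN on v3.18:
+
+BUG: KASAN: stack-out-of-bounds in memcpy_fromiovec+0x60/0x114 at addr ffffffc071077da0
+Read of size 8 by task trinity-c2/9623
+page:ffffffbe034b9a08 count:0 mapcount:0 mapping: (null) index:0x0
+flags: 0x0()
+page dumped because: kasan: bad access detected
+CPU: 0 PID: 9623 Comm: trinity-c2 Tainted: G BU 3.18.0-dirty #15
+Hardware name: Google Tegra210 Smaug Rev 1,3+ (DT)
+Call trace:
+[<ffffffc000209c98>] dump_backtrace+0x0/0x1ac arch/arm64/kernel/traps.c:90
+[<ffffffc000209e54>] show_stack+0x10/0x1c arch/arm64/kernel/traps.c:171
+[< inline >] __dump_stack lib/dump_stack.c:15
+[<ffffffc000f18dc4>] dump_stack+0x7c/0xd0 lib/dump_stack.c:50
+[< inline >] print_address_description mm/kasan/report.c:147
+[< inline >] kasan_report_error mm/kasan/report.c:236
+[<ffffffc000373dcc>] kasan_report+0x380/0x4b8 mm/kasan/report.c:259
+[< inline >] check_memory_region mm/kasan/kasan.c:264
+[<ffffffc00037352c>] __asan_load8+0x20/0x70 mm/kasan/kasan.c:507
+[<ffffffc0005b9624>] memcpy_fromiovec+0x5c/0x114 lib/iovec.c:15
+[< inline >] memcpy_from_msg include/linux/skbuff.h:2667
+[<ffffffc000ddeba0>] ping_common_sendmsg+0x50/0x108 net/ipv4/ping.c:674
+[<ffffffc000dded30>] ping_v4_sendmsg+0xd8/0x698 net/ipv4/ping.c:714
+[<ffffffc000dc91dc>] inet_sendmsg+0xe0/0x12c net/ipv4/af_inet.c:749
+[< inline >] __sock_sendmsg_nosec net/socket.c:624
+[< inline >] __sock_sendmsg net/socket.c:632
+[<ffffffc000cab61c>] sock_sendmsg+0x124/0x164 net/socket.c:643
+[< inline >] SYSC_sendto net/socket.c:1797
+[<ffffffc000cad270>] SyS_sendto+0x178/0x1d8 net/socket.c:1761
+
+CVE-2016-8399
+Upstream-Status: Backport
+
+Reported-by: Qidan He <i@flanker017.me>
+Fixes: c319b4d76b9e ("net: ipv4: add IPPROTO_ICMP socket kind")
+Cc: stable@vger.kernel.org
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Philipp Hahn <hahn@univention.de>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
+---
+net/ipv4/ping.c | 4 ++++
+1 file changed, 4 insertions(+)
+
+diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c
+index f6ee0d5..3dac3d4 100644
+--- a/net/ipv4/ping.c
++++ b/net/ipv4/ping.c
+@@ -659,6 +659,10 @@ int ping_common_sendmsg(int family, struct msghdr *msg, size_t len,
+if (len > 0xFFFF)
+return -EMSGSIZE;
+
++ /* Must have at least a full ICMP header. */
++ if (len < icmph_len)
++ return -EINVAL;
++
+/*
+* Check the flags.
+*/
+--
+
+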
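Review bot: The added `if (len < icmph_len) return -EINVAL;` guard is only a defense-in-depth change on the 4.1.y target, because the upstream message itself states that since the v3.19 iov_iter conversion a short iovec is already caught and returned as -EFAULT; on 4.1 the backport therefore changes the error code and blocks the over-read pre-emptively rather than closing a live stack disclosure, and the top-level commit message should say so to keep CVE triage honest, e.g. `Note: on 4.1.y memcpy_from_msg already rejects short iovecs with -EFAULT; this backport returns -EINVAL earlier and hardens the path.` The check protects the `memcpy_from_msg(user_icmph, msg, icmph_len)` that the KASAN trace places at ping.c:674, which is outside the visible hunk, as is the rest of `ping_common_sendmsg` and the `icmph_len` parameter in its signature; it is worth confirming that both the IPv4 and IPv6 callers in the 4.1 tree pass the family's ICMP header size as `icmph_len`, since a caller passing 0 would make the new check a no-op. The Yocto-style `CVE-2016-8399` and `Upstream-Status: Backport` lines are placed inside the upstream body rather than after the trailers, which is presumably the house convention but is worth a glance for consistency with the other patches in this directory.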