net: CVE-2016-8399

net: ping: check minimum size on ICMP header length References: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.1.y&id=efcf38bd40200212ef3de3d38e11c42958f8afaa Change-Id: Ib7b313065ab829ae90eef2635ad923224e525245 Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
author: Andreas Wellving <andreas.wellving@enea.com> 2018-10-17 14:09:42 +0200
committer: Andreas Wellving <andreas.wellving@enea.com> 2018-10-17 14:09:42 +0200
commit: 603c99ecf5d16918c4062b273aa269d8ccdd6145 (patch)
tree: 2b3a69566ebddbbffee588a57caaa82fb474762a
parent: 0368c4076f4017571a5e8a617763859a84277427 (diff)
download: enea-kernel-cache-603c99ecf5d16918c4062b273aa269d8ccdd6145.tar.gz
2 files changed, 78 insertions, 0 deletions
diff --git a/patches/cve/4.1.x.scc b/patches/cve/4.1.x.scc
index 613c8d9..26b7fd8 100644
--- a/patches/cve/4.1.x.scc
+++ b/patches/cve/4.1.x.scc
@@ -1,2 +1,3 @@
 #fixed in 4.1.37
 patch CVE-2016-7039-net-add-recursion-limit-to-GRO.patch
+patch CVE-2016-8399-net-ping-check-minimum-size-on-ICMP-header-length.patch
diff --git a/patches/cve/CVE-2016-8399-net-ping-check-minimum-size-on-ICMP-header-length.patch b/patches/cve/CVE-2016-8399-net-ping-check-minimum-size-on-ICMP-header-length.patch
new file mode 100644
index 0000000..bb3fd96
--- /dev/null
+++ b/patches/cve/CVE-2016-8399-net-ping-check-minimum-size-on-ICMP-header-length.patch
@@ -0,0 +1,77 @@
+From efcf38bd40200212ef3de3d38e11c42958f8afaa Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook@chromium.org>
+Date: Wed, 14 Dec 2016 13:24:57 +0100
+Subject: [PATCH] net: ping: check minimum size on ICMP header length
+[ Upstream commit 0eab121ef8750a5c8637d51534d5e9143fb0633f ]
+Prior to commit c0371da6047a ("put iov_iter into msghdr") in v3.19, there
+was no check that the iovec contained enough bytes for an ICMP header,
+and the read loop would walk across neighboring stack contents. Since the
+iov_iter conversion, bad arguments are noticed, but the returned error is
+EFAULT. Returning EINVAL is a clearer error and also solves the problem
+prior to v3.19.
+This was found using trinity with KASAN on v3.18:
+BUG: KASAN: stack-out-of-bounds in memcpy_fromiovec+0x60/0x114 at addr ffffffc071077da0
+Read of size 8 by task trinity-c2/9623
+page:ffffffbe034b9a08 count:0 mapcount:0 mapping:          (null) index:0x0
+flags: 0x0()
+page dumped because: kasan: bad access detected
+CPU: 0 PID: 9623 Comm: trinity-c2 Tainted: G    BU         3.18.0-dirty #15
+Hardware name: Google Tegra210 Smaug Rev 1,3+ (DT)
+Call trace:
+[<ffffffc000209c98>] dump_backtrace+0x0/0x1ac arch/arm64/kernel/traps.c:90
+[<ffffffc000209e54>] show_stack+0x10/0x1c arch/arm64/kernel/traps.c:171
+[<     inline     >] __dump_stack lib/dump_stack.c:15
+[<ffffffc000f18dc4>] dump_stack+0x7c/0xd0 lib/dump_stack.c:50
+[<     inline     >] print_address_description mm/kasan/report.c:147
+[<     inline     >] kasan_report_error mm/kasan/report.c:236
+[<ffffffc000373dcc>] kasan_report+0x380/0x4b8 mm/kasan/report.c:259
+[<     inline     >] check_memory_region mm/kasan/kasan.c:264
+[<ffffffc00037352c>] __asan_load8+0x20/0x70 mm/kasan/kasan.c:507
+[<ffffffc0005b9624>] memcpy_fromiovec+0x5c/0x114 lib/iovec.c:15
+[<     inline     >] memcpy_from_msg include/linux/skbuff.h:2667
+[<ffffffc000ddeba0>] ping_common_sendmsg+0x50/0x108 net/ipv4/ping.c:674
+[<ffffffc000dded30>] ping_v4_sendmsg+0xd8/0x698 net/ipv4/ping.c:714
+[<ffffffc000dc91dc>] inet_sendmsg+0xe0/0x12c net/ipv4/af_inet.c:749
+[<     inline     >] __sock_sendmsg_nosec net/socket.c:624
+[<     inline     >] __sock_sendmsg net/socket.c:632
+[<ffffffc000cab61c>] sock_sendmsg+0x124/0x164 net/socket.c:643
+[<     inline     >] SYSC_sendto net/socket.c:1797
+[<ffffffc000cad270>] SyS_sendto+0x178/0x1d8 net/socket.c:1761
+CVE-2016-8399
+Upstream-Status: Backport
+Reported-by: Qidan He <i@flanker017.me>
+Fixes: c319b4d76b9e ("net: ipv4: add IPPROTO_ICMP socket kind")
+Cc: stable@vger.kernel.org
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Philipp Hahn <hahn@univention.de>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
+---
+ net/ipv4/ping.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c
+index f6ee0d5..3dac3d4 100644
+--- a/net/ipv4/ping.c
+++ b/net/ipv4/ping.c
+@@ -659,6 +659,10 @@ int ping_common_sendmsg(int family, struct msghdr *msg, size_t len,
+        if (len > 0xFFFF)
+                return -EMSGSIZE;
+ 
+       /* Must have at least a full ICMP header. */
+       if (len < icmph_len)
+               return -EINVAL;
+
+        /*
+         *      Check the flags.
+         */
+--
author	Andreas Wellving <andreas.wellving@enea.com>	2018-10-17 14:09:42 +0200
committer	Andreas Wellving <andreas.wellving@enea.com>	2018-10-17 14:09:42 +0200
commit	603c99ecf5d16918c4062b273aa269d8ccdd6145 (patch)
tree	2b3a69566ebddbbffee588a57caaa82fb474762a
parent	0368c4076f4017571a5e8a617763859a84277427 (diff)
download	enea-kernel-cache-603c99ecf5d16918c4062b273aa269d8ccdd6145.tar.gz

diff --git a/patches/cve/4.1.x.scc b/patches/cve/4.1.x.scc index 613c8d9..26b7fd8 100644 --- a/patches/cve/4.1.x.scc +++ b/patches/cve/4.1.x.scc
@@ -1,2 +1,3 @@
1	#fixed in 4.1.37	1	#fixed in 4.1.37
2	patch CVE-2016-7039-net-add-recursion-limit-to-GRO.patch	2	patch CVE-2016-7039-net-add-recursion-limit-to-GRO.patch
		3	patch CVE-2016-8399-net-ping-check-minimum-size-on-ICMP-header-length.patch


diff --git a/patches/cve/CVE-2016-8399-net-ping-check-minimum-size-on-ICMP-header-length.patch b/patches/cve/CVE-2016-8399-net-ping-check-minimum-size-on-ICMP-header-length.patch new file mode 100644 index 0000000..bb3fd96 --- /dev/null +++ b/patches/cve/CVE-2016-8399-net-ping-check-minimum-size-on-ICMP-header-length.patch
@@ -0,0 +1,77 @@
		1	From efcf38bd40200212ef3de3d38e11c42958f8afaa Mon Sep 17 00:00:00 2001
		2	From: Kees Cook <keescook@chromium.org>
		3	Date: Wed, 14 Dec 2016 13:24:57 +0100
		4	Subject: [PATCH] net: ping: check minimum size on ICMP header length
		5
		6	[ Upstream commit 0eab121ef8750a5c8637d51534d5e9143fb0633f ]
		7
		8	Prior to commit c0371da6047a ("put iov_iter into msghdr") in v3.19, there
		9	was no check that the iovec contained enough bytes for an ICMP header,
		10	and the read loop would walk across neighboring stack contents. Since the
		11	iov_iter conversion, bad arguments are noticed, but the returned error is
		12	EFAULT. Returning EINVAL is a clearer error and also solves the problem
		13	prior to v3.19.
		14
		15	This was found using trinity with KASAN on v3.18:
		16
		17	BUG: KASAN: stack-out-of-bounds in memcpy_fromiovec+0x60/0x114 at addr ffffffc071077da0
		18	Read of size 8 by task trinity-c2/9623
		19	page:ffffffbe034b9a08 count:0 mapcount:0 mapping: (null) index:0x0
		20	flags: 0x0()
		21	page dumped because: kasan: bad access detected
		22	CPU: 0 PID: 9623 Comm: trinity-c2 Tainted: G BU 3.18.0-dirty #15
		23	Hardware name: Google Tegra210 Smaug Rev 1,3+ (DT)
		24	Call trace:
		25	[<ffffffc000209c98>] dump_backtrace+0x0/0x1ac arch/arm64/kernel/traps.c:90
		26	[<ffffffc000209e54>] show_stack+0x10/0x1c arch/arm64/kernel/traps.c:171
		27	[< inline >] __dump_stack lib/dump_stack.c:15
		28	[<ffffffc000f18dc4>] dump_stack+0x7c/0xd0 lib/dump_stack.c:50
		29	[< inline >] print_address_description mm/kasan/report.c:147
		30	[< inline >] kasan_report_error mm/kasan/report.c:236
		31	[<ffffffc000373dcc>] kasan_report+0x380/0x4b8 mm/kasan/report.c:259
		32	[< inline >] check_memory_region mm/kasan/kasan.c:264
		33	[<ffffffc00037352c>] __asan_load8+0x20/0x70 mm/kasan/kasan.c:507
		34	[<ffffffc0005b9624>] memcpy_fromiovec+0x5c/0x114 lib/iovec.c:15
		35	[< inline >] memcpy_from_msg include/linux/skbuff.h:2667
		36	[<ffffffc000ddeba0>] ping_common_sendmsg+0x50/0x108 net/ipv4/ping.c:674
		37	[<ffffffc000dded30>] ping_v4_sendmsg+0xd8/0x698 net/ipv4/ping.c:714
		38	[<ffffffc000dc91dc>] inet_sendmsg+0xe0/0x12c net/ipv4/af_inet.c:749
		39	[< inline >] __sock_sendmsg_nosec net/socket.c:624
		40	[< inline >] __sock_sendmsg net/socket.c:632
		41	[<ffffffc000cab61c>] sock_sendmsg+0x124/0x164 net/socket.c:643
		42	[< inline >] SYSC_sendto net/socket.c:1797
		43	[<ffffffc000cad270>] SyS_sendto+0x178/0x1d8 net/socket.c:1761
		44
		45	CVE-2016-8399
		46	Upstream-Status: Backport
		47
		48	Reported-by: Qidan He <i@flanker017.me>
		49	Fixes: c319b4d76b9e ("net: ipv4: add IPPROTO_ICMP socket kind")
		50	Cc: stable@vger.kernel.org
		51	Signed-off-by: Kees Cook <keescook@chromium.org>
		52	Signed-off-by: David S. Miller <davem@davemloft.net>
		53	Signed-off-by: Philipp Hahn <hahn@univention.de>
		54	Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
		55	Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
		56	---
		57	net/ipv4/ping.c \| 4 ++++
		58	1 file changed, 4 insertions(+)
		59
		60	diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c
		61	index f6ee0d5..3dac3d4 100644
		62	--- a/net/ipv4/ping.c
		63	+++ b/net/ipv4/ping.c
		64	@@ -659,6 +659,10 @@ int ping_common_sendmsg(int family, struct msghdr *msg, size_t len,
		65	if (len > 0xFFFF)
		66	return -EMSGSIZE;
		67
		68	+ /* Must have at least a full ICMP header. */
		69	+ if (len < icmph_len)
		70	+ return -EINVAL;
		71	+
		72	/*
		73	* Check the flags.
		74	*/
		75	--
		76
		77