author | Andreas Wellving <andreas.wellving@enea.com> | 2018-10-17 15:23:04 +0200 |
committer | Andreas Wellving <andreas.wellving@enea.com> | 2018-10-25 13:23:40 +0200 |
commit | 681524e0001dcc066fc226897c85cc4c7998ac7c (patch) | |
tree | c99d93290196046478efc8570fd26275b1276129 | |
parent | 24c62aba579409ee500ff06e92b6f6a66add2e21 (diff) | |
xfrm_user: CVE-2017-7184
xfrm_user: validate XFRM_MSG_NEWAE incoming ESN size harder
References:
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.1.y&id=171a957989c4f398adb41078dbfff73b0821e383
Change-Id: Ia97c243997ed679d6f6619a165064c6a2ebab932
Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
-rw-r--r-- | patches/cve/4.1.x.scc | 1 | ||||
-rw-r--r-- | patches/cve/CVE-2017-7184-xfrm_user-validate-XFRM_MSG_NEWAE-incoming-ESN-size-.patch | 43 |
2 files changed, 44 insertions, 0 deletions
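--- a/patches/cve/4.1.x.scc
+++ b/patches/cve/4.1.x.scc
@@ -29,4 +29,5 @@ patch CVE-2018-10675-mm-mempolicy-fix-use-after-free-when-calling-get_mem.patch
 patch CVE-2017-17805-crypto-salsa20-fix-blkcipher_walk-API-usage.patch
 patch CVE-2017-17806-crypto-hmac-require-that-the-underlying-hash-algorit.patch
 patch CVE-2017-6346-packet-fix-races-in-fanout_add.patch
+patch CVE-2017-7184-xfrm_user-validate-XFRM_MSG_NEWAE-incoming-ESN-size-.patch
 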
diff --git a/patches/cve/CVE-2017-7184-xfrm_user-validate-XFRM_MSG_NEWAE-incoming-ESN-size-.patch b/patches/cve/CVE-2017-7184-xfrm_user-validate-XFRM_MSG_NEWAE-incoming-ESN-size-.patch new file mode 100644 index 0000000..5961896 --- /dev/null +++ b/patches/cve/CVE-2017-7184-xfrm_user-validate-XFRM_MSG_NEWAE-incoming-ESN-size-.patch | |||
@@ -0,0 +1,43 @@ | |||
1 | From 171a957989c4f398adb41078dbfff73b0821e383 Mon Sep 17 00:00:00 2001 | ||
2 | From: Andy Whitcroft <apw@canonical.com> | ||
3 | Date: Thu, 23 Mar 2017 07:45:44 +0000 | ||
4 | Subject: [PATCH] xfrm_user: validate XFRM_MSG_NEWAE incoming ESN size harder | ||
5 | |||
6 | [ Upstream commit f843ee6dd019bcece3e74e76ad9df0155655d0df ] | ||
7 | |||
8 | Kees Cook has pointed out that xfrm_replay_state_esn_len() is subject to | ||
9 | wrapping issues. To ensure we are correctly ensuring that the two ESN | ||
10 | structures are the same size compare both the overall size as reported | ||
11 | by xfrm_replay_state_esn_len() and the internal length are the same. | ||
12 | |||
13 | CVE-2017-7184 | ||
14 | Upstream-Status: Backport | ||
15 | |||
16 | Signed-off-by: Andy Whitcroft <apw@canonical.com> | ||
17 | Acked-by: Steffen Klassert <steffen.klassert@secunet.com> | ||
18 | Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> | ||
19 | |||
20 | Signed-off-by: Sasha Levin <alexander.levin@microsoft.com> | ||
21 | Signed-off-by: Andreas Wellving <andreas.wellving@enea.com> | ||
22 | --- | ||
23 | net/xfrm/xfrm_user.c | 6 +++++- | ||
24 | 1 file changed, 5 insertions(+), 1 deletion(-) | ||
25 | |||
26 | diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c | ||
27 | index 177cb17..30593ca 100644 | ||
28 | --- a/net/xfrm/xfrm_user.c | ||
29 | +++ b/net/xfrm/xfrm_user.c | ||
30 | @@ -386,7 +386,11 @@ static inline int xfrm_replay_verify_len(struct xfrm_replay_state_esn *replay_es | ||
31 | up = nla_data(rp); | ||
32 | ulen = xfrm_replay_state_esn_len(up); | ||
33 | |||
34 | - if (nla_len(rp) < ulen || xfrm_replay_state_esn_len(replay_esn) != ulen) | ||
35 | + /* Check the overall length and the internal bitmap length to avoid | ||
36 | + * potential overflow. */ | ||
37 | + if (nla_len(rp) < ulen || | ||
38 | + xfrm_replay_state_esn_len(replay_esn) != ulen || | ||
39 | + replay_esn->bmp_len != up->bmp_len) | ||
40 | return -EINVAL; | ||
41 | |||
42 | if (up->replay_window > up->bmp_len * sizeof(__u32) * 8) | ||
43 | -- | ||
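Review bot: The backported hunk covers only one of the two upstream commits that together address CVE-2017-7184, and nothing in the commit message or the new .scc entry says why the second is not needed; the unchanged context line `if (up->replay_window > up->bmp_len * sizeof(__u32) * 8)` at the end of the hunk shows that the companion replay_window bound is already present in the 4.1.y tree, which is the reason this patch alone completes the fix. Recording that in the commit message, or as a short remark next to the new entry in patches/cve/4.1.x.scc, would spare the next reviewer from re-deriving it. The new condition also reads `up->bmp_len` from the attribute payload, and the minimum-length guarantee that makes this read safe is established outside the hunk (presumably by the netlink attribute policy for XFRMA_REPLAY_ESN_VAL) and is worth confirming in the target tree when applying the backport. The body of xfrm_replay_verify_len begins before and ends after this hunk.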