xfrm_user: CVE-2017-7184

xfrm_user: validate XFRM_MSG_NEWAE incoming ESN size harder References: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.1.y&id=171a957989c4f398adb41078dbfff73b0821e383 Change-Id: Ia97c243997ed679d6f6619a165064c6a2ebab932 Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
author: Andreas Wellving <andreas.wellving@enea.com> 2018-10-17 15:23:04 +0200
committer: Andreas Wellving <andreas.wellving@enea.com> 2018-10-25 13:23:40 +0200
commit: 681524e0001dcc066fc226897c85cc4c7998ac7c (patch)
tree: c99d93290196046478efc8570fd26275b1276129
parent: 24c62aba579409ee500ff06e92b6f6a66add2e21 (diff)
download: enea-kernel-cache-681524e0001dcc066fc226897c85cc4c7998ac7c.tar.gz
2 files changed, 44 insertions, 0 deletions
diff --git a/patches/cve/4.1.x.scc b/patches/cve/4.1.x.scc
index b381b25..8b5a52f 100644
--- a/patches/cve/4.1.x.scc
+++ b/patches/cve/4.1.x.scc
@@ -29,4 +29,5 @@ patch CVE-2018-10675-mm-mempolicy-fix-use-after-free-when-calling-get_mem.patch
 patch CVE-2017-17805-crypto-salsa20-fix-blkcipher_walk-API-usage.patch
 patch CVE-2017-17806-crypto-hmac-require-that-the-underlying-hash-algorit.patch
 patch CVE-2017-6346-packet-fix-races-in-fanout_add.patch
+patch CVE-2017-7184-xfrm_user-validate-XFRM_MSG_NEWAE-incoming-ESN-size-.patch
diff --git a/patches/cve/CVE-2017-7184-xfrm_user-validate-XFRM_MSG_NEWAE-incoming-ESN-size-.patch b/patches/cve/CVE-2017-7184-xfrm_user-validate-XFRM_MSG_NEWAE-incoming-ESN-size-.patch
new file mode 100644
index 0000000..5961896
--- /dev/null
+++ b/patches/cve/CVE-2017-7184-xfrm_user-validate-XFRM_MSG_NEWAE-incoming-ESN-size-.patch
@@ -0,0 +1,43 @@
+From 171a957989c4f398adb41078dbfff73b0821e383 Mon Sep 17 00:00:00 2001
+From: Andy Whitcroft <apw@canonical.com>
+Date: Thu, 23 Mar 2017 07:45:44 +0000
+Subject: [PATCH] xfrm_user: validate XFRM_MSG_NEWAE incoming ESN size harder
+[ Upstream commit f843ee6dd019bcece3e74e76ad9df0155655d0df ]
+Kees Cook has pointed out that xfrm_replay_state_esn_len() is subject to
+wrapping issues.  To ensure we are correctly ensuring that the two ESN
+structures are the same size compare both the overall size as reported
+by xfrm_replay_state_esn_len() and the internal length are the same.
+CVE-2017-7184   
+Upstream-Status: Backport  
+Signed-off-by: Andy Whitcroft <apw@canonical.com>
+Acked-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
+---
+ net/xfrm/xfrm_user.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
+index 177cb17..30593ca 100644
+--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
+@@ -386,7 +386,11 @@ static inline int xfrm_replay_verify_len(struct xfrm_replay_state_esn *replay_es
+        up = nla_data(rp);
+        ulen = xfrm_replay_state_esn_len(up);
+ 
+-       if (nla_len(rp) < ulen || xfrm_replay_state_esn_len(replay_esn) != ulen)
+       /* Check the overall length and the internal bitmap length to avoid
+        * potential overflow. */
+       if (nla_len(rp) < ulen ||
+           xfrm_replay_state_esn_len(replay_esn) != ulen ||
+           replay_esn->bmp_len != up->bmp_len)
+                return -EINVAL;
+ 
+        if (up->replay_window > up->bmp_len * sizeof(__u32) * 8)
+--
author	Andreas Wellving <andreas.wellving@enea.com>	2018-10-17 15:23:04 +0200
committer	Andreas Wellving <andreas.wellving@enea.com>	2018-10-25 13:23:40 +0200
commit	681524e0001dcc066fc226897c85cc4c7998ac7c (patch)
tree	c99d93290196046478efc8570fd26275b1276129
parent	24c62aba579409ee500ff06e92b6f6a66add2e21 (diff)
download	enea-kernel-cache-681524e0001dcc066fc226897c85cc4c7998ac7c.tar.gz

diff --git a/patches/cve/4.1.x.scc b/patches/cve/4.1.x.scc index b381b25..8b5a52f 100644 --- a/patches/cve/4.1.x.scc +++ b/patches/cve/4.1.x.scc
@@ -29,4 +29,5 @@ patch CVE-2018-10675-mm-mempolicy-fix-use-after-free-when-calling-get_mem.patch
29	patch CVE-2017-17805-crypto-salsa20-fix-blkcipher_walk-API-usage.patch	29	patch CVE-2017-17805-crypto-salsa20-fix-blkcipher_walk-API-usage.patch
30	patch CVE-2017-17806-crypto-hmac-require-that-the-underlying-hash-algorit.patch	30	patch CVE-2017-17806-crypto-hmac-require-that-the-underlying-hash-algorit.patch
31	patch CVE-2017-6346-packet-fix-races-in-fanout_add.patch	31	patch CVE-2017-6346-packet-fix-races-in-fanout_add.patch
		32	patch CVE-2017-7184-xfrm_user-validate-XFRM_MSG_NEWAE-incoming-ESN-size-.patch
32		33


diff --git a/patches/cve/CVE-2017-7184-xfrm_user-validate-XFRM_MSG_NEWAE-incoming-ESN-size-.patch b/patches/cve/CVE-2017-7184-xfrm_user-validate-XFRM_MSG_NEWAE-incoming-ESN-size-.patch new file mode 100644 index 0000000..5961896 --- /dev/null +++ b/patches/cve/CVE-2017-7184-xfrm_user-validate-XFRM_MSG_NEWAE-incoming-ESN-size-.patch
@@ -0,0 +1,43 @@
		1	From 171a957989c4f398adb41078dbfff73b0821e383 Mon Sep 17 00:00:00 2001
		2	From: Andy Whitcroft <apw@canonical.com>
		3	Date: Thu, 23 Mar 2017 07:45:44 +0000
		4	Subject: [PATCH] xfrm_user: validate XFRM_MSG_NEWAE incoming ESN size harder
		5
		6	[ Upstream commit f843ee6dd019bcece3e74e76ad9df0155655d0df ]
		7
		8	Kees Cook has pointed out that xfrm_replay_state_esn_len() is subject to
		9	wrapping issues. To ensure we are correctly ensuring that the two ESN
		10	structures are the same size compare both the overall size as reported
		11	by xfrm_replay_state_esn_len() and the internal length are the same.
		12
		13	CVE-2017-7184
		14	Upstream-Status: Backport
		15
		16	Signed-off-by: Andy Whitcroft <apw@canonical.com>
		17	Acked-by: Steffen Klassert <steffen.klassert@secunet.com>
		18	Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
		19
		20	Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
		21	Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
		22	---
		23	net/xfrm/xfrm_user.c \| 6 +++++-
		24	1 file changed, 5 insertions(+), 1 deletion(-)
		25
		26	diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
		27	index 177cb17..30593ca 100644
		28	--- a/net/xfrm/xfrm_user.c
		29	+++ b/net/xfrm/xfrm_user.c
		30	@@ -386,7 +386,11 @@ static inline int xfrm_replay_verify_len(struct xfrm_replay_state_esn *replay_es
		31	up = nla_data(rp);
		32	ulen = xfrm_replay_state_esn_len(up);
		33
		34	- if (nla_len(rp) < ulen \|\| xfrm_replay_state_esn_len(replay_esn) != ulen)
		35	+ /* Check the overall length and the internal bitmap length to avoid
		36	+ * potential overflow. */
		37	+ if (nla_len(rp) < ulen \|\|
		38	+ xfrm_replay_state_esn_len(replay_esn) != ulen \|\|
		39	+ replay_esn->bmp_len != up->bmp_len)
		40	return -EINVAL;
		41
		42	if (up->replay_window > up->bmp_len * sizeof(__u32) * 8)
		43	--