authorAndreas Wellving <andreas.wellving@enea.com>2018-10-17 15:06:22 +0200
committerAndreas Wellving <andreas.wellving@enea.com>2018-10-25 13:17:09 +0200
commit7b270f1e59dd4bf0eb91eb9c8955afa51a3deee7 (patch)
treeff19e0680f1b130614bc56ef3cbc028eed581e19
parenta6b0b1077b78acbeb4766ccf1a742efa59d6312e (diff)
netfilter: CVE-2017-18017
netfilter: xt_TCPMSS: add more sanity tests on tcph->doff References: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.1.y&id=a7776b8815a90da464f045f7c24d9565ae9f1963 Change-Id: Idc3d6b7706a6c06a4e62c5ebeed762d7879ba1bc Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
-rw-r--r--patches/cve/4.1.x.scc4
-rw-r--r--patches/cve/CVE-2017-18017-netfilter-xt_TCPMSS-add-more-sanity-tests-on-tcph-do.patch53
2 files changed, 57 insertions, 0 deletions
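--- a/patches/cve/4.1.x.scc
+++ b/patches/cve/4.1.x.scc
@@ -15,3 +15,7 @@ patch CVE-2017-7308-net-packet-fix-overflow-in-check-for-priv-area-size.patch
 
 #fixed in 4.1.42
 patch CVE-2017-9074-ipv6-Prevent-overrun-when-parsing-v6-header-options.patch
+
+#fixed in 4.1.43
+patch CVE-2017-18017-netfilter-xt_TCPMSS-add-more-sanity-tests-on-tcph-do.patch
+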
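--- /dev/null
+++ b/patches/cve/CVE-2017-18017-netfilter-xt_TCPMSS-add-more-sanity-tests-on-tcph-do.patch
@@ -0,0 +1,53 @@
+From a7776b8815a90da464f045f7c24d9565ae9f1963 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Mon, 3 Apr 2017 10:55:11 -0700
+Subject: [PATCH] netfilter: xt_TCPMSS: add more sanity tests on tcph->doff
+
+[ Upstream commit 2638fd0f92d4397884fd991d8f4925cb3f081901 ]
+
+Denys provided an awesome KASAN report pointing to an use
+after free in xt_TCPMSS
+
+I have provided three patches to fix this issue, either in xt_TCPMSS or
+in xt_tcpudp.c. It seems xt_TCPMSS patch has the smallest possible
+impact.
+
+CVE: CVE-2017-18017
+Upstream-Status: Backport
+
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: Denys Fedoryshchenko <nuclearcat@nuclearcat.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
+---
+ net/netfilter/xt_TCPMSS.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/net/netfilter/xt_TCPMSS.c b/net/netfilter/xt_TCPMSS.c
+index e762de5..6531d703 100644
+--- a/net/netfilter/xt_TCPMSS.c
++++ b/net/netfilter/xt_TCPMSS.c
+@@ -104,7 +104,7 @@ tcpmss_mangle_packet(struct sk_buff *skb,
+ tcph = (struct tcphdr *)(skb_network_header(skb) + tcphoff);
+ tcp_hdrlen = tcph->doff * 4;
+
+- if (len < tcp_hdrlen)
++ if (len < tcp_hdrlen || tcp_hdrlen < sizeof(struct tcphdr))
+ return -1;
+
+ if (info->mss == XT_TCPMSS_CLAMP_PMTU) {
+@@ -156,6 +156,10 @@ tcpmss_mangle_packet(struct sk_buff *skb,
+ if (len > tcp_hdrlen)
+ return 0;
+
++ /* tcph->doff has 4 bits, do not wrap it to 0 */
++ if (tcp_hdrlen >= 15 * 4)
++ return 0;
++
+ /*
+ * MSS Option not found ?! add it..
+ */
+--
+2.7.4
+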
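Review bot: The second inner hunk's `if (tcp_hdrlen >= 15 * 4) return 0;` lets a SYN whose TCP header is already the full 60 bytes through without an MSS option being inserted, and the accompanying comment explains only the doff-wrap hazard, not that MSS clamping is skipped for such a packet. If `return 0` means "accept unmodified" here, as the preceding `if (len > tcp_hdrlen) return 0;` suggests, that is the right outcome for a backport, but it is worth saying so that operators who depend on clamping know those packets pass untouched; I would extend the comment to `/* tcph->doff has 4 bits, do not wrap it to 0: a 60-byte header has no room for an MSS option, so accept the packet unmodified (not clamped) */`. The first inner hunk's added `tcp_hdrlen < sizeof(struct tcphdr)` test rejects a header shorter than the fixed part before any option is read, which appears to be the sanity check the CVE fix hinges on. tcpmss_mangle_packet starts and ends outside both hunks, so the declarations of `len` and `tcp_hdrlen` in the 4.1.y tree are not visible here; the stable commit id and upstream commit id in the patch header are the only provenance the backport carries, so the reviewer should confirm they match what the tree imports.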