author | Andreas Wellving <andreas.wellving@enea.com> | 2018-10-17 15:28:13 +0200 |
---|---|---|
committer | Andreas Wellving <andreas.wellving@enea.com> | 2018-10-25 13:25:19 +0200 |
commit | ac8dc20157f32d100cda9f7bb5d73eeea67fd0a1 (patch) | |
tree | 00cda08ea01476810d8bc18679da20f68a72ddfa | |
parent | a0c8087aaa1aca3797247937d559ede5c3181772 (diff) | |
download | enea-kernel-cache-ac8dc20157f32d100cda9f7bb5d73eeea67fd0a1.tar.gz |
net: CVE-2016-9793
net: avoid signed overflows for SO_{SND|RCV}BUFFORCE
References:
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.1.y&id=f99fb439e6aff4e9f8b91a80d48b2a2d97aa2248
Change-Id: Idb0b4aa03389ed4bc6385a32bef14211bca809f9
Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
-rw-r--r-- | patches/cve/4.1.x.scc | 4 | ||||
-rw-r--r-- | patches/cve/CVE-2016-9793-net-avoid-signed-overflows-for-SO_-SND-RCV-BUFFORCE.patch | 56 |
2 files changed, 60 insertions, 0 deletions
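--- a/patches/cve/4.1.x.scc
+++ b/patches/cve/4.1.x.scc
@@ -33,4 +33,8 @@ patch CVE-2017-7184-xfrm_user-validate-XFRM_MSG_NEWAE-incoming-ESN-size-.patch
 
 #fixed in 4.1.50
 patch CVE-2016-10318-fscrypto-add-authorization-check-for-setting-encrypt.patch
+patch CVE-2016-9793-net-avoid-signed-overflows-for-SO_-SND-RCV-BUFFORCE.patch
+
+
+
 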
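--- /dev/null
+++ b/patches/cve/CVE-2016-9793-net-avoid-signed-overflows-for-SO_-SND-RCV-BUFFORCE.patch
@@ -0,0 +1,56 @@
+From f99fb439e6aff4e9f8b91a80d48b2a2d97aa2248 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Fri, 2 Dec 2016 09:44:53 -0800
+Subject: [PATCH] net: avoid signed overflows for SO_{SND|RCV}BUFFORCE
+
+[ Upstream commit b98b0bc8c431e3ceb4b26b0dfc8db509518fb290 ]
+
+CAP_NET_ADMIN users should not be allowed to set negative
+sk_sndbuf or sk_rcvbuf values, as it can lead to various memory
+corruptions, crashes, OOM...
+
+Note that before commit 82981930125a ("net: cleanups in
+sock_setsockopt()"), the bug was even more serious, since SO_SNDBUF
+and SO_RCVBUF were vulnerable.
+
+This needs to be backported to all known linux kernels.
+
+Again, many thanks to syzkaller team for discovering this gem.
+
+CVE: CVE-2016-9793
+Upstream-Status: Backport
+
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: Andrey Konovalov <andreyknvl@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
+---
+net/core/sock.c | 4 ++--
+1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/core/sock.c b/net/core/sock.c
+index 76e0b87..7697148 100644
+--- a/net/core/sock.c
++++ b/net/core/sock.c
+@@ -729,7 +729,7 @@ int sock_setsockopt(struct socket *sock, int level, int optname,
+val = min_t(u32, val, sysctl_wmem_max);
+set_sndbuf:
+sk->sk_userlocks |= SOCK_SNDBUF_LOCK;
+- sk->sk_sndbuf = max_t(u32, val * 2, SOCK_MIN_SNDBUF);
++ sk->sk_sndbuf = max_t(int, val * 2, SOCK_MIN_SNDBUF);
+/* Wake up sending tasks if we upped the value. */
+sk->sk_write_space(sk);
+break;
+@@ -765,7 +765,7 @@ set_rcvbuf:
+* returning the value we actually used in getsockopt
+* is the most desirable behavior.
+*/
+- sk->sk_rcvbuf = max_t(u32, val * 2, SOCK_MIN_RCVBUF);
++ sk->sk_rcvbuf = max_t(int, val * 2, SOCK_MIN_RCVBUF);
+break;
+
+case SO_RCVBUFFORCE:
+--
+2.7.4
+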
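Review bot: In the embedded net/core/sock.c hunks, `val * 2` at `set_sndbuf` and `set_rcvbuf` is still a signed multiplication. The fix therefore works only because a product above INT_MAX wraps to a negative int, which `max_t(int, ...)` then raises to SOCK_MIN_SNDBUF or SOCK_MIN_RCVBUF. That depends on the kernel being built with wrapping signed arithmetic, which this patch does not show, so it is worth confirming against the 4.1.x build flags. A comment above each assignment would record the assumption, for example `/* val * 2 may go negative on the *BUFFORCE paths; compare as int so it clamps to the minimum */`. The SO_SNDBUFFORCE and SO_RCVBUFFORCE case bodies that reach these labels lie outside both hunks, so check the range of `val` on entry in the target tree rather than inferring it from this diff.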