From 681524e0001dcc066fc226897c85cc4c7998ac7c Mon Sep 17 00:00:00 2001 From: Andreas Wellving Date: Wed, 17 Oct 2018 15:23:04 +0200 Subject: xfrm_user: CVE-2017-7184 xfrm_user: validate XFRM_MSG_NEWAE incoming ESN size harder References: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.1.y&id=171a957989c4f398adb41078dbfff73b0821e383 Change-Id: Ia97c243997ed679d6f6619a165064c6a2ebab932 Signed-off-by: Andreas Wellving --- patches/cve/4.1.x.scc | 1 + ...alidate-XFRM_MSG_NEWAE-incoming-ESN-size-.patch | 43 ++++++++++++++++++++++ 2 files changed, 44 insertions(+) create mode 100644 patches/cve/CVE-2017-7184-xfrm_user-validate-XFRM_MSG_NEWAE-incoming-ESN-size-.patch diff --git a/patches/cve/4.1.x.scc b/patches/cve/4.1.x.scc index b381b25..8b5a52f 100644 --- a/patches/cve/4.1.x.scc +++ b/patches/cve/4.1.x.scc @@ -29,4 +29,5 @@ patch CVE-2018-10675-mm-mempolicy-fix-use-after-free-when-calling-get_mem.patch patch CVE-2017-17805-crypto-salsa20-fix-blkcipher_walk-API-usage.patch patch CVE-2017-17806-crypto-hmac-require-that-the-underlying-hash-algorit.patch patch CVE-2017-6346-packet-fix-races-in-fanout_add.patch +patch CVE-2017-7184-xfrm_user-validate-XFRM_MSG_NEWAE-incoming-ESN-size-.patch diff --git a/patches/cve/CVE-2017-7184-xfrm_user-validate-XFRM_MSG_NEWAE-incoming-ESN-size-.patch b/patches/cve/CVE-2017-7184-xfrm_user-validate-XFRM_MSG_NEWAE-incoming-ESN-size-.patch new file mode 100644 index 0000000..5961896 --- /dev/null +++ b/patches/cve/CVE-2017-7184-xfrm_user-validate-XFRM_MSG_NEWAE-incoming-ESN-size-.patch 
@@ -0,0 +1,43 @@ +From 171a957989c4f398adb41078dbfff73b0821e383 Mon Sep 17 00:00:00 2001 +From: Andy Whitcroft +Date: Thu, 23 Mar 2017 07:45:44 +0000 +Subject: [PATCH] xfrm_user: validate XFRM_MSG_NEWAE incoming ESN size harder + +[ Upstream commit f843ee6dd019bcece3e74e76ad9df0155655d0df ] + +Kees Cook has pointed out that xfrm_replay_state_esn_len() is subject to +wrapping issues. To ensure we are correctly ensuring that the two ESN +structures are the same size compare both the overall size as reported +by xfrm_replay_state_esn_len() and the internal length are the same. + +CVE-2017-7184 +Upstream-Status: Backport + +Signed-off-by: Andy Whitcroft +Acked-by: Steffen Klassert +Signed-off-by: Linus Torvalds + +Signed-off-by: Sasha Levin +Signed-off-by: Andreas Wellving +--- + net/xfrm/xfrm_user.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c +index 177cb17..30593ca 100644 +--- a/net/xfrm/xfrm_user.c ++++ b/net/xfrm/xfrm_user.c +@@ -386,7 +386,11 @@ static inline int xfrm_replay_verify_len(struct xfrm_replay_state_esn *replay_es + up = nla_data(rp); + ulen = xfrm_replay_state_esn_len(up); + +- if (nla_len(rp) < ulen || xfrm_replay_state_esn_len(replay_esn) != ulen) ++ /* Check the overall length and the internal bitmap length to avoid ++ * potential overflow. */ ++ if (nla_len(rp) < ulen || ++ xfrm_replay_state_esn_len(replay_esn) != ulen || ++ replay_esn->bmp_len != up->bmp_len) + return -EINVAL; + + if (up->replay_window > up->bmp_len * sizeof(__u32) * 8) +-- -- cgit v1.2.3-54-g00ecf
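Review bot: in the patches/cve/4.1.x.scc hunk the new entry's file name ends in `-ESN-size-.patch`, the dangling hyphen left when `git format-patch` truncated the subject; consider naming the file (and the matching `create mode` path) `CVE-2017-7184-xfrm_user-validate-XFRM_MSG_NEWAE-incoming-ESN-size-harder.patch` so the name carries the whole subject. The list is otherwise just appended in arrival order, consistent with the existing entries, so nothing else needs to change.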
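Review bot: in the net/xfrm/xfrm_user.c hunk `ulen = xfrm_replay_state_esn_len(up);` still reads `up->bmp_len` before `nla_len(rp) < ulen` is evaluated, so the fix relies on the attribute already having been checked against `sizeof(struct xfrm_replay_state_esn)` elsewhere (upstream does this in the netlink policy entry for XFRMA_REPLAY_ESN_VAL); that check is not part of this hunk, so confirm the 4.1 tree carries it before merging. The added `replay_esn->bmp_len != up->bmp_len` test is the substantive change: it pins the user-supplied bitmap length to the kernel-side value, which also bounds the `up->bmp_len * sizeof(__u32) * 8` product in the following context line. One nit: the new comment closes with `*/` on the text line rather than on its own line as net/ style prefers, but since this is a verbatim backport of f843ee6dd019 it is better left matching upstream.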