From 199694783798776d8649271fa8fa2c611a536a00 Mon Sep 17 00:00:00 2001
From: Sona Sarmadi
Date: Wed, 10 Aug 2016 13:40:41 +0200
Subject: net-kernel: CVE-2015-8543
Fixes a NULL pointer dereference flaw in the Linux kernel's network subsystem. A local user could use this flaw to crash the system.
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-8543
Reference to upstream fix: https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/patch/?id=0295617f822f630711f5af03316d3cbda6e737d4
Signen-off-by: Sona Sarmadi
Signed-off-by: Martin Borg
---
 recipes-kernel/linux/files/net-CVE-2015-8543.patch | 142 +++++++++++++++++++++
 recipes-kernel/linux/linux-qoriq_3.12.bbappend | 1 +
 2 files changed, 143 insertions(+)
 create mode 100644 recipes-kernel/linux/files/net-CVE-2015-8543.patch
diff --git a/recipes-kernel/linux/files/net-CVE-2015-8543.patch b/recipes-kernel/linux/files/net-CVE-2015-8543.patch
new file mode 100644
index 0000000..e9e567e
--- /dev/null
+++ b/recipes-kernel/linux/files/net-CVE-2015-8543.patch
@@ -0,0 +1,142 @@
+From 0295617f822f630711f5af03316d3cbda6e737d4 Mon Sep 17 00:00:00 2001
+From: Hannes Frederic Sowa
+Date: Mon, 14 Dec 2015 22:03:39 +0100
+Subject: net: add validation for the socket syscall protocol argument
+
+[ Upstream commit 79462ad02e861803b3840cc782248c7359451cd9 ]
+
+郭永刚 reported that one could simply crash the kernel as root by
+using a simple program:
+
+ int socket_fd;
+ struct sockaddr_in addr;
+ addr.sin_port = 0;
+ addr.sin_addr.s_addr = INADDR_ANY;
+ addr.sin_family = 10;
+
+ socket_fd = socket(10,3,0x40000000);
+ connect(socket_fd , &addr,16);
+
+AF_INET, AF_INET6 sockets actually only support 8-bit protocol
+identifiers. inet_sock's skc_protocol field thus is sized accordingly,
+thus larger protocol identifiers simply cut off the higher bits and
+store a zero in the protocol fields.
+
+This could lead to e.g. NULL function pointer because as a result of
+the cut off inet_num is zero and we call down to inet_autobind, which
+is NULL for raw sockets.
+
+kernel: Call Trace:
+kernel: [] ? inet_autobind+0x2e/0x70
+kernel: [] inet_dgram_connect+0x54/0x80
+kernel: [] SYSC_connect+0xd9/0x110
+kernel: [] ? ptrace_notify+0x5b/0x80
+kernel: [] ? syscall_trace_enter_phase2+0x108/0x200
+kernel: [] SyS_connect+0xe/0x10
+kernel: [] tracesys_phase2+0x84/0x89
+
+I found no particular commit which introduced this problem.
+
+CVE: CVE-2015-8543
+Upstream-Status: Backport
+
+Cc: Cong Wang
+Reported-by: 郭永刚
+Signed-off-by: Hannes Frederic Sowa
+Signed-off-by: David S. Miller
+Signed-off-by: Jiri Slaby
+Signed-off-by: Sona Sarmadi
+---
+ include/net/sock.h | 1 +
+ net/ax25/af_ax25.c | 3 +++
+ net/decnet/af_decnet.c | 3 +++
+ net/ipv4/af_inet.c | 3 +++
+ net/ipv6/af_inet6.c | 3 +++
+ net/irda/af_irda.c | 3 +++
+ 6 files changed, 16 insertions(+)
+
+diff --git a/include/net/sock.h b/include/net/sock.h
+index 4d631bd..41d98f1 100644
+--- a/include/net/sock.h
++++ b/include/net/sock.h
+@@ -358,6 +358,7 @@ struct sock {
+ sk_no_check : 2,
+ sk_userlocks : 4,
+ sk_protocol : 8,
++#define SK_PROTOCOL_MAX U8_MAX
+ sk_type : 16;
+ kmemcheck_bitfield_end(flags);
+ int sk_wmem_queued;
+diff --git a/net/ax25/af_ax25.c b/net/ax25/af_ax25.c
+index 78c474f..c4ee710 100644
+--- a/net/ax25/af_ax25.c
++++ b/net/ax25/af_ax25.c
+@@ -806,6 +806,9 @@ static int ax25_create(struct net *net, struct socket *sock, int protocol,
+ struct sock *sk;
+ ax25_cb *ax25;
+
++ if (protocol < 0 || protocol > SK_PROTOCOL_MAX)
++ return -EINVAL;
++
+ if (!net_eq(net, &init_net))
+ return -EAFNOSUPPORT;
+
+diff --git a/net/decnet/af_decnet.c b/net/decnet/af_decnet.c
+index dd4d506..c030d5c 100644
+--- a/net/decnet/af_decnet.c
++++ b/net/decnet/af_decnet.c
+@@ -677,6 +677,9 @@ static int dn_create(struct net *net, struct socket *sock, int protocol,
+ {
+ struct sock *sk;
+
++ if (protocol < 0 || protocol > SK_PROTOCOL_MAX)
++ return -EINVAL;
++
+ if (!net_eq(net, &init_net))
+ return -EAFNOSUPPORT;
+
+diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c
+index cfeb85c..09f9c04 100644
+--- a/net/ipv4/af_inet.c
++++ b/net/ipv4/af_inet.c
+@@ -288,6 +288,9 @@ static int inet_create(struct net *net, struct socket *sock, int protocol,
+ if (sock->type != SOCK_RAW && sock->type != SOCK_DGRAM)
+ build_ehash_secret();
+
++ if (protocol < 0 || protocol >= IPPROTO_MAX)
++ return -EINVAL;
++
+ sock->state = SS_UNCONNECTED;
+
+ /* Look for the requested type/protocol pair. */
+diff --git a/net/ipv6/af_inet6.c b/net/ipv6/af_inet6.c
+index 98e09df..0747e14 100644
+--- a/net/ipv6/af_inet6.c
++++ b/net/ipv6/af_inet6.c
+@@ -115,6 +115,9 @@ static int inet6_create(struct net *net, struct socket *sock, int protocol,
+ !inet_ehash_secret)
+ build_ehash_secret();
+
++ if (protocol < 0 || protocol >= IPPROTO_MAX)
++ return -EINVAL;
++
+ /* Look for the requested type/protocol pair. */
+ lookup_protocol:
+ err = -ESOCKTNOSUPPORT;
+diff --git a/net/irda/af_irda.c b/net/irda/af_irda.c
+index a5e62ef5..f8133ff 100644
+--- a/net/irda/af_irda.c
++++ b/net/irda/af_irda.c
+@@ -1105,6 +1105,9 @@ static int irda_create(struct net *net, struct socket *sock, int protocol,
+
+ IRDA_DEBUG(2, "%s()\n", __func__);
+
++ if (protocol < 0 || protocol > SK_PROTOCOL_MAX)
++ return -EINVAL;
++
+ if (net != &init_net)
+ return -EAFNOSUPPORT;
+
+--
+cgit v0.12
+
diff --git a/recipes-kernel/linux/linux-qoriq_3.12.bbappend b/recipes-kernel/linux/linux-qoriq_3.12.bbappend
index 09a3d77..cc83b93 100644
--- a/recipes-kernel/linux/linux-qoriq_3.12.bbappend
+++ b/recipes-kernel/linux/linux-qoriq_3.12.bbappend
@@ -3,5 +3,6 @@ require recipes-kernel/linux/linux-qoriq-common.inc
 FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
 SRC_URI += "file://ppp-CVE-2015-8569.patch \
+ file://net-CVE-2015-8543.patch \
 "
--
cgit v1.2.3-54-g00ecf
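Review bot: The include/net/sock.h hunk inside the new patch file adds `+#define SK_PROTOCOL_MAX U8_MAX` but nothing in the patch defines `U8_MAX`, so the backport depends on the 3.12 tree this bbappend targets already providing it; as far as I recall that constant only reached include/linux/kernel.h in mainline after 3.12, and a vendor 3.12 tree may not carry it, in which case ax25_create is the first user and the kernel build fails there. Confirm the tree defines U8_MAX, or add the definition to the sock.h hunk so the patch stands on its own. The inet/inet6 callers compare against `IPPROTO_MAX` while ax25/decnet/irda compare against `SK_PROTOCOL_MAX`; that asymmetry is the same as in the upstream commit quoted in the patch header and is not a defect. Separately, the outer commit record's trailer reads `Signen-off-by`, which tooling that looks for Signed-off-by will not recognise.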