diff options
| author | Andreas Wellving <andreas.wellving@enea.com> | 2018-10-12 08:07:26 +0200 |
|---|---|---|
| committer | Adrian Dudau <Adrian.Dudau@enea.com> | 2018-10-12 14:07:52 +0200 |
| commit | 881dab83a4597d7c0e7ca75ccee3d8038ac1b31d (patch) | |
| tree | 0e16dc7330a9b01f40370ac7e306225957c542f7 | |
| parent | ef996871247bfa6a05578a1d33eb466d6f7c149f (diff) | |
| download | enea-kernel-cache-881dab83a4597d7c0e7ca75ccee3d8038ac1b31d.tar.gz | |
Cipso: CVE-2018-10938
Cipso: cipso_v4_optptr enter infinite loop
References: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=40413955ee265a5e42f710940ec78f5450d49149
Change-Id: I2ddd252e706cc611c1b62175c1bd6ea1874a7974
Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
| -rw-r--r-- | patches/cve/4.9.x.scc | 3 | ||||
| -rw-r--r-- | patches/cve/CVE-2018-10938-Cipso-cipso_v4_optptr-enter-infinite-loop.patch | 47 |
2 files changed, 50 insertions, 0 deletions
diff --git a/patches/cve/4.9.x.scc b/patches/cve/4.9.x.scc index a296f8e..eef4955 100644 --- a/patches/cve/4.9.x.scc +++ b/patches/cve/4.9.x.scc | |||
| @@ -9,3 +9,6 @@ patch CVE-2018-15572-x86-speculation-Protect-against-userspace-userspace-.patch | |||
| 9 | 9 | ||
| 10 | #CVEs fixed in 4.9.121: | 10 | #CVEs fixed in 4.9.121: |
| 11 | patch CVE-2018-9363-Bluetooth-hidp-buffer-overflow-in-hidp_process_repor.patch | 11 | patch CVE-2018-9363-Bluetooth-hidp-buffer-overflow-in-hidp_process_repor.patch |
| 12 | |||
| 13 | #CVEs fixed in 4.9.125: | ||
| 14 | patch CVE-2018-10938-Cipso-cipso_v4_optptr-enter-infinite-loop.patch | ||
diff --git a/patches/cve/CVE-2018-10938-Cipso-cipso_v4_optptr-enter-infinite-loop.patch b/patches/cve/CVE-2018-10938-Cipso-cipso_v4_optptr-enter-infinite-loop.patch new file mode 100644 index 0000000..68a5d28 --- /dev/null +++ b/patches/cve/CVE-2018-10938-Cipso-cipso_v4_optptr-enter-infinite-loop.patch | |||
| @@ -0,0 +1,47 @@ | |||
| 1 | From 40413955ee265a5e42f710940ec78f5450d49149 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: "yujuan.qi" <yujuan.qi@mediatek.com> | ||
| 3 | Date: Mon, 31 Jul 2017 11:23:01 +0800 | ||
| 4 | Subject: [PATCH] Cipso: cipso_v4_optptr enter infinite loop | ||
| 5 | |||
| 6 | in for(),if((optlen > 0) && (optptr[1] == 0)), enter infinite loop. | ||
| 7 | |||
| 8 | Test: receive a packet which the ip length > 20 and the first byte of ip option is 0, produce this issue | ||
| 9 | |||
| 10 | CVE: CVE-2018-10938 | ||
| 11 | Upstream-Status: Backport | ||
| 12 | |||
| 13 | Signed-off-by: yujuan.qi <yujuan.qi@mediatek.com> | ||
| 14 | Acked-by: Paul Moore <paul@paul-moore.com> | ||
| 15 | Signed-off-by: David S. Miller <davem@davemloft.net> | ||
| 16 | Signed-off-by: Andreas Wellving <andreas.wellving@enea.com> | ||
| 17 | --- | ||
| 18 | net/ipv4/cipso_ipv4.c | 12 ++++++++++-- | ||
| 19 | 1 file changed, 10 insertions(+), 2 deletions(-) | ||
| 20 | |||
| 21 | diff --git a/net/ipv4/cipso_ipv4.c b/net/ipv4/cipso_ipv4.c | ||
| 22 | index c4c6e19..2ae8f54 100644 | ||
| 23 | --- a/net/ipv4/cipso_ipv4.c | ||
| 24 | +++ b/net/ipv4/cipso_ipv4.c | ||
| 25 | @@ -1523,9 +1523,17 @@ unsigned char *cipso_v4_optptr(const struct sk_buff *skb) | ||
| 26 | int taglen; | ||
| 27 | |||
| 28 | for (optlen = iph->ihl*4 - sizeof(struct iphdr); optlen > 0; ) { | ||
| 29 | - if (optptr[0] == IPOPT_CIPSO) | ||
| 30 | + switch (optptr[0]) { | ||
| 31 | + case IPOPT_CIPSO: | ||
| 32 | return optptr; | ||
| 33 | - taglen = optptr[1]; | ||
| 34 | + case IPOPT_END: | ||
| 35 | + return NULL; | ||
| 36 | + case IPOPT_NOOP: | ||
| 37 | + taglen = 1; | ||
| 38 | + break; | ||
| 39 | + default: | ||
| 40 | + taglen = optptr[1]; | ||
| 41 | + } | ||
| 42 | optlen -= taglen; | ||
| 43 | optptr += taglen; | ||
| 44 | } | ||
| 45 | -- | ||
| 46 | 2.7.4 | ||
| 47 | |||
