add fix for CVE-2017-9074 fix
This commit is contained in:
Fabian Grünbichler
parent
c7f85f2701
commit
c1f358be22
@ -0,0 +1,96 @@
|
|||||||
|
From 7dd7eb9513bd02184d45f000ab69d78cb1fa1531 Mon Sep 17 00:00:00 2001
|
||||||
|
From: "David S. Miller" <davem@davemloft.net>
|
||||||
|
Date: Wed, 17 May 2017 22:54:11 -0400
|
||||||
|
Subject: [PATCH] ipv6: Check ip6_find_1stfragopt() return value properly.
|
||||||
|
MIME-Version: 1.0
|
||||||
|
Content-Type: text/plain; charset=UTF-8
|
||||||
|
Content-Transfer-Encoding: 8bit
|
||||||
|
|
||||||
|
Do not use unsigned variables to see if it returns a negative
|
||||||
|
error or not.
|
||||||
|
|
||||||
|
Fixes: 2423496af35d ("ipv6: Prevent overrun when parsing v6 header options")
|
||||||
|
Reported-by: Julia Lawall <julia.lawall@lip6.fr>
|
||||||
|
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||||
|
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
|
||||||
|
---
|
||||||
|
net/ipv6/ip6_offload.c | 9 ++++-----
|
||||||
|
net/ipv6/ip6_output.c | 7 +++----
|
||||||
|
net/ipv6/udp_offload.c | 8 +++++---
|
||||||
|
3 files changed, 12 insertions(+), 12 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/net/ipv6/ip6_offload.c b/net/ipv6/ip6_offload.c
|
||||||
|
index eab36abc9f22..280268f1dd7b 100644
|
||||||
|
--- a/net/ipv6/ip6_offload.c
|
||||||
|
+++ b/net/ipv6/ip6_offload.c
|
||||||
|
@@ -63,7 +63,6 @@ static struct sk_buff *ipv6_gso_segment(struct sk_buff *skb,
|
||||||
|
const struct net_offload *ops;
|
||||||
|
int proto;
|
||||||
|
struct frag_hdr *fptr;
|
||||||
|
- unsigned int unfrag_ip6hlen;
|
||||||
|
unsigned int payload_len;
|
||||||
|
u8 *prevhdr;
|
||||||
|
int offset = 0;
|
||||||
|
@@ -116,10 +115,10 @@ static struct sk_buff *ipv6_gso_segment(struct sk_buff *skb,
|
||||||
|
skb->network_header = (u8 *)ipv6h - skb->head;
|
||||||
|
|
||||||
|
if (udpfrag) {
|
||||||
|
- unfrag_ip6hlen = ip6_find_1stfragopt(skb, &prevhdr);
|
||||||
|
- if (unfrag_ip6hlen < 0)
|
||||||
|
- return ERR_PTR(unfrag_ip6hlen);
|
||||||
|
- fptr = (struct frag_hdr *)((u8 *)ipv6h + unfrag_ip6hlen);
|
||||||
|
+ int err = ip6_find_1stfragopt(skb, &prevhdr);
|
||||||
|
+ if (err < 0)
|
||||||
|
+ return ERR_PTR(err);
|
||||||
|
+ fptr = (struct frag_hdr *)((u8 *)ipv6h + err);
|
||||||
|
fptr->frag_off = htons(offset);
|
||||||
|
if (skb->next)
|
||||||
|
fptr->frag_off |= htons(IP6_MF);
|
||||||
|
diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
|
||||||
|
index 01deecda2f84..d4a31becbd25 100644
|
||||||
|
--- a/net/ipv6/ip6_output.c
|
||||||
|
+++ b/net/ipv6/ip6_output.c
|
||||||
|
@@ -597,11 +597,10 @@ int ip6_fragment(struct net *net, struct sock *sk, struct sk_buff *skb,
|
||||||
|
int ptr, offset = 0, err = 0;
|
||||||
|
u8 *prevhdr, nexthdr = 0;
|
||||||
|
|
||||||
|
- hlen = ip6_find_1stfragopt(skb, &prevhdr);
|
||||||
|
- if (hlen < 0) {
|
||||||
|
- err = hlen;
|
||||||
|
+ err = ip6_find_1stfragopt(skb, &prevhdr);
|
||||||
|
+ if (err < 0)
|
||||||
|
goto fail;
|
||||||
|
- }
|
||||||
|
+ hlen = err;
|
||||||
|
nexthdr = *prevhdr;
|
||||||
|
|
||||||
|
mtu = ip6_skb_dst_mtu(skb);
|
||||||
|
diff --git a/net/ipv6/udp_offload.c b/net/ipv6/udp_offload.c
|
||||||
|
index b348cff47395..a2267f80febb 100644
|
||||||
|
--- a/net/ipv6/udp_offload.c
|
||||||
|
+++ b/net/ipv6/udp_offload.c
|
||||||
|
@@ -29,6 +29,7 @@ static struct sk_buff *udp6_ufo_fragment(struct sk_buff *skb,
|
||||||
|
u8 frag_hdr_sz = sizeof(struct frag_hdr);
|
||||||
|
__wsum csum;
|
||||||
|
int tnl_hlen;
|
||||||
|
+ int err;
|
||||||
|
|
||||||
|
mss = skb_shinfo(skb)->gso_size;
|
||||||
|
if (unlikely(skb->len <= mss))
|
||||||
|
@@ -90,9 +91,10 @@ static struct sk_buff *udp6_ufo_fragment(struct sk_buff *skb,
|
||||||
|
/* Find the unfragmentable header and shift it left by frag_hdr_sz
|
||||||
|
* bytes to insert fragment header.
|
||||||
|
*/
|
||||||
|
- unfrag_ip6hlen = ip6_find_1stfragopt(skb, &prevhdr);
|
||||||
|
- if (unfrag_ip6hlen < 0)
|
||||||
|
- return ERR_PTR(unfrag_ip6hlen);
|
||||||
|
+ err = ip6_find_1stfragopt(skb, &prevhdr);
|
||||||
|
+ if (err < 0)
|
||||||
|
+ return ERR_PTR(err);
|
||||||
|
+ unfrag_ip6hlen = err;
|
||||||
|
nexthdr = *prevhdr;
|
||||||
|
*prevhdr = NEXTHDR_FRAGMENT;
|
||||||
|
unfrag_len = (skb_network_header(skb) - skb_mac_header(skb)) +
|
||||||
|
--
|
||||||
|
2.11.0
|
||||||
|
|
||||||
1
Makefile
1
Makefile
@ -237,6 +237,7 @@ ${KERNEL_SRC}/README ${KERNEL_CFG_ORG}: ${KERNEL_SRC_SUBMODULE} | submodules
|
|||||||
cd ${KERNEL_SRC}; patch -p1 < ../0001-netfilter-nft_set_rbtree-handle-re-addition-element-.patch # DoS from within (unpriv) containers
|
cd ${KERNEL_SRC}; patch -p1 < ../0001-netfilter-nft_set_rbtree-handle-re-addition-element-.patch # DoS from within (unpriv) containers
|
||||||
cd ${KERNEL_SRC}; patch -p1 < ../CVE-2017-8890-dccp-tcp-do-not-inherit-mc_list-from-parent.patch
|
cd ${KERNEL_SRC}; patch -p1 < ../CVE-2017-8890-dccp-tcp-do-not-inherit-mc_list-from-parent.patch
|
||||||
cd ${KERNEL_SRC}; patch -p1 < ../CVE-2017-9074-ipv6-Prevent-overrun-when-parsing-v6-header-options.patch
|
cd ${KERNEL_SRC}; patch -p1 < ../CVE-2017-9074-ipv6-Prevent-overrun-when-parsing-v6-header-options.patch
|
||||||
|
cd ${KERNEL_SRC}; patch -p1 < ../CVE-2017-9074-2-ipv6-Check-ip6_find_1stfragopt-return-value-properly.patch
|
||||||
cd ${KERNEL_SRC}; patch -p1 < ../CVE-2017-9075-sctp-do-not-inherit-ipv6_-mc-ac-fl-_list-from-parent.patch
|
cd ${KERNEL_SRC}; patch -p1 < ../CVE-2017-9075-sctp-do-not-inherit-ipv6_-mc-ac-fl-_list-from-parent.patch
|
||||||
cd ${KERNEL_SRC}; patch -p1 < ../CVE-2017-9076_9077-ipv6-dccp-do-not-inherit-ipv6_mc_list-from-parent.patch
|
cd ${KERNEL_SRC}; patch -p1 < ../CVE-2017-9076_9077-ipv6-dccp-do-not-inherit-ipv6_mc_list-from-parent.patch
|
||||||
cd ${KERNEL_SRC}; patch -p1 < ../CVE-2017-9242-ipv6-fix-out-of-bound-writes-in-__ip6_append_data.patch
|
cd ${KERNEL_SRC}; patch -p1 < ../CVE-2017-9242-ipv6-fix-out-of-bound-writes-in-__ip6_append_data.patch
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user