From 7f0f6370beebc3ebc80dc784c06e88315eb9db88 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabian=20Gr=C3=BCnbichler?=
Date: Fri, 5 May 2017 09:06:13 +0200
Subject: [PATCH] update fix for CVE-2017-7979 to final version

cherry-picked from Ubuntu Zesty's master-next
---
 ...ons-fix-access-to-uninitialized-data.patch | 33 ----
 ...ns-decrement-module-refcount-earlier.patch | 67 --------
 ...ched-nla_memdup_cookie-can-be-static.patch | 42 ++++++
 ...ed-actions-allocate-act-cookie-early.patch | 142 ++++++++++++++++++
 Makefile | 4 +-
 5 files changed, 186 insertions(+), 102 deletions(-)
 delete mode 100644 0001-net-sched-actions-fix-access-to-uninitialized-data.patch
 delete mode 100644 0002-net-sched-actions-decrement-module-refcount-earlier.patch
 create mode 100644 CVE-2017-7979-0001-net_sched-nla_memdup_cookie-can-be-static.patch
 create mode 100644 CVE-2017-7979-0002-net-sched-actions-allocate-act-cookie-early.patch

diff --git a/0001-net-sched-actions-fix-access-to-uninitialized-data.patch b/0001-net-sched-actions-fix-access-to-uninitialized-data.patch
deleted file mode 100644
index ed0d782..0000000
--- a/0001-net-sched-actions-fix-access-to-uninitialized-data.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From 45f4251eac81036e2532b16d13f1ad421813eca9 Mon Sep 17 00:00:00 2001
-From: Wolfgang Bumiller
-Date: Thu, 13 Apr 2017 10:13:31 +0200
-Subject: [Zesty][PATCH 1/2] UBUNTU: SAUCE: net sched actions: fix access to uninitialized data
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1682368
-
-Signed-off-by: Wolfgang Bumiller
-(cherry-picked from http://marc.info/?l=linux-netdev&m=149200746116365 )
-Signed-off-by: Fabian Grünbichler
---
- net/sched/act_api.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/net/sched/act_api.c b/net/sched/act_api.c
-index 501c42d..32f12f5 100644
---- a/net/sched/act_api.c
-+++ b/net/sched/act_api.c
-@@ -607,7 +607,7 @@ struct tc_action *tcf_action_init_1(struct net *net, struct nlattr *nla,
- if (err < 0)
- goto err_mod;
- 
-- if (tb[TCA_ACT_COOKIE]) {
-+ if (name == NULL && tb[TCA_ACT_COOKIE]) {
- int cklen = nla_len(tb[TCA_ACT_COOKIE]);
- 
- if (cklen > TC_COOKIE_MAX_SIZE) {
--- 
-2.1.4
-
diff --git a/0002-net-sched-actions-decrement-module-refcount-earlier.patch b/0002-net-sched-actions-decrement-module-refcount-earlier.patch
deleted file mode 100644
index 75bcb7b..0000000
--- a/0002-net-sched-actions-decrement-module-refcount-earlier.patch
+++ /dev/null
@@ -1,67 +0,0 @@
-From b3c6f3b25edface1ece9b30aa1fe5d6f9abae098 Mon Sep 17 00:00:00 2001
-From: Wolfgang Bumiller
-Date: Thu, 13 Apr 2017 10:13:32 +0200
-Subject: [Zesty][PATCH 2/2] UBUNTU: SAUCE: net sched actions: decrement module refcount earlier
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1682368
-
-Whether the reference count has to be decremented depends
-on whether the policy was created. If TCA_ACT_COOKIE is
-passed and an error occurs there, the same condition still
-has to be honored.
-
-Signed-off-by: Wolfgang Bumiller
-(cherry-picked from http://marc.info/?l=linux-netdev&m=149200742616349)
-Signed-off-by: Fabian Grünbichler
---
- net/sched/act_api.c | 17 +++++++++--------
- 1 file changed, 9 insertions(+), 8 deletions(-)
-
-diff --git a/net/sched/act_api.c b/net/sched/act_api.c
-index 32f12f5..07068ca 100644
---- a/net/sched/act_api.c
-+++ b/net/sched/act_api.c
-@@ -607,28 +607,29 @@ struct tc_action *tcf_action_init_1(struct net *net, struct nlattr *nla,
- if (err < 0)
- goto err_mod;
- 
-+ /* module count goes up only when brand new policy is created
-+ * if it exists and is only bound to in a_o->init() then
-+ * ACT_P_CREATED is not returned (a zero is).
-+ */
-+ if (err != ACT_P_CREATED)
-+ module_put(a_o->owner);
-+
- if (name == NULL && tb[TCA_ACT_COOKIE]) {
- int cklen = nla_len(tb[TCA_ACT_COOKIE]);
- 
- if (cklen > TC_COOKIE_MAX_SIZE) {
- err = -EINVAL;
- tcf_hash_release(a, bind);
-- goto err_mod;
-+ goto err_out;
- }
- 
- if (nla_memdup_cookie(a, tb) < 0) {
- err = -ENOMEM;
- tcf_hash_release(a, bind);
-- goto err_mod;
-+ goto err_out;
- }
- }
- 
-- /* module count goes up only when brand new policy is created
-- * if it exists and is only bound to in a_o->init() then
-- * ACT_P_CREATED is not returned (a zero is).
-- */
-- if (err != ACT_P_CREATED)
-- module_put(a_o->owner);
- 
- return a;
- 
--- 
-2.1.4
-
diff --git a/CVE-2017-7979-0001-net_sched-nla_memdup_cookie-can-be-static.patch b/CVE-2017-7979-0001-net_sched-nla_memdup_cookie-can-be-static.patch
new file mode 100644
index 0000000..6400aae
--- /dev/null
+++ b/CVE-2017-7979-0001-net_sched-nla_memdup_cookie-can-be-static.patch
@@ -0,0 +1,42 @@
+From e18cf144f49054fa79d43689accdd2766618953d Mon Sep 17 00:00:00 2001
+From: Wei Yongjun
+Date: Mon, 24 Apr 2017 16:26:00 +0200
+Subject: [PATCH 1/2] net_sched: nla_memdup_cookie() can be static
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1682368
+
+Fixes the following sparse warning:
+
+net/sched/act_api.c:532:5: warning:
+ symbol 'nla_memdup_cookie' was not declared. Should it be static?
+
+Signed-off-by: Wei Yongjun
+Signed-off-by: David S. Miller
+(cherry picked from commit 6f2e3f7d9785dacb358b48b44950182b5c13e4bc)
+Signed-off-by: Fabian Grünbichler
+Acked-by: Kamal Mostafa
+Acked-by: Seth Forshee
+Signed-off-by: Stefan Bader
+---
+ net/sched/act_api.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/sched/act_api.c b/net/sched/act_api.c
+index 501c42d..e336f30 100644
+--- a/net/sched/act_api.c
++++ b/net/sched/act_api.c
+@@ -532,7 +532,7 @@ int tcf_action_dump(struct sk_buff *skb, struct list_head *actions,
+ return err;
+ }
+ 
+-int nla_memdup_cookie(struct tc_action *a, struct nlattr **tb)
++static int nla_memdup_cookie(struct tc_action *a, struct nlattr **tb)
+ {
+ a->act_cookie = kzalloc(sizeof(*a->act_cookie), GFP_KERNEL);
+ if (!a->act_cookie)
+-- 
+2.1.4
+
diff --git a/CVE-2017-7979-0002-net-sched-actions-allocate-act-cookie-early.patch b/CVE-2017-7979-0002-net-sched-actions-allocate-act-cookie-early.patch
new file mode 100644
index 0000000..7ba37e1
--- /dev/null
+++ b/CVE-2017-7979-0002-net-sched-actions-allocate-act-cookie-early.patch
@@ -0,0 +1,142 @@
+From 3fe083491bf6c688d34c6e300f14d775a5b8a443 Mon Sep 17 00:00:00 2001
+From: Wolfgang Bumiller
+Date: Mon, 24 Apr 2017 16:26:00 +0200
+Subject: [PATCH 2/2] net sched actions: allocate act cookie early
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1682368
+
+Policing filters do not use the TCA_ACT_* enum and the tb[]
+nlattr array in tcf_action_init_1() doesn't get filled for
+them so we should not try to look for a TCA_ACT_COOKIE
+attribute in the then uninitialized array.
+The error handling in cookie allocation then calls
+tcf_hash_release() leading to invalid memory access later
+on.
+Additionally, if cookie allocation fails after an already
+existing non-policing filter has successfully been changed,
+tcf_action_release() should not be called, also we would
+have to roll back the changes in the error handling, so
+instead we now allocate the cookie early and assign it on
+success at the end.
+
+CVE-2017-7979
+Fixes: 1045ba77a596 ("net sched actions: Add support for user cookies")
+Signed-off-by: Wolfgang Bumiller
+Acked-by: Jamal Hadi Salim
+Signed-off-by: David S. Miller
+(cherry picked from commit e0535ce58b92d7baf0b33284a6c4f8f0338f943e)
+Signed-off-by: Fabian Grünbichler
+Acked-by: Kamal Mostafa
+Acked-by: Seth Forshee
+Signed-off-by: Stefan Bader
+
+Signed-off-by: Fabian Grünbichler
+---
+ net/sched/act_api.c | 55 +++++++++++++++++++++++++++++++----------------------
+ 1 file changed, 32 insertions(+), 23 deletions(-)
+
+diff --git a/net/sched/act_api.c b/net/sched/act_api.c
+index e336f30..bdbc7a9 100644
+--- a/net/sched/act_api.c
++++ b/net/sched/act_api.c
+@@ -532,20 +532,20 @@ int tcf_action_dump(struct sk_buff *skb, struct list_head *actions,
+ return err;
+ }
+ 
+-static int nla_memdup_cookie(struct tc_action *a, struct nlattr **tb)
++static struct tc_cookie *nla_memdup_cookie(struct nlattr **tb)
+ {
+- a->act_cookie = kzalloc(sizeof(*a->act_cookie), GFP_KERNEL);
+- if (!a->act_cookie)
+- return -ENOMEM;
++ struct tc_cookie *c = kzalloc(sizeof(*c), GFP_KERNEL);
++ if (!c)
++ return NULL;
+ 
+- a->act_cookie->data = nla_memdup(tb[TCA_ACT_COOKIE], GFP_KERNEL);
+- if (!a->act_cookie->data) {
+- kfree(a->act_cookie);
+- return -ENOMEM;
++ c->data = nla_memdup(tb[TCA_ACT_COOKIE], GFP_KERNEL);
++ if (!c->data) {
++ kfree(c);
++ return NULL;
+ }
+- a->act_cookie->len = nla_len(tb[TCA_ACT_COOKIE]);
++ c->len = nla_len(tb[TCA_ACT_COOKIE]);
+ 
+- return 0;
++ return c;
+ }
+ 
+ struct tc_action *tcf_action_init_1(struct net *net, struct nlattr *nla,
+@@ -554,6 +554,7 @@ struct tc_action *tcf_action_init_1(struct net *net, struct nlattr *nla,
+ {
+ struct tc_action *a;
+ struct tc_action_ops *a_o;
++ struct tc_cookie *cookie = NULL;
+ char act_name[IFNAMSIZ];
+ struct nlattr *tb[TCA_ACT_MAX + 1];
+ struct nlattr *kind;
+@@ -569,6 +570,18 @@ struct tc_action *tcf_action_init_1(struct net *net, struct nlattr *nla,
+ goto err_out;
+ if (nla_strlcpy(act_name, kind, IFNAMSIZ) >= IFNAMSIZ)
+ goto err_out;
++ if (tb[TCA_ACT_COOKIE]) {
++ int cklen = nla_len(tb[TCA_ACT_COOKIE]);
++
++ if (cklen > TC_COOKIE_MAX_SIZE)
++ goto err_out;
++
++ cookie = nla_memdup_cookie(tb);
++ if (!cookie) {
++ err = -ENOMEM;
++ goto err_out;
++ }
++ }
+ } else {
+ err = -EINVAL;
+ if (strlcpy(act_name, name, IFNAMSIZ) >= IFNAMSIZ)
+@@ -607,20 +620,12 @@ struct tc_action *tcf_action_init_1(struct net *net, struct nlattr *nla,
+ if (err < 0)
+ goto err_mod;
+ 
+- if (tb[TCA_ACT_COOKIE]) {
+- int cklen = nla_len(tb[TCA_ACT_COOKIE]);
+-
+- if (cklen > TC_COOKIE_MAX_SIZE) {
+- err = -EINVAL;
+- tcf_hash_release(a, bind);
+- goto err_mod;
+- }
+-
+- if (nla_memdup_cookie(a, tb) < 0) {
+- err = -ENOMEM;
+- tcf_hash_release(a, bind);
+- goto err_mod;
++ if (name == NULL && tb[TCA_ACT_COOKIE]) {
++ if (a->act_cookie) {
++ kfree(a->act_cookie->data);
++ kfree(a->act_cookie);
+ }
++ a->act_cookie = cookie;
+ }
+ 
+ /* module count goes up only when brand new policy is created
+@@ -635,6 +640,10 @@ struct tc_action *tcf_action_init_1(struct net *net, struct nlattr *nla,
+ err_mod:
+ module_put(a_o->owner);
+ err_out:
++ if (cookie) {
++ kfree(cookie->data);
++ kfree(cookie);
++ }
+ return ERR_PTR(err);
+ }
+ 
+-- 
+2.1.4
+
diff --git a/Makefile b/Makefile
index 2deadfa..57a92c5 100644
--- a/Makefile
+++ b/Makefile
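Review bot: In the nested `@@ -607,20 +620,12 @@` hunk the local `cookie` still points at the allocation after `a->act_cookie = cookie;`, while the new `err_out:` block frees whatever `cookie` points to; nothing visible between that assignment and `return a` jumps to `err_out`, but any error exit added there later would free the cookie twice, so clearing the local on hand-over, `a->act_cookie = cookie; cookie = NULL;`, would make the ownership transfer explicit. In the `@@ -569,6 +570,18 @@` hunk, `if (cklen > TC_COOKIE_MAX_SIZE) goto err_out;` relies on `err` already holding `-EINVAL` from code above the hunk (the removed lines set `err = -EINVAL;` explicitly before the same goto), so an explicit assignment before the goto would keep the size check self-contained. The previous cookie is also freed immediately after a plain pointer store replaces it; whether readers of `a->act_cookie` can run concurrently with this path is not visible here and is worth confirming. The body of `tcf_action_init_1()` starts and ends outside the hunks shown.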
@@ -227,8 +227,8 @@ ${KERNEL_SRC}/README ${KERNEL_CFG_ORG}: ${KERNEL_SRC_SUBMODULE} | submodules
 cd ${KERNEL_SRC}; patch -p1 < ../cgroup-cpuset-add-cpuset.remap_cpus.patch
 cd ${KERNEL_SRC}; patch -p1 < ../CVE-2017-2596-kvm-page-reference-leakage-in-handle_vmon.patch
 cd ${KERNEL_SRC}; patch -p1 < ../openvswitch-Set-internal-device-max-mtu-to-ETH_MAX_M.patch
- cd ${KERNEL_SRC}; patch -p1 < ../0001-net-sched-actions-fix-access-to-uninitialized-data.patch
- cd ${KERNEL_SRC}; patch -p1 < ../0002-net-sched-actions-decrement-module-refcount-earlier.patch
+ cd ${KERNEL_SRC}; patch -p1 < ../CVE-2017-7979-0001-net_sched-nla_memdup_cookie-can-be-static.patch
+ cd ${KERNEL_SRC}; patch -p1 < ../CVE-2017-7979-0002-net-sched-actions-allocate-act-cookie-early.patch
 sed -i ${KERNEL_SRC}/Makefile -e 's/^EXTRAVERSION.*$$/EXTRAVERSION=${EXTRAVERSION}/'
 touch $@