update fix for CVE-2017-7979 to final version

cherry-picked from Ubuntu Zesty's master-next
2017-05-05 09:06:13 +02:00 · 2017-05-05 09:06:13 +02:00 · 7f0f6370be
commit 7f0f6370be
parent 95cebd4144
5 changed files with 186 additions and 102 deletions
--- a/0001-net-sched-actions-fix-access-to-uninitialized-data.patch
+++ b/0001-net-sched-actions-fix-access-to-uninitialized-data.patch
@ -1,33 +0,0 @@
 From 45f4251eac81036e2532b16d13f1ad421813eca9 Mon Sep 17 00:00:00 2001
 From: Wolfgang Bumiller <w.bumiller@proxmox.com>
 Date: Thu, 13 Apr 2017 10:13:31 +0200
 Subject: [Zesty][PATCH 1/2] UBUNTU: SAUCE: net sched actions: fix access to uninitialized data
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1682368
 Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
 (cherry-picked from http://marc.info/?l=linux-netdev&m=149200746116365 )
 Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
 ---
 net/sched/act_api.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/net/sched/act_api.c b/net/sched/act_api.c
 index 501c42d..32f12f5 100644
 --- a/net/sched/act_api.c
 +++ b/net/sched/act_api.c
@@ -607,7 +607,7 @@ struct tc_action *tcf_action_init_1(struct net *net, struct nlattr *nla,
 	if (err < 0)
 		goto err_mod;
 -	if (tb[TCA_ACT_COOKIE]) {
 +	if (name == NULL && tb[TCA_ACT_COOKIE]) {
 		int cklen = nla_len(tb[TCA_ACT_COOKIE]);
 		if (cklen > TC_COOKIE_MAX_SIZE) {
 -- 
 2.1.4
--- a/0002-net-sched-actions-decrement-module-refcount-earlier.patch
+++ b/0002-net-sched-actions-decrement-module-refcount-earlier.patch
@ -1,67 +0,0 @@
 From b3c6f3b25edface1ece9b30aa1fe5d6f9abae098 Mon Sep 17 00:00:00 2001
 From: Wolfgang Bumiller <w.bumiller@proxmox.com>
 Date: Thu, 13 Apr 2017 10:13:32 +0200
 Subject: [Zesty][PATCH 2/2] UBUNTU: SAUCE: net sched actions: decrement module refcount earlier
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1682368
 Whether the reference count has to be decremented depends
 on whether the policy was created. If TCA_ACT_COOKIE is
 passed and an error occurs there, the same condition still
 has to be honored.
 Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
 (cherry-picked from http://marc.info/?l=linux-netdev&m=149200742616349)
 Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
 ---
 net/sched/act_api.c | 17 +++++++++--------
 1 file changed, 9 insertions(+), 8 deletions(-)
 diff --git a/net/sched/act_api.c b/net/sched/act_api.c
 index 32f12f5..07068ca 100644
 --- a/net/sched/act_api.c
 +++ b/net/sched/act_api.c
@@ -607,28 +607,29 @@ struct tc_action *tcf_action_init_1(struct net *net, struct nlattr *nla,
 	if (err < 0)
 		goto err_mod;
 +	/* module count goes up only when brand new policy is created
 +	 * if it exists and is only bound to in a_o->init() then
 +	 * ACT_P_CREATED is not returned (a zero is).
 +	 */
 +	if (err != ACT_P_CREATED)
 +		module_put(a_o->owner);
 +
 	if (name == NULL && tb[TCA_ACT_COOKIE]) {
 		int cklen = nla_len(tb[TCA_ACT_COOKIE]);
 		if (cklen > TC_COOKIE_MAX_SIZE) {
 			err = -EINVAL;
 			tcf_hash_release(a, bind);
 -			goto err_mod;
 +			goto err_out;
 		}
 		if (nla_memdup_cookie(a, tb) < 0) {
 			err = -ENOMEM;
 			tcf_hash_release(a, bind);
 -			goto err_mod;
 +			goto err_out;
 		}
 	}
 -	/* module count goes up only when brand new policy is created
 -	 * if it exists and is only bound to in a_o->init() then
 -	 * ACT_P_CREATED is not returned (a zero is).
 -	 */
 -	if (err != ACT_P_CREATED)
 -		module_put(a_o->owner);
 	return a;
 -- 
 2.1.4
--- a/CVE-2017-7979-0001-net_sched-nla_memdup_cookie-can-be-static.patch
+++ b/CVE-2017-7979-0001-net_sched-nla_memdup_cookie-can-be-static.patch
@ -0,0 +1,42 @@
 From e18cf144f49054fa79d43689accdd2766618953d Mon Sep 17 00:00:00 2001
 From: Wei Yongjun <weiyongjun1@huawei.com>
 Date: Mon, 24 Apr 2017 16:26:00 +0200
 Subject: [PATCH 1/2] net_sched: nla_memdup_cookie() can be static
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1682368
 Fixes the following sparse warning:
 net/sched/act_api.c:532:5: warning:
 symbol 'nla_memdup_cookie' was not declared. Should it be static?
 Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
 Signed-off-by: David S. Miller <davem@davemloft.net>
 (cherry picked from commit 6f2e3f7d9785dacb358b48b44950182b5c13e4bc)
 Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
 Acked-by: Kamal Mostafa <kamal@canonical.com>
 Acked-by: Seth Forshee <seth.forshee@canonical.com>
 Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
 ---
 net/sched/act_api.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/net/sched/act_api.c b/net/sched/act_api.c
 index 501c42d..e336f30 100644
 --- a/net/sched/act_api.c
 +++ b/net/sched/act_api.c
@@ -532,7 +532,7 @@ int tcf_action_dump(struct sk_buff *skb, struct list_head *actions,
 	return err;
 }
 -int nla_memdup_cookie(struct tc_action *a, struct nlattr **tb)
 +static int nla_memdup_cookie(struct tc_action *a, struct nlattr **tb)
 {
 	a->act_cookie = kzalloc(sizeof(*a->act_cookie), GFP_KERNEL);
 	if (!a->act_cookie)
 -- 
 2.1.4
--- a/CVE-2017-7979-0002-net-sched-actions-allocate-act-cookie-early.patch
+++ b/CVE-2017-7979-0002-net-sched-actions-allocate-act-cookie-early.patch
@ -0,0 +1,142 @@
 From 3fe083491bf6c688d34c6e300f14d775a5b8a443 Mon Sep 17 00:00:00 2001
 From: Wolfgang Bumiller <w.bumiller@proxmox.com>
 Date: Mon, 24 Apr 2017 16:26:00 +0200
 Subject: [PATCH 2/2] net sched actions: allocate act cookie early
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1682368
 Policing filters do not use the TCA_ACT_* enum and the tb[]
 nlattr array in tcf_action_init_1() doesn't get filled for
 them so we should not try to look for a TCA_ACT_COOKIE
 attribute in the then uninitialized array.
 The error handling in cookie allocation then calls
 tcf_hash_release() leading to invalid memory access later
 on.
 Additionally, if cookie allocation fails after an already
 existing non-policing filter has successfully been changed,
 tcf_action_release() should not be called, also we would
 have to roll back the changes in the error handling, so
 instead we now allocate the cookie early and assign it on
 success at the end.
 CVE-2017-7979
 Fixes: 1045ba77a596 ("net sched actions: Add support for user cookies")
 Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
 Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
 Signed-off-by: David S. Miller <davem@davemloft.net>
 (cherry picked from commit e0535ce58b92d7baf0b33284a6c4f8f0338f943e)
 Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
 Acked-by: Kamal Mostafa <kamal@canonical.com>
 Acked-by: Seth Forshee <seth.forshee@canonical.com>
 Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
 Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
 ---
 net/sched/act_api.c | 55 +++++++++++++++++++++++++++++++----------------------
 1 file changed, 32 insertions(+), 23 deletions(-)
 diff --git a/net/sched/act_api.c b/net/sched/act_api.c
 index e336f30..bdbc7a9 100644
 --- a/net/sched/act_api.c
 +++ b/net/sched/act_api.c
@@ -532,20 +532,20 @@ int tcf_action_dump(struct sk_buff *skb, struct list_head *actions,
 	return err;
 }
 -static int nla_memdup_cookie(struct tc_action *a, struct nlattr **tb)
 +static struct tc_cookie *nla_memdup_cookie(struct nlattr **tb)
 {
 -	a->act_cookie = kzalloc(sizeof(*a->act_cookie), GFP_KERNEL);
 -	if (!a->act_cookie)
 -		return -ENOMEM;
 +	struct tc_cookie *c = kzalloc(sizeof(*c), GFP_KERNEL);
 +	if (!c)
 +		return NULL;
 -	a->act_cookie->data = nla_memdup(tb[TCA_ACT_COOKIE], GFP_KERNEL);
 -	if (!a->act_cookie->data) {
 -		kfree(a->act_cookie);
 -		return -ENOMEM;
 +	c->data = nla_memdup(tb[TCA_ACT_COOKIE], GFP_KERNEL);
 +	if (!c->data) {
 +		kfree(c);
 +		return NULL;
 	}
 -	a->act_cookie->len = nla_len(tb[TCA_ACT_COOKIE]);
 +	c->len = nla_len(tb[TCA_ACT_COOKIE]);
 -	return 0;
 +	return c;
 }
 struct tc_action *tcf_action_init_1(struct net *net, struct nlattr *nla,
@@ -554,6 +554,7 @@ struct tc_action *tcf_action_init_1(struct net *net, struct nlattr *nla,
 {
 	struct tc_action *a;
 	struct tc_action_ops *a_o;
 +	struct tc_cookie *cookie = NULL;
 	char act_name[IFNAMSIZ];
 	struct nlattr *tb[TCA_ACT_MAX + 1];
 	struct nlattr *kind;
@@ -569,6 +570,18 @@ struct tc_action *tcf_action_init_1(struct net *net, struct nlattr *nla,
 			goto err_out;
 		if (nla_strlcpy(act_name, kind, IFNAMSIZ) >= IFNAMSIZ)
 			goto err_out;
 +		if (tb[TCA_ACT_COOKIE]) {
 +			int cklen = nla_len(tb[TCA_ACT_COOKIE]);
 +
 +			if (cklen > TC_COOKIE_MAX_SIZE)
 +				goto err_out;
 +
 +			cookie = nla_memdup_cookie(tb);
 +			if (!cookie) {
 +				err = -ENOMEM;
 +				goto err_out;
 +			}
 +		}
 	} else {
 		err = -EINVAL;
 		if (strlcpy(act_name, name, IFNAMSIZ) >= IFNAMSIZ)
@@ -607,20 +620,12 @@ struct tc_action *tcf_action_init_1(struct net *net, struct nlattr *nla,
 	if (err < 0)
 		goto err_mod;
 -	if (tb[TCA_ACT_COOKIE]) {
 -		int cklen = nla_len(tb[TCA_ACT_COOKIE]);
 -
 -		if (cklen > TC_COOKIE_MAX_SIZE) {
 -			err = -EINVAL;
 -			tcf_hash_release(a, bind);
 -			goto err_mod;
 -		}
 -
 -		if (nla_memdup_cookie(a, tb) < 0) {
 -			err = -ENOMEM;
 -			tcf_hash_release(a, bind);
 -			goto err_mod;
 +	if (name == NULL && tb[TCA_ACT_COOKIE]) {
 +		if (a->act_cookie) {
 +			kfree(a->act_cookie->data);
 +			kfree(a->act_cookie);
 		}
 +		a->act_cookie = cookie;
 	}
 	/* module count goes up only when brand new policy is created
@@ -635,6 +640,10 @@ struct tc_action *tcf_action_init_1(struct net *net, struct nlattr *nla,
 err_mod:
 	module_put(a_o->owner);
 err_out:
 +	if (cookie) {
 +		kfree(cookie->data);
 +		kfree(cookie);
 +	}
 	return ERR_PTR(err);
 }
 -- 
 2.1.4
--- a/4
+++ b/4
@ -227,8 +227,8 @@ ${KERNEL_SRC}/README ${KERNEL_CFG_ORG}: ${KERNEL_SRC_SUBMODULE} | submodules
 	cd ${KERNEL_SRC}; patch -p1 < ../cgroup-cpuset-add-cpuset.remap_cpus.patch
 	cd ${KERNEL_SRC}; patch -p1 < ../CVE-2017-2596-kvm-page-reference-leakage-in-handle_vmon.patch
 	cd ${KERNEL_SRC}; patch -p1 < ../openvswitch-Set-internal-device-max-mtu-to-ETH_MAX_M.patch
-	cd ${KERNEL_SRC}; patch -p1 < ../0001-net-sched-actions-fix-access-to-uninitialized-data.patch
+	cd ${KERNEL_SRC}; patch -p1 < ../CVE-2017-7979-0001-net_sched-nla_memdup_cookie-can-be-static.patch
-	cd ${KERNEL_SRC}; patch -p1 < ../0002-net-sched-actions-decrement-module-refcount-earlier.patch
+	cd ${KERNEL_SRC}; patch -p1 < ../CVE-2017-7979-0002-net-sched-actions-allocate-act-cookie-early.patch
 	sed -i ${KERNEL_SRC}/Makefile -e 's/^EXTRAVERSION.*$$/EXTRAVERSION=${EXTRAVERSION}/'
 	touch $@