Date:   Wed, 2 Nov 2016 21:05:54 +0100
From:   Stefan Richter <stefanr@...6.in-berlin.de>
To:     linux1394-devel@...ts.sourceforge.net
Cc:     linux-kernel@...r.kernel.org, Eyal Itkin <eyal.itkin@...il.com>
Subject: [PATCH 0/3] firewire: net: IP-over-1394 link fragmentation fixes

The following patches
    1/3 firewire: net: guard against rx buffer overflows
    2/3 firewire: net: fix fragmented datagram_size off-by-one
    3/3 firewire: net: max MTU off by one
fix a few long-standing bugs of the IP-over-1394 driver firewire-net
related to reception and transmission of fragmented datagrams:

  - RX:  Missing validation of fragment offset and size makes the driver
    vulnerable to buffer overflows, potentially leading to remote¹ code
    execution.  Reported by Eyal Itkin.

    ¹) The vulnerability cannot be triggered by malformed IP datagrams,
    but by malformed IEEE 1394 packets sent from other FireWire nodes to
    the 1394 broadcast channel or to firewire-net's unicast FIFO, or can
    be sent from the local node to the unicast FIFO by sufficiently
    privileged userland.  I.e. an attack can only originate from somewhere
    on the FireWire bus, not from another network that is bridged to the
    FireWire bus.

  - RX:  Missing validation of unfragmented and fragmented datagrams for
    minimum packet size before looking at GASP header and encapsulation
    header.

  - RX and TX:  The datagram_size field of fragmented datagrams was read
    and written incorrectly; an offset of +/-1 needs to be applied.  This
    prevents fragmented traffic from/to nodes which run OS X, Windows XP,
    or Linux' older eth1394 driver.  (Traffic from Win XP would eventually
    be retried with smaller MTU and possibly succeed slowly despite the
    bug.)

Patch 1/3 is obviously urgent.

Patch 2/3 is a bit of a bother because while it fixes fragmented RX/TX with
OS X, Win XP, and eth1394, it does disrupt fragmented RX/TX with Linux
nodes which run an unfixed firewire-net.

Patch 3/3 will only apply in conjunction with changes that are queued up
in the net-next git tree, hence this patch will wait until net-next has
been merged.

Patches 1+2/3 are already pushed out to linux1394.git "testing" and
"for-next" branches, but I'd still like to get review comments before I
send a pull request.
-- 
Stefan Richter
-======----- =-== ---=-
http://arcgraph.de/sr/
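The two RX checks the cover letter describes (a minimum packet length before any header field is read, and a bounds check of fragment offset and length against datagram_size before copying into the reassembly buffer) together with the +1 decoding of datagram_size, as an added illustration in C. This is example code, not firewire-net's code or any of the three patches. The header layout it assumes (8-byte GASP header on broadcast packets, 4-byte unfragmented and 8-byte fragment encapsulation headers, a 12-bit datagram_size field carrying the length minus one) is RFC 2734 as recalled for this example, and the function names, the 4096-byte cap and the fragment packets are constructed here.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed layout (RFC 2734 as recalled; an assumption of this example):
 *   fragment header  w0: lf(2) rsv(2) datagram_size(12) fg_off|ether_type(16)
 *                    w1: dgl(16) rsv(16)
 *   datagram_size carries the datagram length minus one, hence the +1 / -1. */
#define GASP_HDR_SIZE       8u      /* specifier_ID(3) version(3) source_ID(2) */
#define RFC2734_UNFRAG_HDR  4u
#define RFC2734_FRAG_HDR    8u
#define MAX_DATAGRAM        4096u   /* largest value a 12-bit (len - 1) field expresses */

enum { LF_UNFRAG = 0, LF_FIRST = 1, LF_LAST = 2, LF_INTERIOR = 3 };

/* dg_size is decoded (wire + 1); fg_off is 0 for a first fragment; hdr_len counts
 * everything in front of the payload, GASP header included. */
struct frag_hdr { unsigned lf, dg_size, fg_off, dgl; size_t hdr_len; };
struct reassembly { uint8_t *buf; unsigned dg_size, dgl, received; };

static uint32_t get_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Length-check the packet before touching the GASP or encapsulation header. */
int parse_encap(const uint8_t *pkt, size_t len, int broadcast, struct frag_hdr *h)
{
    size_t skip = broadcast ? GASP_HDR_SIZE : 0;

    if (len < skip + RFC2734_UNFRAG_HDR)
        return -1;
    uint32_t w0 = get_be32(pkt + skip);
    h->lf = w0 >> 30;
    if (h->lf == LF_UNFRAG) {
        h->dg_size = h->fg_off = h->dgl = 0;
        h->hdr_len = skip + RFC2734_UNFRAG_HDR;
        return 0;
    }
    if (len < skip + RFC2734_FRAG_HDR)
        return -1;
    uint32_t w1 = get_be32(pkt + skip + 4);
    h->dg_size = ((w0 >> 16) & 0x0fffu) + 1;          /* the +1 the cover letter describes */
    h->fg_off  = (h->lf == LF_FIRST) ? 0 : (w0 & 0xffffu);
    h->dgl     = w1 >> 16;
    h->hdr_len = skip + RFC2734_FRAG_HDR;
    return 0;
}

/* Size the buffer from the first fragment's datagram_size. */
int reassembly_start(struct reassembly *r, const struct frag_hdr *h)
{
    if (h->lf != LF_FIRST || h->dg_size > MAX_DATAGRAM)
        return -1;
    r->buf = calloc(h->dg_size, 1);
    if (!r->buf)
        return -1;
    r->dg_size = h->dg_size;
    r->dgl = h->dgl;
    r->received = 0;
    return 0;
}

/* The missing validation: offset and length must fit in the buffer sized from
 * datagram_size.  Two comparisons, so that fg_off + len cannot wrap. */
int reassembly_add(struct reassembly *r, const struct frag_hdr *h,
                   const uint8_t *payload, size_t len)
{
    if (h->dgl != r->dgl || h->dg_size != r->dg_size)
        return -1;
    if (len == 0 || h->fg_off > r->dg_size || len > r->dg_size - h->fg_off)
        return -1;
    memcpy(r->buf + h->fg_off, payload, len);
    r->received += (unsigned)len;
    return 0;
}

/* Encode a fragment packet without GASP header (constructed test input). */
size_t build_frag(uint8_t *out, unsigned lf, unsigned dg_len, unsigned off_or_type,
                  unsigned dgl, const uint8_t *payload, size_t len)
{
    uint32_t w0 = ((uint32_t)lf << 30) | (((dg_len - 1) & 0x0fffu) << 16) | (off_or_type & 0xffffu);
    uint32_t w1 = (uint32_t)(dgl & 0xffffu) << 16;
    for (int i = 0; i < 4; i++) {
        out[i]     = (uint8_t)(w0 >> (24 - 8 * i));
        out[4 + i] = (uint8_t)(w1 >> (24 - 8 * i));
    }
    memcpy(out + RFC2734_FRAG_HDR, payload, len);
    return RFC2734_FRAG_HDR + len;
}

/* malicious == 0: a 100-byte datagram arrives as two honest fragments (returns 0).
 * malicious == 1: the second fragment claims offset 4000 with 500 bytes, which
 * would land 3400 bytes past a 100-byte buffer; it is rejected before memcpy (-1). */
int reassemble_example(int malicious)
{
    uint8_t payload[500], pkt[RFC2734_FRAG_HDR + sizeof payload];
    struct frag_hdr h;
    struct reassembly r;

    memset(payload, 0xab, sizeof payload);
    size_t n = build_frag(pkt, LF_FIRST, 100, 0x0800, 7, payload, 60);
    if (parse_encap(pkt, n, 0, &h) || reassembly_start(&r, &h))
        return -1;
    int rc = reassembly_add(&r, &h, pkt + h.hdr_len, n - h.hdr_len);
    if (rc == 0) {
        n = build_frag(pkt, LF_LAST, 100, malicious ? 4000 : 60, 7, payload, malicious ? 500 : 40);
        rc = parse_encap(pkt, n, 0, &h);
        if (rc == 0)
            rc = reassembly_add(&r, &h, pkt + h.hdr_len, n - h.hdr_len);
        if (rc == 0 && r.received != r.dg_size)
            rc = -1;
    }
    free(r.buf);
    return rc;
}

int main(void)
{
    printf("honest fragments:   %s\n", reassemble_example(0) == 0 ? "reassembled" : "rejected");
    printf("oversized fragment: %s\n", reassemble_example(1) == 0 ? "reassembled" : "rejected");
    return 0;
}
```

The same shape of check applies on the TX side's datagram_size encoding (length minus one) and to the unicast FIFO path; the `broadcast` flag only decides whether the GASP header is expected in front of the encapsulation header.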
