| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <lsq.1487198494.589364691@decadent.org.uk>
Date: Wed, 15 Feb 2017 22:41:34 +0000
From: Ben Hutchings <ben@...adent.org.uk>
To: linux-kernel@...r.kernel.org, stable@...r.kernel.org
CC: akpm@...ux-foundation.org, "David S. Miller" <davem@...emloft.net>,
"Ying Xue" <ying.xue@...driver.com>,
"Qian Zhang (张谦)" <zhangqian-c@....cn>,
"Michal Kubeček" <mkubecek@...e.cz>
Subject: [PATCH 3.2 097/126] tipc: check minimum bearer MTU
3.2.85-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Michal Kubeček <mkubecek@...e.cz>
commit 3de81b758853f0b29c61e246679d20b513c4cfec upstream.
Qian Zhang (张谦) reported a potential socket buffer overflow in
tipc_msg_build() which is also known as CVE-2016-8632: due to
insufficient checks, a buffer overflow can occur if MTU is too short for
even tipc headers. As anyone can set device MTU in a user/net namespace,
this issue can be abused by a regular user.
As agreed in the discussion on Ben Hutchings' original patch, we should
check the MTU at the moment a bearer is attached rather than for each
processed packet. We also need to repeat the check when bearer MTU is
adjusted to new device MTU. UDP case also needs a check to avoid
overflow when calculating bearer MTU.
Fixes: b97bf3fd8f6a ("[TIPC] Initial merge")
Signed-off-by: Michal Kubecek <mkubecek@...e.cz>
Reported-by: Qian Zhang (张谦) <zhangqian-c@....cn>
Acked-by: Ying Xue <ying.xue@...driver.com>
Signed-off-by: David S. Miller <davem@...emloft.net>
[bwh: Backported to 3.2:
- Adjust filename, context
- Duplicate macro definitions in bearer.h to avoid mutual inclusion
- NETDEV_CHANGEMTU and NETDEV_CHANGEADDR cases in net notifier were combined
- Drop changes in udp_media.c]
Signed-off-by: Ben Hutchings <ben@...adent.org.uk>
---
--- a/net/tipc/eth_media.c
+++ b/net/tipc/eth_media.c
@@ -167,6 +167,10 @@ static int enable_bearer(struct tipc_bea
read_unlock(&dev_base_lock);
if (!dev)
return -ENODEV;
+ if (tipc_mtu_bad(dev, 0)) {
+ dev_put(dev);
+ return -EINVAL;
+ }
/* Create Ethernet bearer for device */
@@ -227,8 +231,6 @@ static int recv_notification(struct noti
if (!eb_ptr->bearer)
return NOTIFY_DONE; /* bearer had been disabled */
- eb_ptr->bearer->mtu = dev->mtu;
-
switch (evt) {
case NETDEV_CHANGE:
if (netif_carrier_ok(dev))
@@ -243,6 +245,12 @@ static int recv_notification(struct noti
tipc_block_bearer(eb_ptr->bearer->name);
break;
case NETDEV_CHANGEMTU:
+ if (tipc_mtu_bad(dev, 0)) {
+ tipc_disable_bearer(eb_ptr->bearer->name);
+ break;
+ }
+ eb_ptr->bearer->mtu = dev->mtu;
+ /* fall through */
case NETDEV_CHANGEADDR:
tipc_block_bearer(eb_ptr->bearer->name);
tipc_continue(eb_ptr->bearer);
--- a/net/tipc/bearer.h
+++ b/net/tipc/bearer.h
@@ -47,6 +47,13 @@
*/
#define TIPC_MEDIA_TYPE_ETH 1
+/* Message header sizes from msg.h - duplicated to avoid mutual inclusion */
+#define INT_H_SIZE 40
+#define MAX_H_SIZE 60
+
+/* minimum bearer MTU */
+#define TIPC_MIN_BEARER_MTU (MAX_H_SIZE + INT_H_SIZE)
+
/*
* Destination address structure used by TIPC bearers when sending messages
*
@@ -209,4 +216,13 @@ static inline int tipc_bearer_send(struc
return !b_ptr->media->send_msg(buf, b_ptr, dest);
}
+/* check if device MTU is too low for tipc headers */
+static inline bool tipc_mtu_bad(struct net_device *dev, unsigned int reserve)
+{
+ if (dev->mtu >= TIPC_MIN_BEARER_MTU + reserve)
+ return false;
+ netdev_warn(dev, "MTU too low for tipc bearer\n");
+ return true;
+}
+
#endif /* _TIPC_BEARER_H */
Powered by blists - more mailing lists