lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <lsq.1487198501.992712077@decadent.org.uk>
Date:   Wed, 15 Feb 2017 22:41:41 +0000
From:   Ben Hutchings <ben@...adent.org.uk>
To:     linux-kernel@...r.kernel.org, stable@...r.kernel.org
CC:     akpm@...ux-foundation.org,
        "Michal Kubeček" <mkubecek@...e.cz>,
        "Qian Zhang (张谦)" <zhangqian-c@....cn>,
        "Ying Xue" <ying.xue@...driver.com>,
        "David S. Miller" <davem@...emloft.net>
Subject: [PATCH 3.16 276/306] tipc: check minimum bearer MTU

3.16.40-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Michal Kubeček <mkubecek@...e.cz>

commit 3de81b758853f0b29c61e246679d20b513c4cfec upstream.

Qian Zhang (张谦) reported a potential socket buffer overflow in
tipc_msg_build() which is also known as CVE-2016-8632: due to
insufficient checks, a buffer overflow can occur if MTU is too short for
even tipc headers. As anyone can set device MTU in a user/net namespace,
this issue can be abused by a regular user.

As agreed in the discussion on Ben Hutchings' original patch, we should
check the MTU at the moment a bearer is attached rather than for each
processed packet. We also need to repeat the check when bearer MTU is
adjusted to new device MTU. UDP case also needs a check to avoid
overflow when calculating bearer MTU.

Fixes: b97bf3fd8f6a ("[TIPC] Initial merge")
Signed-off-by: Michal Kubecek <mkubecek@...e.cz>
Reported-by: Qian Zhang (张谦) <zhangqian-c@....cn>
Acked-by: Ying Xue <ying.xue@...driver.com>
Signed-off-by: David S. Miller <davem@...emloft.net>
[bwh: Backported to 3.16:
 - Adjust context
 - Duplicate macro definitions in bearer.h to avoid mutual inclusion
 - NETDEV_DOWN and NETDEV_CHANGEMTU cases in net notifier were combined
 - Drop changes in udp_media.c]
Signed-off-by: Ben Hutchings <ben@...adent.org.uk>
---
--- a/net/tipc/bearer.c
+++ b/net/tipc/bearer.c
@@ -420,6 +420,10 @@ int tipc_enable_l2_media(struct tipc_bea
 	dev = dev_get_by_name(&init_net, driver_name);
 	if (!dev)
 		return -ENODEV;
+	if (tipc_mtu_bad(dev, 0)) {
+		dev_put(dev);
+		return -EINVAL;
+	}
 
 	/* Associate TIPC bearer with L2 bearer */
 	rcu_assign_pointer(b->media_ptr, dev);
@@ -564,14 +568,19 @@ static int tipc_l2_device_event(struct n
 	if (!b_ptr)
 		return NOTIFY_DONE;
 
-	b_ptr->mtu = dev->mtu;
-
 	switch (evt) {
 	case NETDEV_CHANGE:
 		if (netif_carrier_ok(dev))
 			break;
 	case NETDEV_DOWN:
+		tipc_reset_bearer(b_ptr);
+		break;
 	case NETDEV_CHANGEMTU:
+		if (tipc_mtu_bad(dev, 0)) {
+			bearer_disable(b_ptr, false);
+			break;
+		}
+		b_ptr->mtu = dev->mtu;
 		tipc_reset_bearer(b_ptr);
 		break;
 	case NETDEV_CHANGEADDR:
--- a/net/tipc/bearer.h
+++ b/net/tipc/bearer.h
@@ -50,6 +50,13 @@
 #define TIPC_MEDIA_ADDR_SIZE	32
 #define TIPC_MEDIA_TYPE_OFFSET	3
 
+/* Message header sizes from msg.h - duplicated to avoid mutual inclusion */
+#define INT_H_SIZE                40
+#define MAX_H_SIZE                60
+
+/* minimum bearer MTU */
+#define TIPC_MIN_BEARER_MTU	(MAX_H_SIZE + INT_H_SIZE)
+
 /*
  * Identifiers of supported TIPC media types
  */
@@ -196,4 +203,13 @@ void tipc_bearer_stop(void);
 void tipc_bearer_send(u32 bearer_id, struct sk_buff *buf,
 		      struct tipc_media_addr *dest);
 
+/* check if device MTU is too low for tipc headers */
+static inline bool tipc_mtu_bad(struct net_device *dev, unsigned int reserve)
+{
+	if (dev->mtu >= TIPC_MIN_BEARER_MTU + reserve)
+		return false;
+	netdev_warn(dev, "MTU too low for tipc bearer\n");
+	return true;
+}
+
 #endif	/* _TIPC_BEARER_H */

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ