| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <1537207349.7627.32.camel@amazon.de>
Date: Mon, 17 Sep 2018 18:02:29 +0000
From: "Nuernberger, Stefan" <snu@...zon.de>
To: "paul@...l-moore.com" <paul@...l-moore.com>
CC: "netdev@...r.kernel.org" <netdev@...r.kernel.org>,
"Nuernberger, Stefan" <snu@...zon.de>,
"yujuan.qi@...iatek.com" <yujuan.qi@...iatek.com>,
"Shah, Amit" <aams@...zon.de>,
"stable@...r.kernel.org" <stable@...r.kernel.org>
Subject: Re: [PATCH net] net/ipv4: defensive cipso option parsing
On Mon, 2018-09-17 at 12:35 -0400, Paul Moore wrote:
> On Mon, Sep 17, 2018 at 11:12 AM Stefan Nuernberger <snu@...zon.com>
> wrote:
> >
> > commit 40413955ee26 ("Cipso: cipso_v4_optptr enter infinite loop")
> > fixed
> > a possible infinite loop in the IP option parsing of CIPSO. The fix
> > assumes that ip_options_compile filtered out all zero length
> > options and
> > that no other one-byte options beside IPOPT_END and IPOPT_NOOP
> > exist.
> > While this assumption currently holds true, add explicit checks for
> > zero
> > length and invalid length options to be safe for the future. Even
> > though
> > ip_options_compile should have validated the options, the
> > introduction of
> > new one-byte options can still confuse this code without the
> > additional
> > checks.
> >
> > Signed-off-by: Stefan Nuernberger <snu@...zon.com>
> > Reviewed-by: David Woodhouse <dwmw@...zon.co.uk>
> > Reviewed-by: Simon Veith <sveith@...zon.de>
> > Cc: stable@...r.kernel.org
> > ---
> > net/ipv4/cipso_ipv4.c | 10 ++++++++--
> > 1 file changed, 8 insertions(+), 2 deletions(-)
> >
> > diff --git a/net/ipv4/cipso_ipv4.c b/net/ipv4/cipso_ipv4.c
> > index 82178cc69c96..f291b57b8474 100644
> > --- a/net/ipv4/cipso_ipv4.c
> > +++ b/net/ipv4/cipso_ipv4.c
> > @@ -1512,7 +1512,7 @@ static int cipso_v4_parsetag_loc(const struct
> > cipso_v4_doi *doi_def,
> > *
> > * Description:
> > * Parse the packet's IP header looking for a CIPSO
> > option. Returns a pointer
> > - * to the start of the CIPSO option on success, NULL if one if not
> > found.
> > + * to the start of the CIPSO option on success, NULL if one is not
> > found.
> > *
> > */
> > unsigned char *cipso_v4_optptr(const struct sk_buff *skb)
> > @@ -1522,9 +1522,11 @@ unsigned char *cipso_v4_optptr(const struct
> > sk_buff *skb)
> > int optlen;
> > int taglen;
> >
> > - for (optlen = iph->ihl*4 - sizeof(struct iphdr); optlen >
> > 0; ) {
> > + for (optlen = iph->ihl*4 - sizeof(struct iphdr); optlen >
> > 1; ) {
> > switch (optptr[0]) {
> > case IPOPT_CIPSO:
> > + if (!optptr[1] || optptr[1] > optlen)
> > + return NULL;
> > return optptr;
> > case IPOPT_END:
> > return NULL;
> > @@ -1534,6 +1536,10 @@ unsigned char *cipso_v4_optptr(const struct
> > sk_buff *skb)
> > default:
> > taglen = optptr[1];
> > }
> > +
> > + if (!taglen || taglen > optlen)
> > + break;
> I tend to think that you reach a point where you simply need to trust
> that the stack is doing the right thing and that by the time you hit
> a
> certain point you can safely assume that the packet is well formed,
> but I'm not going to fight about that here.
>
> Regardless of the above, I don't like how you're doing the option
> length check twice in this code, that looks ugly to me, I think we
> can
> do better. How about something like this:
>
> for (...) {
> switch(optptr[0]) {
> case IPOPT_END:
> return NULL;
> case IPOPT_NOOP:
> taglen = 1;
> default:
> taglen = optptr[1];
> }
> if (taglen == 0 || taglen > optlen)
> return NULL;
> if (optptr[0] == IPOPT_CIPSO)
> return optptr;
> ....
> }
>
You're right, that looks much better. I sent around a new patch.
> >
> > optlen -= taglen;
> > optptr += taglen;
> > }
Amazon Development Center Germany GmbH
Berlin - Dresden - Aachen
main office: Krausenstr. 38, 10117 Berlin
Geschaeftsfuehrer: Dr. Ralf Herbrich, Christian Schlaeger
Ust-ID: DE289237879
Eingetragen am Amtsgericht Charlottenburg HRB 149173 B
Powered by blists - more mailing lists