Cipso: CVE-2018-10938

Cipso: cipso_v4_optptr enter infinite loop References: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=40413955ee265a5e42f710940ec78f5450d49149 Signed-off-by: Andreas Wellving <andreas.wellving@enea.com> Change-Id: I8928fad715f3d323194c3e2021338087ad48042c
author: Andreas Wellving <andreas.wellving@enea.com> 2018-10-15 10:36:40 +0200
committer: Adrian Dudau <Adrian.Dudau@enea.com> 2018-10-16 17:40:32 +0200
commit: 9af805840de789140e83897ce485ada684a44946 (patch)
tree: ac0f59d2384cc26060ca4965c9e9c40da1d3be6c
parent: a706636a8a960796d819bb6471863a894f1943bf (diff)
download: enea-kernel-cache-9af805840de789140e83897ce485ada684a44946.tar.gz
2 files changed, 50 insertions, 0 deletions
diff --git a/patches/cve/4.9.x.scc b/patches/cve/4.9.x.scc
index b921809..75f6253 100644
--- a/patches/cve/4.9.x.scc
+++ b/patches/cve/4.9.x.scc
@@ -46,3 +46,6 @@ patch CVE-2018-12233-jfs-Fix-inconsistency-between-memory-allocation-and-.patch
 #CVEs fixed in 4.9.121:
 patch CVE-2018-9363-Bluetooth-hidp-buffer-overflow-in-hidp_process_repor.patch
+#CVEs fixed in 4.9.125:
+patch CVE-2018-10938-Cipso-cipso_v4_optptr-enter-infinite-loop.patch
diff --git a/patches/cve/CVE-2018-10938-Cipso-cipso_v4_optptr-enter-infinite-loop.patch b/patches/cve/CVE-2018-10938-Cipso-cipso_v4_optptr-enter-infinite-loop.patch
new file mode 100644
index 0000000..68a5d28
--- /dev/null
+++ b/patches/cve/CVE-2018-10938-Cipso-cipso_v4_optptr-enter-infinite-loop.patch
@@ -0,0 +1,47 @@
+From 40413955ee265a5e42f710940ec78f5450d49149 Mon Sep 17 00:00:00 2001
+From: "yujuan.qi" <yujuan.qi@mediatek.com>
+Date: Mon, 31 Jul 2017 11:23:01 +0800
+Subject: [PATCH] Cipso: cipso_v4_optptr enter infinite loop
+in for(),if((optlen > 0) && (optptr[1] == 0)), enter infinite loop.
+Test: receive a packet which the ip length > 20 and the first byte of ip option is 0, produce this issue
+CVE: CVE-2018-10938   
+Upstream-Status: Backport  
+Signed-off-by: yujuan.qi <yujuan.qi@mediatek.com>
+Acked-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
+---
+ net/ipv4/cipso_ipv4.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+diff --git a/net/ipv4/cipso_ipv4.c b/net/ipv4/cipso_ipv4.c
+index c4c6e19..2ae8f54 100644
+--- a/net/ipv4/cipso_ipv4.c
+++ b/net/ipv4/cipso_ipv4.c
+@@ -1523,9 +1523,17 @@ unsigned char *cipso_v4_optptr(const struct sk_buff *skb)
+        int taglen;
+ 
+        for (optlen = iph->ihl*4 - sizeof(struct iphdr); optlen > 0; ) {
+-               if (optptr[0] == IPOPT_CIPSO)
+               switch (optptr[0]) {
+               case IPOPT_CIPSO:
+                        return optptr;
+-               taglen = optptr[1];
+               case IPOPT_END:
+                       return NULL;
+               case IPOPT_NOOP:
+                       taglen = 1;
+                       break;
+               default:
+                       taglen = optptr[1];
+               }
+                optlen -= taglen;
+                optptr += taglen;
+        }
+-- 
+2.7.4
author	Andreas Wellving <andreas.wellving@enea.com>	2018-10-15 10:36:40 +0200
committer	Adrian Dudau <Adrian.Dudau@enea.com>	2018-10-16 17:40:32 +0200
commit	9af805840de789140e83897ce485ada684a44946 (patch)
tree	ac0f59d2384cc26060ca4965c9e9c40da1d3be6c
parent	a706636a8a960796d819bb6471863a894f1943bf (diff)
download	enea-kernel-cache-9af805840de789140e83897ce485ada684a44946.tar.gz

diff --git a/patches/cve/4.9.x.scc b/patches/cve/4.9.x.scc index b921809..75f6253 100644 --- a/patches/cve/4.9.x.scc +++ b/patches/cve/4.9.x.scc
@@ -46,3 +46,6 @@ patch CVE-2018-12233-jfs-Fix-inconsistency-between-memory-allocation-and-.patch
46		46
47	#CVEs fixed in 4.9.121:	47	#CVEs fixed in 4.9.121:
48	patch CVE-2018-9363-Bluetooth-hidp-buffer-overflow-in-hidp_process_repor.patch	48	patch CVE-2018-9363-Bluetooth-hidp-buffer-overflow-in-hidp_process_repor.patch
		49
		50	#CVEs fixed in 4.9.125:
		51	patch CVE-2018-10938-Cipso-cipso_v4_optptr-enter-infinite-loop.patch


diff --git a/patches/cve/CVE-2018-10938-Cipso-cipso_v4_optptr-enter-infinite-loop.patch b/patches/cve/CVE-2018-10938-Cipso-cipso_v4_optptr-enter-infinite-loop.patch new file mode 100644 index 0000000..68a5d28 --- /dev/null +++ b/patches/cve/CVE-2018-10938-Cipso-cipso_v4_optptr-enter-infinite-loop.patch
@@ -0,0 +1,47 @@
		1	From 40413955ee265a5e42f710940ec78f5450d49149 Mon Sep 17 00:00:00 2001
		2	From: "yujuan.qi" <yujuan.qi@mediatek.com>
		3	Date: Mon, 31 Jul 2017 11:23:01 +0800
		4	Subject: [PATCH] Cipso: cipso_v4_optptr enter infinite loop
		5
		6	in for(),if((optlen > 0) && (optptr[1] == 0)), enter infinite loop.
		7
		8	Test: receive a packet which the ip length > 20 and the first byte of ip option is 0, produce this issue
		9
		10	CVE: CVE-2018-10938
		11	Upstream-Status: Backport
		12
		13	Signed-off-by: yujuan.qi <yujuan.qi@mediatek.com>
		14	Acked-by: Paul Moore <paul@paul-moore.com>
		15	Signed-off-by: David S. Miller <davem@davemloft.net>
		16	Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
		17	---
		18	net/ipv4/cipso_ipv4.c \| 12 ++++++++++--
		19	1 file changed, 10 insertions(+), 2 deletions(-)
		20
		21	diff --git a/net/ipv4/cipso_ipv4.c b/net/ipv4/cipso_ipv4.c
		22	index c4c6e19..2ae8f54 100644
		23	--- a/net/ipv4/cipso_ipv4.c
		24	+++ b/net/ipv4/cipso_ipv4.c
		25	@@ -1523,9 +1523,17 @@ unsigned char cipso_v4_optptr(const struct sk_buff skb)
		26	int taglen;
		27
		28	for (optlen = iph->ihl*4 - sizeof(struct iphdr); optlen > 0; ) {
		29	- if (optptr[0] == IPOPT_CIPSO)
		30	+ switch (optptr[0]) {
		31	+ case IPOPT_CIPSO:
		32	return optptr;
		33	- taglen = optptr[1];
		34	+ case IPOPT_END:
		35	+ return NULL;
		36	+ case IPOPT_NOOP:
		37	+ taglen = 1;
		38	+ break;
		39	+ default:
		40	+ taglen = optptr[1];
		41	+ }
		42	optlen -= taglen;
		43	optptr += taglen;
		44	}
		45	--
		46	2.7.4
		47