net: CVE-2017-17712

net: ipv4: fix for a race condition in raw_sendmsg Reference: https://nvd.nist.gov/vuln/detail/CVE-2017-17712 https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.14.y&id=3bc400bad0e003d40a0a2412411aed7cbae16f96 Change-Id: I1b0ffb5f7b61597bf9f86b833404e105477da943 Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
author: Andreas Wellving <andreas.wellving@enea.com> 2019-05-21 15:10:38 +0200
committer: Adrian Mangeac <Adrian.Mangeac@enea.com> 2019-05-21 17:05:21 +0200
commit: d5e3ea804e799cd30764c340477504501c108fcb (patch)
tree: fa69c2ecaba55abca704c894488193543f264de8
parent: d5bafc564e0b0afcf42cc0883e4b6f30c2e7e65a (diff)
download: enea-kernel-cache-d5e3ea804e799cd30764c340477504501c108fcb.tar.gz
1 files changed, 81 insertions, 0 deletions
diff --git a/patches/cve/CVE-2017-17712-net-ipv4-fix-for-a-race-condition-in-raw_sendmsg.patch b/patches/cve/CVE-2017-17712-net-ipv4-fix-for-a-race-condition-in-raw_sendmsg.patch
new file mode 100644
index 0000000..49a05fa
--- /dev/null
+++ b/patches/cve/CVE-2017-17712-net-ipv4-fix-for-a-race-condition-in-raw_sendmsg.patch
@@ -0,0 +1,81 @@
+From 3bc400bad0e003d40a0a2412411aed7cbae16f96 Mon Sep 17 00:00:00 2001
+From: Mohamed Ghannam <simo.ghannam@gmail.com>
+Date: Sun, 10 Dec 2017 03:50:58 +0000
+Subject: [PATCH] net: ipv4: fix for a race condition in raw_sendmsg
+[ Upstream commit 8f659a03a0ba9289b9aeb9b4470e6fb263d6f483 ]
+inet->hdrincl is racy, and could lead to uninitialized stack pointer
+usage, so its value should be read only once.
+CVE: CVE-2017-17712
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.14.y&id=3bc400bad0e003d40a0a2412411aed7cbae16f96]
+Fixes: c008ba5bdc9f ("ipv4: Avoid reading user iov twice after raw_probe_proto_opt")
+Signed-off-by: Mohamed Ghannam <simo.ghannam@gmail.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
+---
+ net/ipv4/raw.c | 15 ++++++++++-----
+ 1 file changed, 10 insertions(+), 5 deletions(-)
+diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c
+index 33b70bfd1122..125c1eab3eaa 100644
+--- a/net/ipv4/raw.c
+++ b/net/ipv4/raw.c
+@@ -513,11 +513,16 @@ static int raw_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
+        int err;
+        struct ip_options_data opt_copy;
+        struct raw_frag_vec rfv;
+       int hdrincl;
+ 
+        err = -EMSGSIZE;
+        if (len > 0xFFFF)
+                goto out;
+ 
+       /* hdrincl should be READ_ONCE(inet->hdrincl)
+        * but READ_ONCE() doesn't work with bit fields
+        */
+       hdrincl = inet->hdrincl;
+        /*
+         *      Check the flags.
+         */
+@@ -593,7 +598,7 @@ static int raw_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
+                /* Linux does not mangle headers on raw sockets,
+                 * so that IP options + IP_HDRINCL is non-sense.
+                 */
+-               if (inet->hdrincl)
+               if (hdrincl)
+                        goto done;
+                if (ipc.opt->opt.srr) {
+                        if (!daddr)
+@@ -615,12 +620,12 @@ static int raw_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
+ 
+        flowi4_init_output(&fl4, ipc.oif, sk->sk_mark, tos,
+                           RT_SCOPE_UNIVERSE,
+-                          inet->hdrincl ? IPPROTO_RAW : sk->sk_protocol,
+                          hdrincl ? IPPROTO_RAW : sk->sk_protocol,
+                           inet_sk_flowi_flags(sk) |
+-                           (inet->hdrincl ? FLOWI_FLAG_KNOWN_NH : 0),
+                           (hdrincl ? FLOWI_FLAG_KNOWN_NH : 0),
+                           daddr, saddr, 0, 0, sk->sk_uid);
+ 
+-       if (!inet->hdrincl) {
+       if (!hdrincl) {
+                rfv.msg = msg;
+                rfv.hlen = 0;
+ 
+@@ -645,7 +650,7 @@ static int raw_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
+                goto do_confirm;
+ back_from_confirm:
+ 
+-       if (inet->hdrincl)
+       if (hdrincl)
+                err = raw_send_hdrinc(sk, &fl4, msg, len,
+                                      &rt, msg->msg_flags, &ipc.sockc);
+ 
+-- 
+2.20.1
author	Andreas Wellving <andreas.wellving@enea.com>	2019-05-21 15:10:38 +0200
committer	Adrian Mangeac <Adrian.Mangeac@enea.com>	2019-05-21 17:05:21 +0200
commit	d5e3ea804e799cd30764c340477504501c108fcb (patch)
tree	fa69c2ecaba55abca704c894488193543f264de8
parent	d5bafc564e0b0afcf42cc0883e4b6f30c2e7e65a (diff)
download	enea-kernel-cache-d5e3ea804e799cd30764c340477504501c108fcb.tar.gz

diff --git a/patches/cve/CVE-2017-17712-net-ipv4-fix-for-a-race-condition-in-raw_sendmsg.patch b/patches/cve/CVE-2017-17712-net-ipv4-fix-for-a-race-condition-in-raw_sendmsg.patch new file mode 100644 index 0000000..49a05fa --- /dev/null +++ b/patches/cve/CVE-2017-17712-net-ipv4-fix-for-a-race-condition-in-raw_sendmsg.patch
@@ -0,0 +1,81 @@
	1	From 3bc400bad0e003d40a0a2412411aed7cbae16f96 Mon Sep 17 00:00:00 2001
	2	From: Mohamed Ghannam <simo.ghannam@gmail.com>
	3	Date: Sun, 10 Dec 2017 03:50:58 +0000
	4	Subject: [PATCH] net: ipv4: fix for a race condition in raw_sendmsg
	5
	6	[ Upstream commit 8f659a03a0ba9289b9aeb9b4470e6fb263d6f483 ]
	7
	8	inet->hdrincl is racy, and could lead to uninitialized stack pointer
	9	usage, so its value should be read only once.
	10
	11	CVE: CVE-2017-17712
	12	Upstream-Status: Backport [https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.14.y&id=3bc400bad0e003d40a0a2412411aed7cbae16f96]
	13
	14	Fixes: c008ba5bdc9f ("ipv4: Avoid reading user iov twice after raw_probe_proto_opt")
	15	Signed-off-by: Mohamed Ghannam <simo.ghannam@gmail.com>
	16	Reviewed-by: Eric Dumazet <edumazet@google.com>
	17	Signed-off-by: David S. Miller <davem@davemloft.net>
	18	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	19	Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
	20	---
	21	net/ipv4/raw.c \| 15 ++++++++++-----
	22	1 file changed, 10 insertions(+), 5 deletions(-)
	23
	24	diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c
	25	index 33b70bfd1122..125c1eab3eaa 100644
	26	--- a/net/ipv4/raw.c
	27	+++ b/net/ipv4/raw.c
	28	@@ -513,11 +513,16 @@ static int raw_sendmsg(struct sock sk, struct msghdr msg, size_t len)
	29	int err;
	30	struct ip_options_data opt_copy;
	31	struct raw_frag_vec rfv;
	32	+ int hdrincl;
	33
	34	err = -EMSGSIZE;
	35	if (len > 0xFFFF)
	36	goto out;
	37
	38	+ /* hdrincl should be READ_ONCE(inet->hdrincl)
	39	+ * but READ_ONCE() doesn't work with bit fields
	40	+ */
	41	+ hdrincl = inet->hdrincl;
	42	/*
	43	* Check the flags.
	44	*/
	45	@@ -593,7 +598,7 @@ static int raw_sendmsg(struct sock sk, struct msghdr msg, size_t len)
	46	/* Linux does not mangle headers on raw sockets,
	47	* so that IP options + IP_HDRINCL is non-sense.
	48	*/
	49	- if (inet->hdrincl)
	50	+ if (hdrincl)
	51	goto done;
	52	if (ipc.opt->opt.srr) {
	53	if (!daddr)
	54	@@ -615,12 +620,12 @@ static int raw_sendmsg(struct sock sk, struct msghdr msg, size_t len)
	55
	56	flowi4_init_output(&fl4, ipc.oif, sk->sk_mark, tos,
	57	RT_SCOPE_UNIVERSE,
	58	- inet->hdrincl ? IPPROTO_RAW : sk->sk_protocol,
	59	+ hdrincl ? IPPROTO_RAW : sk->sk_protocol,
	60	inet_sk_flowi_flags(sk) \|
	61	- (inet->hdrincl ? FLOWI_FLAG_KNOWN_NH : 0),
	62	+ (hdrincl ? FLOWI_FLAG_KNOWN_NH : 0),
	63	daddr, saddr, 0, 0, sk->sk_uid);
	64
	65	- if (!inet->hdrincl) {
	66	+ if (!hdrincl) {
	67	rfv.msg = msg;
	68	rfv.hlen = 0;
	69
	70	@@ -645,7 +650,7 @@ static int raw_sendmsg(struct sock sk, struct msghdr msg, size_t len)
	71	goto do_confirm;
	72	back_from_confirm:
	73
	74	- if (inet->hdrincl)
	75	+ if (hdrincl)
	76	err = raw_send_hdrinc(sk, &fl4, msg, len,
	77	&rt, msg->msg_flags, &ipc.sockc);
	78
	79	--
	80	2.20.1
	81