get:
Show a patch.

patch:
Update a patch.

put:
Update a patch.

GET /api/1.2/patches/811003/?format=api
HTTP 200 OK
Allow: GET, PUT, PATCH, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "id": 811003,
    "url": "http://patchwork.ozlabs.org/api/1.2/patches/811003/?format=api",
    "web_url": "http://patchwork.ozlabs.org/project/ubuntu-kernel/patch/20170907130233.30902-1-kleber.souza@canonical.com/",
    "project": {
        "id": 15,
        "url": "http://patchwork.ozlabs.org/api/1.2/projects/15/?format=api",
        "name": "Ubuntu Kernel",
        "link_name": "ubuntu-kernel",
        "list_id": "kernel-team.lists.ubuntu.com",
        "list_email": "kernel-team@lists.ubuntu.com",
        "web_url": null,
        "scm_url": null,
        "webscm_url": null,
        "list_archive_url": "",
        "list_archive_url_format": "",
        "commit_url_format": ""
    },
    "msgid": "<20170907130233.30902-1-kleber.souza@canonical.com>",
    "list_archive_url": null,
    "date": "2017-09-07T13:02:33",
    "name": "[Trusty,SRU,CVE-2016-8633] firewire: net: guard against rx buffer overflows",
    "commit_ref": null,
    "pull_url": null,
    "state": "new",
    "archived": false,
    "hash": "e4f88df72a7a8dcc2e02af02a4f82ed86431d5a1",
    "submitter": {
        "id": 71419,
        "url": "http://patchwork.ozlabs.org/api/1.2/people/71419/?format=api",
        "name": "Kleber Sacilotto de Souza",
        "email": "kleber.souza@canonical.com"
    },
    "delegate": null,
    "mbox": "http://patchwork.ozlabs.org/project/ubuntu-kernel/patch/20170907130233.30902-1-kleber.souza@canonical.com/mbox/",
    "series": [
        {
            "id": 1997,
            "url": "http://patchwork.ozlabs.org/api/1.2/series/1997/?format=api",
            "web_url": "http://patchwork.ozlabs.org/project/ubuntu-kernel/list/?series=1997",
            "date": "2017-09-07T13:02:33",
            "name": "[Trusty,SRU,CVE-2016-8633] firewire: net: guard against rx buffer overflows",
            "version": 1,
            "mbox": "http://patchwork.ozlabs.org/series/1997/mbox/"
        }
    ],
    "comments": "http://patchwork.ozlabs.org/api/patches/811003/comments/",
    "check": "pending",
    "checks": "http://patchwork.ozlabs.org/api/patches/811003/checks/",
    "tags": {},
    "related": [],
    "headers": {
        "Return-Path": "<kernel-team-bounces@lists.ubuntu.com>",
        "X-Original-To": "incoming@patchwork.ozlabs.org",
        "Delivered-To": "patchwork-incoming@bilbo.ozlabs.org",
        "Authentication-Results": "ozlabs.org;\n\tspf=none (mailfrom) smtp.mailfrom=lists.ubuntu.com\n\t(client-ip=91.189.94.19; helo=huckleberry.canonical.com;\n\tenvelope-from=kernel-team-bounces@lists.ubuntu.com;\n\treceiver=<UNKNOWN>)",
        "Received": [
            "from huckleberry.canonical.com (huckleberry.canonical.com\n\t[91.189.94.19])\n\tby ozlabs.org (Postfix) with ESMTP id 3xp0x23QWfz9sRY;\n\tThu,  7 Sep 2017 23:02:46 +1000 (AEST)",
            "from localhost ([127.0.0.1] helo=huckleberry.canonical.com)\n\tby huckleberry.canonical.com with esmtp (Exim 4.86_2)\n\t(envelope-from <kernel-team-bounces@lists.ubuntu.com>)\n\tid 1dpwS7-00077p-QF; Thu, 07 Sep 2017 13:02:39 +0000",
            "from youngberry.canonical.com ([91.189.89.112])\n\tby huckleberry.canonical.com with esmtps\n\t(TLS1.0:DHE_RSA_AES_128_CBC_SHA1:128)\n\t(Exim 4.86_2) (envelope-from <kleber.souza@canonical.com>)\n\tid 1dpwS6-00077j-WA\n\tfor kernel-team@lists.ubuntu.com; Thu, 07 Sep 2017 13:02:38 +0000",
            "from mail-wm0-f71.google.com ([74.125.82.71])\n\tby youngberry.canonical.com with esmtps\n\t(TLS1.0:RSA_AES_128_CBC_SHA1:16)\n\t(Exim 4.76) (envelope-from <kleber.souza@canonical.com>)\n\tid 1dpwS6-0003es-Oo\n\tfor kernel-team@lists.ubuntu.com; Thu, 07 Sep 2017 13:02:38 +0000",
            "by mail-wm0-f71.google.com with SMTP id e64so1473476wmi.0\n\tfor <kernel-team@lists.ubuntu.com>;\n\tThu, 07 Sep 2017 06:02:38 -0700 (PDT)",
            "from localhost (ip5f5bd015.dynamic.kabel-deutschland.de.\n\t[95.91.208.21]) by smtp.gmail.com with ESMTPSA id\n\tq5sm2085339edh.24.2017.09.07.06.02.35\n\tfor <kernel-team@lists.ubuntu.com>\n\t(version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256);\n\tThu, 07 Sep 2017 06:02:35 -0700 (PDT)"
        ],
        "X-Google-DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed;\n\td=1e100.net; s=20161025;\n\th=x-gm-message-state:from:to:subject:date:message-id;\n\tbh=9PmIl1ozgNJ4qvNywrwX58IoUXnfGy6Yc36/gu9id4M=;\n\tb=rT1j1YpGvrzmlXYrHfaphSzH/ss5Exjrr7pxWF4DbA+liuJgEOhpwuEDYLIJrGdNGb\n\tIEVAVsHMk2/PYitgcXEMScOeyQ89z4ZySYL/zk9Vp+3GOiX1Mtaz9jG8H9yOjLYLHK6b\n\tOJNUYVNO+DOXIPKEAJKtesqG0KY0hhd01+dWbRgrtyJgphR3a0cWTtbdHRoKY0oNBt8O\n\tOllwTCANAGeObBG0VmLDSl4gn641qJhUG9Fr0wQcnuyM0QtRRTNhxwsymEtBNi9iL87Q\n\tmCSqKfR/GOLedkXxWMdzRWftf26UwgwjcritpFem5ewzUimgjywhgNzFaZsvdX3hinvE\n\tY2bw==",
        "X-Gm-Message-State": "AHPjjUgIHr+gQrPjn8gg23p4ps4xG0YYlwfh15e1XaEV0+hnrbmLy29u\n\tEzl+DHNxy0Yp22sjgMoTg8oORv9I52RBPMOZxHxxZ9Ucv/4uZ0OwmQ2+CefTL6+iTeJDV9BETbO\n\tmOERtJaU9+yihiCDgNSvihdYPs/rU3HOz",
        "X-Received": [
            "by 10.80.147.228 with SMTP id o91mr2372133eda.163.1504789357709; \n\tThu, 07 Sep 2017 06:02:37 -0700 (PDT)",
            "by 10.80.147.228 with SMTP id o91mr2372079eda.163.1504789356597; \n\tThu, 07 Sep 2017 06:02:36 -0700 (PDT)"
        ],
        "X-Google-Smtp-Source": "ADKCNb7yyRmzcnupZVDvUmlNIEG0If5AVX1V616ZahXCwrlyuo9vxSnWaBw+bZ6kDMv0M52tCMZKQQ==",
        "From": "Kleber Sacilotto de Souza <kleber.souza@canonical.com>",
        "To": "kernel-team@lists.ubuntu.com",
        "Subject": "[Trusty SRU][CVE-2016-8633][PATCH] firewire: net: guard against rx\n\tbuffer overflows",
        "Date": "Thu,  7 Sep 2017 15:02:33 +0200",
        "Message-Id": "<20170907130233.30902-1-kleber.souza@canonical.com>",
        "X-Mailer": "git-send-email 2.14.1",
        "X-BeenThere": "kernel-team@lists.ubuntu.com",
        "X-Mailman-Version": "2.1.20",
        "Precedence": "list",
        "List-Id": "Kernel team discussions <kernel-team.lists.ubuntu.com>",
        "List-Unsubscribe": "<https://lists.ubuntu.com/mailman/options/kernel-team>,\n\t<mailto:kernel-team-request@lists.ubuntu.com?subject=unsubscribe>",
        "List-Archive": "<https://lists.ubuntu.com/archives/kernel-team>",
        "List-Post": "<mailto:kernel-team@lists.ubuntu.com>",
        "List-Help": "<mailto:kernel-team-request@lists.ubuntu.com?subject=help>",
        "List-Subscribe": "<https://lists.ubuntu.com/mailman/listinfo/kernel-team>,\n\t<mailto:kernel-team-request@lists.ubuntu.com?subject=subscribe>",
        "MIME-Version": "1.0",
        "Content-Type": "text/plain; charset=\"utf-8\"",
        "Content-Transfer-Encoding": "base64",
        "Errors-To": "kernel-team-bounces@lists.ubuntu.com",
        "Sender": "\"kernel-team\" <kernel-team-bounces@lists.ubuntu.com>"
    },
    "content": "From: Stefan Richter <stefanr@s5r6.in-berlin.de>\n\nCVE-2016-8633\n\nThe IP-over-1394 driver firewire-net lacked input validation when\nhandling incoming fragmented datagrams.  A maliciously formed fragment\nwith a respectively large datagram_offset would cause a memcpy past the\ndatagram buffer.\n\nSo, drop any packets carrying a fragment with offset + length larger\nthan datagram_size.\n\nIn addition, ensure that\n  - GASP header, unfragmented encapsulation header, or fragment\n    encapsulation header actually exists before we access it,\n  - the encapsulated datagram or fragment is of nonzero size.\n\nReported-by: Eyal Itkin <eyal.itkin@gmail.com>\nReviewed-by: Eyal Itkin <eyal.itkin@gmail.com>\nFixes: CVE 2016-8633\nCc: stable@vger.kernel.org\nSigned-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>\n(cherry picked from commit 667121ace9dbafb368618dbabcf07901c962ddac)\nSigned-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>\n---\n\nNotes:\n    Only Trusty still needs the fix for this CVE. Cherry pick applies cleanly,\n    compile tested.\n    \n    Kleber\n\n drivers/firewire/net.c | 51 ++++++++++++++++++++++++++++++++++----------------\n 1 file changed, 35 insertions(+), 16 deletions(-)",
    "diff": "diff --git a/drivers/firewire/net.c b/drivers/firewire/net.c\nindex 4af0a7bad7f2..641eeab43c57 100644\n--- a/drivers/firewire/net.c\n+++ b/drivers/firewire/net.c\n@@ -591,6 +591,9 @@ static int fwnet_incoming_packet(struct fwnet_device *dev, __be32 *buf, int len,\n \tint retval;\n \tu16 ether_type;\n \n+\tif (len <= RFC2374_UNFRAG_HDR_SIZE)\n+\t\treturn 0;\n+\n \thdr.w0 = be32_to_cpu(buf[0]);\n \tlf = fwnet_get_hdr_lf(&hdr);\n \tif (lf == RFC2374_HDR_UNFRAG) {\n@@ -615,7 +618,12 @@ static int fwnet_incoming_packet(struct fwnet_device *dev, __be32 *buf, int len,\n \t\treturn fwnet_finish_incoming_packet(net, skb, source_node_id,\n \t\t\t\t\t\t    is_broadcast, ether_type);\n \t}\n+\n \t/* A datagram fragment has been received, now the fun begins. */\n+\n+\tif (len <= RFC2374_FRAG_HDR_SIZE)\n+\t\treturn 0;\n+\n \thdr.w1 = ntohl(buf[1]);\n \tbuf += 2;\n \tlen -= RFC2374_FRAG_HDR_SIZE;\n@@ -629,6 +637,9 @@ static int fwnet_incoming_packet(struct fwnet_device *dev, __be32 *buf, int len,\n \tdatagram_label = fwnet_get_hdr_dgl(&hdr);\n \tdg_size = fwnet_get_hdr_dg_size(&hdr); /* ??? 
+ 1 */\n \n+\tif (fg_off + len > dg_size)\n+\t\treturn 0;\n+\n \tspin_lock_irqsave(&dev->lock, flags);\n \n \tpeer = fwnet_peer_find_by_node_id(dev, source_node_id, generation);\n@@ -735,6 +746,22 @@ static void fwnet_receive_packet(struct fw_card *card, struct fw_request *r,\n \tfw_send_response(card, r, rcode);\n }\n \n+static int gasp_source_id(__be32 *p)\n+{\n+\treturn be32_to_cpu(p[0]) >> 16;\n+}\n+\n+static u32 gasp_specifier_id(__be32 *p)\n+{\n+\treturn (be32_to_cpu(p[0]) & 0xffff) << 8 |\n+\t       (be32_to_cpu(p[1]) & 0xff000000) >> 24;\n+}\n+\n+static u32 gasp_version(__be32 *p)\n+{\n+\treturn be32_to_cpu(p[1]) & 0xffffff;\n+}\n+\n static void fwnet_receive_broadcast(struct fw_iso_context *context,\n \t\tu32 cycle, size_t header_length, void *header, void *data)\n {\n@@ -744,9 +771,6 @@ static void fwnet_receive_broadcast(struct fw_iso_context *context,\n \t__be32 *buf_ptr;\n \tint retval;\n \tu32 length;\n-\tu16 source_node_id;\n-\tu32 specifier_id;\n-\tu32 ver;\n \tunsigned long offset;\n \tunsigned long flags;\n \n@@ -763,22 +787,17 @@ static void fwnet_receive_broadcast(struct fw_iso_context *context,\n \n \tspin_unlock_irqrestore(&dev->lock, flags);\n \n-\tspecifier_id =    (be32_to_cpu(buf_ptr[0]) & 0xffff) << 8\n-\t\t\t| (be32_to_cpu(buf_ptr[1]) & 0xff000000) >> 24;\n-\tver = be32_to_cpu(buf_ptr[1]) & 0xffffff;\n-\tsource_node_id = be32_to_cpu(buf_ptr[0]) >> 16;\n-\n-\tif (specifier_id == IANA_SPECIFIER_ID &&\n-\t    (ver == RFC2734_SW_VERSION\n+\tif (length > IEEE1394_GASP_HDR_SIZE &&\n+\t    gasp_specifier_id(buf_ptr) == IANA_SPECIFIER_ID &&\n+\t    (gasp_version(buf_ptr) == RFC2734_SW_VERSION\n #if IS_ENABLED(CONFIG_IPV6)\n-\t     || ver == RFC3146_SW_VERSION\n+\t     || gasp_version(buf_ptr) == RFC3146_SW_VERSION\n #endif\n-\t    )) {\n-\t\tbuf_ptr += 2;\n-\t\tlength -= IEEE1394_GASP_HDR_SIZE;\n-\t\tfwnet_incoming_packet(dev, buf_ptr, length, source_node_id,\n+\t    ))\n+\t\tfwnet_incoming_packet(dev, buf_ptr + 2,\n+\t\t\t\t      length - 
IEEE1394_GASP_HDR_SIZE,\n+\t\t\t\t      gasp_source_id(buf_ptr),\n \t\t\t\t      context->card->generation, true);\n-\t}\n \n \tpacket.payload_length = dev->rcv_buffer_size;\n \tpacket.interrupt = 1;\n",
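Review bot: The new bound `if (fg_off + len > dg_size)` in the third hunk of fwnet_incoming_packet() treats dg_size as the true datagram length, yet the unchanged line directly above it still carries the open question `/* ??? + 1 */`. If the fragment header stores the size as length minus one (to be confirmed against RFC 2734), this comparison would reject the final fragment of a full-size datagram from a conforming peer. I would settle that before relying on the check and replace the question mark with a statement of the convention, for example `/* dg_size: datagram length in bytes as decoded from the header */`. Separately, all three added early exits `return 0` silently, so dropped malformed fragments leave no trace for an operator. Whether a drop counter fits here depends on code outside the hunks, since the function body starts and ends beyond them.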
    "prefixes": [
        "Trusty",
        "SRU",
        "CVE-2016-8633"
    ]
}