Patch Detail

HTTP 200 OK
Allow: GET, PUT, PATCH, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "id": 810547,
    "url": "http://patchwork.ozlabs.org/api/patches/810547/?format=api",
    "web_url": "http://patchwork.ozlabs.org/project/ubuntu-kernel/patch/20170906120208.10561-2-kleber.souza@canonical.com/",
    "project": {
        "id": 15,
        "url": "http://patchwork.ozlabs.org/api/projects/15/?format=api",
        "name": "Ubuntu Kernel",
        "link_name": "ubuntu-kernel",
        "list_id": "kernel-team.lists.ubuntu.com",
        "list_email": "kernel-team@lists.ubuntu.com",
        "web_url": null,
        "scm_url": null,
        "webscm_url": null,
        "list_archive_url": "",
        "list_archive_url_format": "",
        "commit_url_format": ""
    },
    "msgid": "<20170906120208.10561-2-kleber.souza@canonical.com>",
    "list_archive_url": null,
    "date": "2017-09-06T12:02:08",
    "name": "[Trusty,SRU,CVE-2016-8632,1/1] tipc: check minimum bearer MTU",
    "commit_ref": null,
    "pull_url": null,
    "state": "new",
    "archived": false,
    "hash": "289616747894cade7fe7b9fb874c1d3ca7626ca4",
    "submitter": {
        "id": 71419,
        "url": "http://patchwork.ozlabs.org/api/people/71419/?format=api",
        "name": "Kleber Sacilotto de Souza",
        "email": "kleber.souza@canonical.com"
    },
    "delegate": null,
    "mbox": "http://patchwork.ozlabs.org/project/ubuntu-kernel/patch/20170906120208.10561-2-kleber.souza@canonical.com/mbox/",
    "series": [
        {
            "id": 1779,
            "url": "http://patchwork.ozlabs.org/api/series/1779/?format=api",
            "web_url": "http://patchwork.ozlabs.org/project/ubuntu-kernel/list/?series=1779",
            "date": "2017-09-06T12:02:07",
            "name": "Fix for CVE-2016-8632",
            "version": 1,
            "mbox": "http://patchwork.ozlabs.org/series/1779/mbox/"
        }
    ],
    "comments": "http://patchwork.ozlabs.org/api/patches/810547/comments/",
    "check": "pending",
    "checks": "http://patchwork.ozlabs.org/api/patches/810547/checks/",
    "tags": {},
    "related": [],
    "headers": {
        "Return-Path": "<kernel-team-bounces@lists.ubuntu.com>",
        "X-Original-To": "incoming@patchwork.ozlabs.org",
        "Delivered-To": "patchwork-incoming@bilbo.ozlabs.org",
        "Authentication-Results": "ozlabs.org;\n\tspf=none (mailfrom) smtp.mailfrom=lists.ubuntu.com\n\t(client-ip=91.189.94.19; helo=huckleberry.canonical.com;\n\tenvelope-from=kernel-team-bounces@lists.ubuntu.com;\n\treceiver=<UNKNOWN>)",
        "Received": [
            "from huckleberry.canonical.com (huckleberry.canonical.com\n\t[91.189.94.19])\n\tby ozlabs.org (Postfix) with ESMTP id 3xnMfD6XqVz9sBZ;\n\tWed,  6 Sep 2017 22:02:44 +1000 (AEST)",
            "from localhost ([127.0.0.1] helo=huckleberry.canonical.com)\n\tby huckleberry.canonical.com with esmtp (Exim 4.86_2)\n\t(envelope-from <kernel-team-bounces@lists.ubuntu.com>)\n\tid 1dpZ2W-00013r-Up; Wed, 06 Sep 2017 12:02:40 +0000",
            "from youngberry.canonical.com ([91.189.89.112])\n\tby huckleberry.canonical.com with esmtps\n\t(TLS1.0:DHE_RSA_AES_128_CBC_SHA1:128)\n\t(Exim 4.86_2) (envelope-from <kleber.souza@canonical.com>)\n\tid 1dpZ2M-0000u8-RM\n\tfor kernel-team@lists.ubuntu.com; Wed, 06 Sep 2017 12:02:30 +0000",
            "from mail-wm0-f71.google.com ([74.125.82.71])\n\tby youngberry.canonical.com with esmtps\n\t(TLS1.0:RSA_AES_128_CBC_SHA1:16)\n\t(Exim 4.76) (envelope-from <kleber.souza@canonical.com>)\n\tid 1dpZ2M-0006b1-CT\n\tfor kernel-team@lists.ubuntu.com; Wed, 06 Sep 2017 12:02:30 +0000",
            "by mail-wm0-f71.google.com with SMTP id f4so6037303wmh.7\n\tfor <kernel-team@lists.ubuntu.com>;\n\tWed, 06 Sep 2017 05:02:30 -0700 (PDT)",
            "from localhost (pd95c76fe.dip0.t-ipconnect.de. [217.92.118.254])\n\tby smtp.gmail.com with ESMTPSA id\n\tb196sm906898wmd.43.2017.09.06.05.02.25\n\tfor <kernel-team@lists.ubuntu.com>\n\t(version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256);\n\tWed, 06 Sep 2017 05:02:28 -0700 (PDT)"
        ],
        "X-Google-DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed;\n\td=1e100.net; s=20161025;\n\th=x-gm-message-state:from:to:subject:date:message-id:in-reply-to\n\t:references:mime-version:content-transfer-encoding;\n\tbh=LUH/wIzdJ8EjBCtRzwBkV7gf62lv2rofO5CJ3VpxKm0=;\n\tb=BbAExMvFgzw7Wkf7u8zoDKzybcB8JHK/Z0WlGjf5+Gg4bW2zYTNj/K7SVGBBU2Tyja\n\tlu3x2NWxMLv1fXaI6pXGvtwrZ/3OGmZGKFC9ZA6b7kjEy2aUOu3ay7axNlLNnsBGNfA+\n\t3sYo8R9KdO1J/DpScGi4gc+rpru5wff9u7KwWurhxe0l0f+Xcz7PIWfjSAcproDF7LjU\n\tLn5rU1MidZdb21hpDXE7GyfUo6idqh1fTeNt+MmPXmb7/ga+orowF/ql4y/OC6GqE4b1\n\tPsroYlFjnuU8W4BSDktVBREZxUKMkLP1a61xDMJ7mNsMQQfX1C7VNeD75sHBI9H/RitK\n\tgoWw==",
        "X-Gm-Message-State": "AHPjjUivK4IFM1IXrlyyNR2B5DtqXcAKAJtHWt9g1LsFyoeZRMSg5MSo\n\tSltgLrRnwXHEHoS1BI0x71xWFQcLCux43YT2eW3PpcMe5FsiHeOoaWFelAs+LXVj/igp8krjA9W\n\tGAq/HmKpWS2mZYOjNY86MgbjPUmE5y8Ve",
        "X-Received": [
            "by 10.223.139.146 with SMTP id o18mr1616674wra.236.1504699349753;\n\tWed, 06 Sep 2017 05:02:29 -0700 (PDT)",
            "by 10.223.139.146 with SMTP id o18mr1616662wra.236.1504699349488;\n\tWed, 06 Sep 2017 05:02:29 -0700 (PDT)"
        ],
        "X-Google-Smtp-Source": "ADKCNb5Cgis7/ojHz2ZkrQQnwZNt8z3ftQAWq2xG92yGi5bb9ll+2GGQrUK78VwkjmyApmrjnWMtrA==",
        "From": "Kleber Sacilotto de Souza <kleber.souza@canonical.com>",
        "To": "kernel-team@lists.ubuntu.com",
        "Subject": "[Trusty SRU][CVE-2016-8632][PATCH 1/1] tipc: check minimum bearer\n\tMTU",
        "Date": "Wed,  6 Sep 2017 14:02:08 +0200",
        "Message-Id": "<20170906120208.10561-2-kleber.souza@canonical.com>",
        "X-Mailer": "git-send-email 2.14.1",
        "In-Reply-To": "<20170906120208.10561-1-kleber.souza@canonical.com>",
        "References": "<20170906120208.10561-1-kleber.souza@canonical.com>",
        "MIME-Version": "1.0",
        "X-BeenThere": "kernel-team@lists.ubuntu.com",
        "X-Mailman-Version": "2.1.20",
        "Precedence": "list",
        "List-Id": "Kernel team discussions <kernel-team.lists.ubuntu.com>",
        "List-Unsubscribe": "<https://lists.ubuntu.com/mailman/options/kernel-team>,\n\t<mailto:kernel-team-request@lists.ubuntu.com?subject=unsubscribe>",
        "List-Archive": "<https://lists.ubuntu.com/archives/kernel-team>",
        "List-Post": "<mailto:kernel-team@lists.ubuntu.com>",
        "List-Help": "<mailto:kernel-team-request@lists.ubuntu.com?subject=help>",
        "List-Subscribe": "<https://lists.ubuntu.com/mailman/listinfo/kernel-team>,\n\t<mailto:kernel-team-request@lists.ubuntu.com?subject=subscribe>",
        "Content-Type": "text/plain; charset=\"utf-8\"",
        "Content-Transfer-Encoding": "base64",
        "Errors-To": "kernel-team-bounces@lists.ubuntu.com",
        "Sender": "\"kernel-team\" <kernel-team-bounces@lists.ubuntu.com>"
    },
    "content": "From: Michal Kubeček <mkubecek@suse.cz>\n\nQian Zhang (张谦) reported a potential socket buffer overflow in\ntipc_msg_build() which is also known as CVE-2016-8632: due to\ninsufficient checks, a buffer overflow can occur if MTU is too short for\neven tipc headers. As anyone can set device MTU in a user/net namespace,\nthis issue can be abused by a regular user.\n\nAs agreed in the discussion on Ben Hutchings' original patch, we should\ncheck the MTU at the moment a bearer is attached rather than for each\nprocessed packet. We also need to repeat the check when bearer MTU is\nadjusted to new device MTU. UDP case also needs a check to avoid\noverflow when calculating bearer MTU.\n\nFixes: b97bf3fd8f6a (\"[TIPC] Initial merge\")\nSigned-off-by: Michal Kubecek <mkubecek@suse.cz>\nReported-by: Qian Zhang (张谦) <zhangqian-c@360.cn>\nAcked-by: Ying Xue <ying.xue@windriver.com>\nSigned-off-by: David S. Miller <davem@davemloft.net>\n\nCVE-2016-8632\n(backported from commit 3de81b758853f0b29c61e246679d20b513c4cfec)\n[kleber:\n - Adjust context\n - Duplicate macro definitions in bearer.h to avoid mutual inclusion\n - Duplicate bearer changes for eth and ib media\n - Drop changes in udp_media.c]\nSigned-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>\n---\n net/tipc/bearer.h    | 16 ++++++++++++++++\n net/tipc/eth_media.c | 11 +++++++++--\n net/tipc/ib_media.c  | 11 +++++++++--\n 3 files changed, 34 insertions(+), 4 deletions(-)",
    "diff": "diff --git a/net/tipc/bearer.h b/net/tipc/bearer.h\nindex e5e04be6fffa..cc8bc3b7cb6f 100644\n--- a/net/tipc/bearer.h\n+++ b/net/tipc/bearer.h\n@@ -58,6 +58,13 @@\n #define TIPC_MEDIA_TYPE_ETH\t1\n #define TIPC_MEDIA_TYPE_IB\t2\n \n+/* Message header sizes from msg.h - duplicated to avoid mutual inclusion */\n+#define INT_H_SIZE                40\n+#define MAX_H_SIZE                60\n+\n+/* minimum bearer MTU */\n+#define TIPC_MIN_BEARER_MTU\t(MAX_H_SIZE + INT_H_SIZE)\n+\n /**\n  * struct tipc_media_addr - destination address used by TIPC bearers\n  * @value: address info (format defined by media)\n@@ -210,4 +217,13 @@ static inline void tipc_bearer_send(struct tipc_bearer *b, struct sk_buff *buf,\n \tb->media->send_msg(buf, b, dest);\n }\n \n+/* check if device MTU is too low for tipc headers */\n+static inline bool tipc_mtu_bad(struct net_device *dev, unsigned int reserve)\n+{\n+\tif (dev->mtu >= TIPC_MIN_BEARER_MTU + reserve)\n+\t\treturn false;\n+\tnetdev_warn(dev, \"MTU too low for tipc bearer\\n\");\n+\treturn true;\n+}\n+\n #endif\t/* _TIPC_BEARER_H */\ndiff --git a/net/tipc/eth_media.c b/net/tipc/eth_media.c\nindex f80d59f5a161..3fe074af15ec 100644\n--- a/net/tipc/eth_media.c\n+++ b/net/tipc/eth_media.c\n@@ -180,6 +180,10 @@ static int enable_media(struct tipc_bearer *tb_ptr)\n \tdev = dev_get_by_name(&init_net, driver_name);\n \tif (!dev)\n \t\treturn -ENODEV;\n+\tif (tipc_mtu_bad(dev, 0)) {\n+\t\tdev_put(dev);\n+\t\treturn -EINVAL;\n+\t}\n \n \t/* Create Ethernet bearer for device */\n \teb_ptr->dev = dev;\n@@ -258,8 +262,6 @@ static int recv_notification(struct notifier_block *nb, unsigned long evt,\n \tif (!eb_ptr->bearer)\n \t\treturn NOTIFY_DONE;\t\t/* bearer had been disabled */\n \n-\teb_ptr->bearer->mtu = dev->mtu;\n-\n \tswitch (evt) {\n \tcase NETDEV_CHANGE:\n \t\tif (netif_carrier_ok(dev))\n@@ -274,6 +276,11 @@ static int recv_notification(struct notifier_block *nb, unsigned long evt,\n \t\ttipc_block_bearer(eb_ptr->bearer);\n \t\tbreak;\n \tcase NETDEV_CHANGEMTU:\n+\t\tif (tipc_mtu_bad(dev, 0)) {\n+\t\t\ttipc_disable_bearer(eb_ptr->bearer->name);\n+\t\t\tbreak;\n+\t\t}\n+\t\teb_ptr->bearer->mtu = dev->mtu;\n \tcase NETDEV_CHANGEADDR:\n \t\ttipc_block_bearer(eb_ptr->bearer);\n \t\ttipc_continue(eb_ptr->bearer);\ndiff --git a/net/tipc/ib_media.c b/net/tipc/ib_media.c\nindex c13989297464..c34380b9357c 100644\n--- a/net/tipc/ib_media.c\n+++ b/net/tipc/ib_media.c\n@@ -173,6 +173,10 @@ static int enable_media(struct tipc_bearer *tb_ptr)\n \tdev = dev_get_by_name(&init_net, driver_name);\n \tif (!dev)\n \t\treturn -ENODEV;\n+\tif (tipc_mtu_bad(dev, 0)) {\n+\t\tdev_put(dev);\n+\t\treturn -EINVAL;\n+\t}\n \n \t/* Create InfiniBand bearer for device */\n \tib_ptr->dev = dev;\n@@ -251,8 +255,6 @@ static int recv_notification(struct notifier_block *nb, unsigned long evt,\n \tif (!ib_ptr->bearer)\n \t\treturn NOTIFY_DONE;\t\t/* bearer had been disabled */\n \n-\tib_ptr->bearer->mtu = dev->mtu;\n-\n \tswitch (evt) {\n \tcase NETDEV_CHANGE:\n \t\tif (netif_carrier_ok(dev))\n@@ -267,6 +269,11 @@ static int recv_notification(struct notifier_block *nb, unsigned long evt,\n \t\ttipc_block_bearer(ib_ptr->bearer);\n \t\tbreak;\n \tcase NETDEV_CHANGEMTU:\n+\t\tif (tipc_mtu_bad(dev, 0)) {\n+\t\t\ttipc_disable_bearer(ib_ptr->bearer->name);\n+\t\t\tbreak;\n+\t\t}\n+\t\tib_ptr->bearer->mtu = dev->mtu;\n \tcase NETDEV_CHANGEADDR:\n \t\ttipc_block_bearer(ib_ptr->bearer);\n \t\ttipc_continue(ib_ptr->bearer);\n",
    "prefixes": [
        "Trusty",
        "SRU",
        "CVE-2016-8632",
        "1/1"
    ]
}