[{"id":1766237,"web_url":"http://patchwork.ozlabs.org/comment/1766237/","msgid":"<10d8a4fc-1b62-f1fc-9c67-a01af2f63987@canonical.com>","list_archive_url":null,"date":"2017-09-11T11:29:45","subject":"ACK: [Trusty SRU][CVE-2016-8633][PATCH] firewire: net: guard against\n\trx buffer overflows","submitter":{"id":2898,"url":"http://patchwork.ozlabs.org/api/people/2898/","name":"Stefan Bader","email":"stefan.bader@canonical.com"},"content":"On 07.09.2017 15:02, Kleber Sacilotto de Souza wrote:\n> From: Stefan Richter <stefanr@s5r6.in-berlin.de>\n> \n> CVE-2016-8633\n> \n> The IP-over-1394 driver firewire-net lacked input validation when\n> handling incoming fragmented datagrams.  A maliciously formed fragment\n> with a respectively large datagram_offset would cause a memcpy past the\n> datagram buffer.\n> \n> So, drop any packets carrying a fragment with offset + length larger\n> than datagram_size.\n> \n> In addition, ensure that\n>   - GASP header, unfragmented encapsulation header, or fragment\n>     encapsulation header actually exists before we access it,\n>   - the encapsulated datagram or fragment is of nonzero size.\n> \n> Reported-by: Eyal Itkin <eyal.itkin@gmail.com>\n> Reviewed-by: Eyal Itkin <eyal.itkin@gmail.com>\n> Fixes: CVE 2016-8633\n> Cc: stable@vger.kernel.org\n> Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>\n> (cherry picked from commit 667121ace9dbafb368618dbabcf07901c962ddac)\n> Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>\nAcked-by: Stefan Bader <stefan.bader@canonical.com>\n\n> ---\n> \n> Notes:\n>     Only Trusty still needs the fix for this CVE. Cherry pick applies cleanly,\n>     compile tested.\n>     \n>     Kleber\n> \n>  drivers/firewire/net.c | 51 ++++++++++++++++++++++++++++++++++----------------\n>  1 file changed, 35 insertions(+), 16 deletions(-)\n> \n> diff --git a/drivers/firewire/net.c b/drivers/firewire/net.c\n> index 4af0a7bad7f2..641eeab43c57 100644\n> --- a/drivers/firewire/net.c\n> 
+++ b/drivers/firewire/net.c\n> @@ -591,6 +591,9 @@ static int fwnet_incoming_packet(struct fwnet_device *dev, __be32 *buf, int len,\n>  \tint retval;\n>  \tu16 ether_type;\n>  \n> +\tif (len <= RFC2374_UNFRAG_HDR_SIZE)\n> +\t\treturn 0;\n> +\n>  \thdr.w0 = be32_to_cpu(buf[0]);\n>  \tlf = fwnet_get_hdr_lf(&hdr);\n>  \tif (lf == RFC2374_HDR_UNFRAG) {\n> @@ -615,7 +618,12 @@ static int fwnet_incoming_packet(struct fwnet_device *dev, __be32 *buf, int len,\n>  \t\treturn fwnet_finish_incoming_packet(net, skb, source_node_id,\n>  \t\t\t\t\t\t    is_broadcast, ether_type);\n>  \t}\n> +\n>  \t/* A datagram fragment has been received, now the fun begins. */\n> +\n> +\tif (len <= RFC2374_FRAG_HDR_SIZE)\n> +\t\treturn 0;\n> +\n>  \thdr.w1 = ntohl(buf[1]);\n>  \tbuf += 2;\n>  \tlen -= RFC2374_FRAG_HDR_SIZE;\n> @@ -629,6 +637,9 @@ static int fwnet_incoming_packet(struct fwnet_device *dev, __be32 *buf, int len,\n>  \tdatagram_label = fwnet_get_hdr_dgl(&hdr);\n>  \tdg_size = fwnet_get_hdr_dg_size(&hdr); /* ??? + 1 */\n>  \n> +\tif (fg_off + len > dg_size)\n> +\t\treturn 0;\n> +\n>  \tspin_lock_irqsave(&dev->lock, flags);\n>  \n>  \tpeer = fwnet_peer_find_by_node_id(dev, source_node_id, generation);\n> @@ -735,6 +746,22 @@ static void fwnet_receive_packet(struct fw_card *card, struct fw_request *r,\n>  \tfw_send_response(card, r, rcode);\n>  }\n>  \n> +static int gasp_source_id(__be32 *p)\n> +{\n> +\treturn be32_to_cpu(p[0]) >> 16;\n> +}\n> +\n> +static u32 gasp_specifier_id(__be32 *p)\n> +{\n> +\treturn (be32_to_cpu(p[0]) & 0xffff) << 8 |\n> +\t       (be32_to_cpu(p[1]) & 0xff000000) >> 24;\n> +}\n> +\n> +static u32 gasp_version(__be32 *p)\n> +{\n> +\treturn be32_to_cpu(p[1]) & 0xffffff;\n> +}\n> +\n>  static void fwnet_receive_broadcast(struct fw_iso_context *context,\n>  \t\tu32 cycle, size_t header_length, void *header, void *data)\n>  {\n> 
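Review bot: the `if (len <= RFC2374_UNFRAG_HDR_SIZE) return 0;` check at the top of fwnet_incoming_packet() is the only length guard on the unicast (write-request) path, because fwnet_receive_packet()'s call site is not touched by this patch while the broadcast caller gets its own `length > IEEE1394_GASP_HDR_SIZE` guard later on; a one-line comment above the check saying it covers both callers would save the next reader from hunting for the missing unicast guard. Since `len` is `int`, a negative value also trips `<=` and is dropped, which is the safe direction.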
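Review bot: the `if (fg_off + len > dg_size) return 0;` check is only correct if fwnet_get_hdr_dg_size() returns the decoded size (RFC 2734 carries datagram_size - 1 on the wire), and the pre-existing `/* ??? + 1 */` comment on the line just above leaves exactly that in doubt: if the helper returned the raw field, a legitimate final fragment with fg_off + len == datagram_size would be rejected. Suggest resolving the comment while touching this spot, e.g. `dg_size = fwnet_get_hdr_dg_size(&hdr); /* decoded: wire value + 1 */`. Note also that the check bounds the fragment against the dg_size claimed in this fragment's own header; whether that equals the size of the buffer the fragment is later copied into depends on code outside this hunk, so a short comment here would make the invariant explicit.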
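Review bot: gasp_source_id() is declared `static int` although its value (`be32_to_cpu(p[0]) >> 16`) is a 16-bit node ID that replaces the removed `u16 source_node_id` local and is handed to fwnet_incoming_packet() as such; declaring it `static u16 gasp_source_id(__be32 *p)` would match the explicit widths of gasp_specifier_id() and gasp_version() and avoid the implicit narrowing at the call site. All three helpers could also take `const __be32 *p`, since none of them writes through the pointer.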
@@ -744,9 +771,6 @@ static void fwnet_receive_broadcast(struct fw_iso_context *context,\n>  \t__be32 *buf_ptr;\n>  \tint retval;\n>  \tu32 length;\n> -\tu16 source_node_id;\n> -\tu32 specifier_id;\n> -\tu32 ver;\n>  \tunsigned long offset;\n>  \tunsigned long flags;\n>  \n> 
@@ -763,22 +787,17 @@ static void fwnet_receive_broadcast(struct fw_iso_context *context,\n>  \n>  \tspin_unlock_irqrestore(&dev->lock, flags);\n>  \n> -\tspecifier_id =    (be32_to_cpu(buf_ptr[0]) & 0xffff) << 8\n> -\t\t\t| (be32_to_cpu(buf_ptr[1]) & 0xff000000) >> 24;\n> -\tver = be32_to_cpu(buf_ptr[1]) & 0xffffff;\n> -\tsource_node_id = be32_to_cpu(buf_ptr[0]) >> 16;\n> -\n> -\tif (specifier_id == IANA_SPECIFIER_ID &&\n> -\t    (ver == RFC2734_SW_VERSION\n> +\tif (length > IEEE1394_GASP_HDR_SIZE &&\n> +\t    gasp_specifier_id(buf_ptr) == IANA_SPECIFIER_ID &&\n> +\t    (gasp_version(buf_ptr) == RFC2734_SW_VERSION\n>  #if IS_ENABLED(CONFIG_IPV6)\n> -\t     || ver == RFC3146_SW_VERSION\n> +\t     || gasp_version(buf_ptr) == RFC3146_SW_VERSION\n>  #endif\n> -\t    )) {\n> -\t\tbuf_ptr += 2;\n> -\t\tlength -= IEEE1394_GASP_HDR_SIZE;\n> -\t\tfwnet_incoming_packet(dev, buf_ptr, length, source_node_id,\n> +\t    ))\n> +\t\tfwnet_incoming_packet(dev, buf_ptr + 2,\n> +\t\t\t\t      length - IEEE1394_GASP_HDR_SIZE,\n> +\t\t\t\t      gasp_source_id(buf_ptr),\n>  \t\t\t\t      context->card->generation, true);\n> -\t}\n>  \n>  \tpacket.payload_length = dev->rcv_buffer_size;\n>  \tpacket.interrupt = 1;\n>","headers":{"Return-Path":"<kernel-team-bounces@lists.ubuntu.com>","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@bilbo.ozlabs.org","Authentication-Results":"ozlabs.org;\n\tspf=none (mailfrom) smtp.mailfrom=lists.ubuntu.com\n\t(client-ip=91.189.94.19; helo=huckleberry.canonical.com;\n\tenvelope-from=kernel-team-bounces@lists.ubuntu.com;\n\treceiver=<UNKNOWN>)","Received":["from huckleberry.canonical.com (huckleberry.canonical.com\n\t[91.189.94.19])\n\tby ozlabs.org (Postfix) with ESMTP id 3xrQgy5H3Hz9sNV;\n\tMon, 11 Sep 2017 21:29:50 +1000 (AEST)","from localhost ([127.0.0.1] helo=huckleberry.canonical.com)\n\tby huckleberry.canonical.com with esmtp (Exim 4.86_2)\n\t(envelope-from <kernel-team-bounces@lists.ubuntu.com>)\n\tid 
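Review bot: removing the braces around the fwnet_incoming_packet() call leaves a multi-line `if` condition that contains an `#if IS_ENABLED(CONFIG_IPV6)` block guarding a four-line statement; kernel style permits a braceless single statement, but with a preprocessor conditional inside the condition it is easy to misread where the body begins, so keeping the `{ ... }` the removed lines had would be clearer. The `length > IEEE1394_GASP_HDR_SIZE` guard itself is right: `length` is `u32`, so the old unconditional `length -= IEEE1394_GASP_HDR_SIZE` could wrap on a short GASP packet, and the new check both prevents the wrap and rejects an empty payload, as the commit message describes.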
1drMuS-00053B-1R; Mon, 11 Sep 2017 11:29:48 +0000","from youngberry.canonical.com ([91.189.89.112])\n\tby huckleberry.canonical.com with esmtps\n\t(TLS1.0:DHE_RSA_AES_128_CBC_SHA1:128)\n\t(Exim 4.86_2) (envelope-from <stefan.bader@canonical.com>)\n\tid 1drMuQ-00051v-38\n\tfor kernel-team@lists.ubuntu.com; Mon, 11 Sep 2017 11:29:46 +0000","from 1.general.smb.uk.vpn ([10.172.193.28])\n\tby youngberry.canonical.com with esmtpsa\n\t(TLS1.0:DHE_RSA_AES_128_CBC_SHA1:16)\n\t(Exim 4.76) (envelope-from <stefan.bader@canonical.com>)\n\tid 1drMuP-0002wa-RX\n\tfor kernel-team@lists.ubuntu.com; Mon, 11 Sep 2017 11:29:45 +0000"],"Subject":"ACK: [Trusty SRU][CVE-2016-8633][PATCH] firewire: net: guard against\n\trx buffer overflows","To":"kernel-team@lists.ubuntu.com","References":"<20170907130233.30902-1-kleber.souza@canonical.com>","From":"Stefan Bader <stefan.bader@canonical.com>","Message-ID":"<10d8a4fc-1b62-f1fc-9c67-a01af2f63987@canonical.com>","Date":"Mon, 11 Sep 2017 13:29:45 +0200","User-Agent":"Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101\n\tThunderbird/52.2.1","MIME-Version":"1.0","In-Reply-To":"<20170907130233.30902-1-kleber.souza@canonical.com>","X-BeenThere":"kernel-team@lists.ubuntu.com","X-Mailman-Version":"2.1.20","Precedence":"list","List-Id":"Kernel team discussions <kernel-team.lists.ubuntu.com>","List-Unsubscribe":"<https://lists.ubuntu.com/mailman/options/kernel-team>,\n\t<mailto:kernel-team-request@lists.ubuntu.com?subject=unsubscribe>","List-Archive":"<https://lists.ubuntu.com/archives/kernel-team>","List-Post":"<mailto:kernel-team@lists.ubuntu.com>","List-Help":"<mailto:kernel-team-request@lists.ubuntu.com?subject=help>","List-Subscribe":"<https://lists.ubuntu.com/mailman/listinfo/kernel-team>,\n\t<mailto:kernel-team-request@lists.ubuntu.com?subject=subscribe>","Content-Type":"multipart/mixed;\n\tboundary=\"===============1434275644644012995==\"","Errors-To":"kernel-team-bounces@lists.ubuntu.com","Sender":"\"kernel-team\" 
<kernel-team-bounces@lists.ubuntu.com>"}},{"id":1766292,"web_url":"http://patchwork.ozlabs.org/comment/1766292/","msgid":"<21ac2448-ad83-edb9-9669-e1b7ead453fd@canonical.com>","list_archive_url":null,"date":"2017-09-11T12:56:09","subject":"ACK: [Trusty SRU][CVE-2016-8633][PATCH] firewire: net: guard against\n\trx buffer overflows","submitter":{"id":2900,"url":"http://patchwork.ozlabs.org/api/people/2900/","name":"Colin Ian King","email":"colin.king@canonical.com"},"content":"On 07/09/17 14:02, Kleber Sacilotto de Souza wrote:\n> From: Stefan Richter <stefanr@s5r6.in-berlin.de>\n> \n> CVE-2016-8633\n> \n> The IP-over-1394 driver firewire-net lacked input validation when\n> handling incoming fragmented datagrams.  A maliciously formed fragment\n> with a respectively large datagram_offset would cause a memcpy past the\n> datagram buffer.\n> \n> So, drop any packets carrying a fragment with offset + length larger\n> than datagram_size.\n> \n> In addition, ensure that\n>   - GASP header, unfragmented encapsulation header, or fragment\n>     encapsulation header actually exists before we access it,\n>   - the encapsulated datagram or fragment is of nonzero size.\n> \n> Reported-by: Eyal Itkin <eyal.itkin@gmail.com>\n> Reviewed-by: Eyal Itkin <eyal.itkin@gmail.com>\n> Fixes: CVE 2016-8633\n> Cc: stable@vger.kernel.org\n> Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>\n> (cherry picked from commit 667121ace9dbafb368618dbabcf07901c962ddac)\n> Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>\n> ---\n> \n> Notes:\n>     Only Trusty still needs the fix for this CVE. Cherry pick applies cleanly,\n>     compile tested.\n>     \n>     Kleber\n> \n>  drivers/firewire/net.c | 51 ++++++++++++++++++++++++++++++++++----------------\n>  1 file changed, 35 insertions(+), 16 deletions(-)\n> \n> diff --git a/drivers/firewire/net.c b/drivers/firewire/net.c\n> index 4af0a7bad7f2..641eeab43c57 100644\n> --- a/drivers/firewire/net.c\n> 
+++ b/drivers/firewire/net.c\n> @@ -591,6 +591,9 @@ static int fwnet_incoming_packet(struct fwnet_device *dev, __be32 *buf, int len,\n>  \tint retval;\n>  \tu16 ether_type;\n>  \n> +\tif (len <= RFC2374_UNFRAG_HDR_SIZE)\n> +\t\treturn 0;\n> +\n>  \thdr.w0 = be32_to_cpu(buf[0]);\n>  \tlf = fwnet_get_hdr_lf(&hdr);\n>  \tif (lf == RFC2374_HDR_UNFRAG) {\n> @@ -615,7 +618,12 @@ static int fwnet_incoming_packet(struct fwnet_device *dev, __be32 *buf, int len,\n>  \t\treturn fwnet_finish_incoming_packet(net, skb, source_node_id,\n>  \t\t\t\t\t\t    is_broadcast, ether_type);\n>  \t}\n> +\n>  \t/* A datagram fragment has been received, now the fun begins. */\n> +\n> +\tif (len <= RFC2374_FRAG_HDR_SIZE)\n> +\t\treturn 0;\n> +\n>  \thdr.w1 = ntohl(buf[1]);\n>  \tbuf += 2;\n>  \tlen -= RFC2374_FRAG_HDR_SIZE;\n> @@ -629,6 +637,9 @@ static int fwnet_incoming_packet(struct fwnet_device *dev, __be32 *buf, int len,\n>  \tdatagram_label = fwnet_get_hdr_dgl(&hdr);\n>  \tdg_size = fwnet_get_hdr_dg_size(&hdr); /* ??? + 1 */\n>  \n> +\tif (fg_off + len > dg_size)\n> +\t\treturn 0;\n> +\n>  \tspin_lock_irqsave(&dev->lock, flags);\n>  \n>  \tpeer = fwnet_peer_find_by_node_id(dev, source_node_id, generation);\n> @@ -735,6 +746,22 @@ static void fwnet_receive_packet(struct fw_card *card, struct fw_request *r,\n>  \tfw_send_response(card, r, rcode);\n>  }\n>  \n> +static int gasp_source_id(__be32 *p)\n> +{\n> +\treturn be32_to_cpu(p[0]) >> 16;\n> +}\n> +\n> +static u32 gasp_specifier_id(__be32 *p)\n> +{\n> +\treturn (be32_to_cpu(p[0]) & 0xffff) << 8 |\n> +\t       (be32_to_cpu(p[1]) & 0xff000000) >> 24;\n> +}\n> +\n> +static u32 gasp_version(__be32 *p)\n> +{\n> +\treturn be32_to_cpu(p[1]) & 0xffffff;\n> +}\n> +\n>  static void fwnet_receive_broadcast(struct fw_iso_context *context,\n>  \t\tu32 cycle, size_t header_length, void *header, void *data)\n>  {\n> 
@@ -744,9 +771,6 @@ static void fwnet_receive_broadcast(struct fw_iso_context *context,\n>  \t__be32 *buf_ptr;\n>  \tint retval;\n>  \tu32 length;\n> -\tu16 source_node_id;\n> -\tu32 specifier_id;\n> -\tu32 ver;\n>  \tunsigned long offset;\n>  \tunsigned long flags;\n>  \n> 
@@ -763,22 +787,17 @@ static void fwnet_receive_broadcast(struct fw_iso_context *context,\n>  \n>  \tspin_unlock_irqrestore(&dev->lock, flags);\n>  \n> -\tspecifier_id =    (be32_to_cpu(buf_ptr[0]) & 0xffff) << 8\n> -\t\t\t| (be32_to_cpu(buf_ptr[1]) & 0xff000000) >> 24;\n> -\tver = be32_to_cpu(buf_ptr[1]) & 0xffffff;\n> -\tsource_node_id = be32_to_cpu(buf_ptr[0]) >> 16;\n> -\n> -\tif (specifier_id == IANA_SPECIFIER_ID &&\n> -\t    (ver == RFC2734_SW_VERSION\n> +\tif (length > IEEE1394_GASP_HDR_SIZE &&\n> +\t    gasp_specifier_id(buf_ptr) == IANA_SPECIFIER_ID &&\n> +\t    (gasp_version(buf_ptr) == RFC2734_SW_VERSION\n>  #if IS_ENABLED(CONFIG_IPV6)\n> -\t     || ver == RFC3146_SW_VERSION\n> +\t     || gasp_version(buf_ptr) == RFC3146_SW_VERSION\n>  #endif\n> -\t    )) {\n> -\t\tbuf_ptr += 2;\n> -\t\tlength -= IEEE1394_GASP_HDR_SIZE;\n> -\t\tfwnet_incoming_packet(dev, buf_ptr, length, source_node_id,\n> +\t    ))\n> +\t\tfwnet_incoming_packet(dev, buf_ptr + 2,\n> +\t\t\t\t      length - IEEE1394_GASP_HDR_SIZE,\n> +\t\t\t\t      gasp_source_id(buf_ptr),\n>  \t\t\t\t      context->card->generation, true);\n> -\t}\n>  \n>  \tpacket.payload_length = dev->rcv_buffer_size;\n>  \tpacket.interrupt = 1;\n> \nClean cherry pick\n\nAcked-by: Colin Ian King <colin.king@canonical.com>","headers":{"Return-Path":"<kernel-team-bounces@lists.ubuntu.com>","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@bilbo.ozlabs.org","Authentication-Results":"ozlabs.org;\n\tspf=none (mailfrom) smtp.mailfrom=lists.ubuntu.com\n\t(client-ip=91.189.94.19; helo=huckleberry.canonical.com;\n\tenvelope-from=kernel-team-bounces@lists.ubuntu.com;\n\treceiver=<UNKNOWN>)","Received":["from huckleberry.canonical.com (huckleberry.canonical.com\n\t[91.189.94.19])\n\tby ozlabs.org (Postfix) with ESMTP id 3xrSbh6Rm7z9s7F;\n\tMon, 11 Sep 2017 22:56:16 +1000 (AEST)","from localhost ([127.0.0.1] helo=huckleberry.canonical.com)\n\tby huckleberry.canonical.com with esmtp (Exim 
4.86_2)\n\t(envelope-from <kernel-team-bounces@lists.ubuntu.com>)\n\tid 1drOG4-0003cL-QC; Mon, 11 Sep 2017 12:56:12 +0000","from youngberry.canonical.com ([91.189.89.112])\n\tby huckleberry.canonical.com with esmtps\n\t(TLS1.0:DHE_RSA_AES_128_CBC_SHA1:128)\n\t(Exim 4.86_2) (envelope-from <colin.king@canonical.com>)\n\tid 1drOG2-0003c7-PT\n\tfor kernel-team@lists.ubuntu.com; Mon, 11 Sep 2017 12:56:10 +0000","from 1.general.cking.uk.vpn ([10.172.193.212])\n\tby youngberry.canonical.com with esmtpsa\n\t(TLS1.0:DHE_RSA_AES_128_CBC_SHA1:16)\n\t(Exim 4.76) (envelope-from <colin.king@canonical.com>)\n\tid 1drOG2-0007Zt-Gp; Mon, 11 Sep 2017 12:56:10 +0000"],"Subject":"ACK: [Trusty SRU][CVE-2016-8633][PATCH] firewire: net: guard against\n\trx buffer overflows","To":"kernel-team@lists.ubuntu.com","References":"<20170907130233.30902-1-kleber.souza@canonical.com>","From":"Colin Ian King <colin.king@canonical.com>","Message-ID":"<21ac2448-ad83-edb9-9669-e1b7ead453fd@canonical.com>","Date":"Mon, 11 Sep 2017 13:56:09 +0100","User-Agent":"Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101\n\tThunderbird/45.8.0","MIME-Version":"1.0","In-Reply-To":"<20170907130233.30902-1-kleber.souza@canonical.com>","X-BeenThere":"kernel-team@lists.ubuntu.com","X-Mailman-Version":"2.1.20","Precedence":"list","List-Id":"Kernel team discussions <kernel-team.lists.ubuntu.com>","List-Unsubscribe":"<https://lists.ubuntu.com/mailman/options/kernel-team>,\n\t<mailto:kernel-team-request@lists.ubuntu.com?subject=unsubscribe>","List-Archive":"<https://lists.ubuntu.com/archives/kernel-team>","List-Post":"<mailto:kernel-team@lists.ubuntu.com>","List-Help":"<mailto:kernel-team-request@lists.ubuntu.com?subject=help>","List-Subscribe":"<https://lists.ubuntu.com/mailman/listinfo/kernel-team>,\n\t<mailto:kernel-team-request@lists.ubuntu.com?subject=subscribe>","Content-Type":"text/plain; 
charset=\"utf-8\"","Content-Transfer-Encoding":"base64","Errors-To":"kernel-team-bounces@lists.ubuntu.com","Sender":"\"kernel-team\" <kernel-team-bounces@lists.ubuntu.com>"}},{"id":1769199,"web_url":"http://patchwork.ozlabs.org/comment/1769199/","msgid":"<5d2be20c-5fab-4542-f393-3511f8322585@canonical.com>","list_archive_url":null,"date":"2017-09-15T13:45:33","subject":"APPLIED T: [Trusty SRU][CVE-2016-8633][PATCH] firewire: net: guard\n\tagainst rx buffer overflows","submitter":{"id":2898,"url":"http://patchwork.ozlabs.org/api/people/2898/","name":"Stefan Bader","email":"stefan.bader@canonical.com"},"content":"On 07.09.2017 15:02, Kleber Sacilotto de Souza wrote:\n> From: Stefan Richter <stefanr@s5r6.in-berlin.de>\n> \n> CVE-2016-8633\n> \n> The IP-over-1394 driver firewire-net lacked input validation when\n> handling incoming fragmented datagrams.  A maliciously formed fragment\n> with a respectively large datagram_offset would cause a memcpy past the\n> datagram buffer.\n> \n> So, drop any packets carrying a fragment with offset + length larger\n> than datagram_size.\n> \n> In addition, ensure that\n>   - GASP header, unfragmented encapsulation header, or fragment\n>     encapsulation header actually exists before we access it,\n>   - the encapsulated datagram or fragment is of nonzero size.\n> \n> Reported-by: Eyal Itkin <eyal.itkin@gmail.com>\n> Reviewed-by: Eyal Itkin <eyal.itkin@gmail.com>\n> Fixes: CVE 2016-8633\n> Cc: stable@vger.kernel.org\n> Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>\n> (cherry picked from commit 667121ace9dbafb368618dbabcf07901c962ddac)\n> Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>\n> ---\n> \n> Notes:\n>     Only Trusty still needs the fix for this CVE. Cherry pick applies cleanly,\n>     compile tested.\n>     \n>     Kleber\n> \n>  drivers/firewire/net.c | 51 ++++++++++++++++++++++++++++++++++----------------\n>  1 file changed, 35 insertions(+), 16 deletions(-)\n> \n> 
diff --git a/drivers/firewire/net.c b/drivers/firewire/net.c\n> index 4af0a7bad7f2..641eeab43c57 100644\n> --- a/drivers/firewire/net.c\n> +++ b/drivers/firewire/net.c\n> @@ -591,6 +591,9 @@ static int fwnet_incoming_packet(struct fwnet_device *dev, __be32 *buf, int len,\n>  \tint retval;\n>  \tu16 ether_type;\n>  \n> +\tif (len <= RFC2374_UNFRAG_HDR_SIZE)\n> +\t\treturn 0;\n> +\n>  \thdr.w0 = be32_to_cpu(buf[0]);\n>  \tlf = fwnet_get_hdr_lf(&hdr);\n>  \tif (lf == RFC2374_HDR_UNFRAG) {\n> @@ -615,7 +618,12 @@ static int fwnet_incoming_packet(struct fwnet_device *dev, __be32 *buf, int len,\n>  \t\treturn fwnet_finish_incoming_packet(net, skb, source_node_id,\n>  \t\t\t\t\t\t    is_broadcast, ether_type);\n>  \t}\n> +\n>  \t/* A datagram fragment has been received, now the fun begins. */\n> +\n> +\tif (len <= RFC2374_FRAG_HDR_SIZE)\n> +\t\treturn 0;\n> +\n>  \thdr.w1 = ntohl(buf[1]);\n>  \tbuf += 2;\n>  \tlen -= RFC2374_FRAG_HDR_SIZE;\n> @@ -629,6 +637,9 @@ static int fwnet_incoming_packet(struct fwnet_device *dev, __be32 *buf, int len,\n>  \tdatagram_label = fwnet_get_hdr_dgl(&hdr);\n>  \tdg_size = fwnet_get_hdr_dg_size(&hdr); /* ??? + 1 */\n>  \n> +\tif (fg_off + len > dg_size)\n> +\t\treturn 0;\n> +\n>  \tspin_lock_irqsave(&dev->lock, flags);\n>  \n>  \tpeer = fwnet_peer_find_by_node_id(dev, source_node_id, generation);\n> 
@@ -735,6 +746,22 @@ static void fwnet_receive_packet(struct fw_card *card, struct fw_request *r,\n>  \tfw_send_response(card, r, rcode);\n>  }\n>  \n> +static int gasp_source_id(__be32 *p)\n> +{\n> +\treturn be32_to_cpu(p[0]) >> 16;\n> +}\n> +\n> +static u32 gasp_specifier_id(__be32 *p)\n> +{\n> +\treturn (be32_to_cpu(p[0]) & 0xffff) << 8 |\n> +\t       (be32_to_cpu(p[1]) & 0xff000000) >> 24;\n> +}\n> +\n> +static u32 gasp_version(__be32 *p)\n> +{\n> +\treturn be32_to_cpu(p[1]) & 0xffffff;\n> +}\n> +\n>  static void fwnet_receive_broadcast(struct fw_iso_context *context,\n>  \t\tu32 cycle, size_t header_length, void *header, void *data)\n>  {\n> @@ -744,9 +771,6 @@ static void fwnet_receive_broadcast(struct fw_iso_context *context,\n>  \t__be32 *buf_ptr;\n>  \tint retval;\n>  \tu32 length;\n> -\tu16 source_node_id;\n> -\tu32 specifier_id;\n> -\tu32 ver;\n>  \tunsigned long offset;\n>  \tunsigned long flags;\n>  \n> 
@@ -763,22 +787,17 @@ static void fwnet_receive_broadcast(struct fw_iso_context *context,\n>  \n>  \tspin_unlock_irqrestore(&dev->lock, flags);\n>  \n> -\tspecifier_id =    (be32_to_cpu(buf_ptr[0]) & 0xffff) << 8\n> -\t\t\t| (be32_to_cpu(buf_ptr[1]) & 0xff000000) >> 24;\n> -\tver = be32_to_cpu(buf_ptr[1]) & 0xffffff;\n> -\tsource_node_id = be32_to_cpu(buf_ptr[0]) >> 16;\n> -\n> -\tif (specifier_id == IANA_SPECIFIER_ID &&\n> -\t    (ver == RFC2734_SW_VERSION\n> +\tif (length > IEEE1394_GASP_HDR_SIZE &&\n> +\t    gasp_specifier_id(buf_ptr) == IANA_SPECIFIER_ID &&\n> +\t    (gasp_version(buf_ptr) == RFC2734_SW_VERSION\n>  #if IS_ENABLED(CONFIG_IPV6)\n> -\t     || ver == RFC3146_SW_VERSION\n> +\t     || gasp_version(buf_ptr) == RFC3146_SW_VERSION\n>  #endif\n> -\t    )) {\n> -\t\tbuf_ptr += 2;\n> -\t\tlength -= IEEE1394_GASP_HDR_SIZE;\n> -\t\tfwnet_incoming_packet(dev, buf_ptr, length, source_node_id,\n> +\t    ))\n> +\t\tfwnet_incoming_packet(dev, buf_ptr + 2,\n> +\t\t\t\t      length - IEEE1394_GASP_HDR_SIZE,\n> +\t\t\t\t      gasp_source_id(buf_ptr),\n>  \t\t\t\t      context->card->generation, true);\n> -\t}\n>  \n>  \tpacket.payload_length = dev->rcv_buffer_size;\n>  \tpacket.interrupt = 1;\n> \nApplied to Trusty master-next","headers":{"Return-Path":"<kernel-team-bounces@lists.ubuntu.com>","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@bilbo.ozlabs.org","Authentication-Results":"ozlabs.org;\n\tspf=none (mailfrom) smtp.mailfrom=lists.ubuntu.com\n\t(client-ip=91.189.94.19; helo=huckleberry.canonical.com;\n\tenvelope-from=kernel-team-bounces@lists.ubuntu.com;\n\treceiver=<UNKNOWN>)","Received":["from huckleberry.canonical.com (huckleberry.canonical.com\n\t[91.189.94.19])\n\tby ozlabs.org (Postfix) with ESMTP id 3xtxVq58bDz9sxR;\n\tFri, 15 Sep 2017 23:45:39 +1000 (AEST)","from localhost ([127.0.0.1] helo=huckleberry.canonical.com)\n\tby huckleberry.canonical.com with esmtp (Exim 4.86_2)\n\t(envelope-from 
<kernel-team-bounces@lists.ubuntu.com>)\n\tid 1dsqw3-0002KN-Rk; Fri, 15 Sep 2017 13:45:35 +0000","from youngberry.canonical.com ([91.189.89.112])\n\tby huckleberry.canonical.com with esmtps\n\t(TLS1.0:DHE_RSA_AES_128_CBC_SHA1:128)\n\t(Exim 4.86_2) (envelope-from <stefan.bader@canonical.com>)\n\tid 1dsqw2-0002K4-Ns\n\tfor kernel-team@lists.ubuntu.com; Fri, 15 Sep 2017 13:45:34 +0000","from 1.general.smb.uk.vpn ([10.172.193.28])\n\tby youngberry.canonical.com with esmtpsa\n\t(TLS1.0:DHE_RSA_AES_128_CBC_SHA1:16)\n\t(Exim 4.76) (envelope-from <stefan.bader@canonical.com>)\n\tid 1dsqw2-0005eL-Fs\n\tfor kernel-team@lists.ubuntu.com; Fri, 15 Sep 2017 13:45:34 +0000"],"Subject":"APPLIED T: [Trusty SRU][CVE-2016-8633][PATCH] firewire: net: guard\n\tagainst rx buffer overflows","To":"kernel-team@lists.ubuntu.com","References":"<20170907130233.30902-1-kleber.souza@canonical.com>","From":"Stefan Bader <stefan.bader@canonical.com>","Message-ID":"<5d2be20c-5fab-4542-f393-3511f8322585@canonical.com>","Date":"Fri, 15 Sep 2017 15:45:33 +0200","User-Agent":"Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101\n\tThunderbird/52.2.1","MIME-Version":"1.0","In-Reply-To":"<20170907130233.30902-1-kleber.souza@canonical.com>","X-BeenThere":"kernel-team@lists.ubuntu.com","X-Mailman-Version":"2.1.20","Precedence":"list","List-Id":"Kernel team discussions 
<kernel-team.lists.ubuntu.com>","List-Unsubscribe":"<https://lists.ubuntu.com/mailman/options/kernel-team>,\n\t<mailto:kernel-team-request@lists.ubuntu.com?subject=unsubscribe>","List-Archive":"<https://lists.ubuntu.com/archives/kernel-team>","List-Post":"<mailto:kernel-team@lists.ubuntu.com>","List-Help":"<mailto:kernel-team-request@lists.ubuntu.com?subject=help>","List-Subscribe":"<https://lists.ubuntu.com/mailman/listinfo/kernel-team>,\n\t<mailto:kernel-team-request@lists.ubuntu.com?subject=subscribe>","Content-Type":"multipart/mixed;\n\tboundary=\"===============2309003032605357388==\"","Errors-To":"kernel-team-bounces@lists.ubuntu.com","Sender":"\"kernel-team\" <kernel-team-bounces@lists.ubuntu.com>"}}]
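The fragment checks quoted in the patch above, modelled as an added stand-alone example. This is not code from the kernel, from the patch, or from the Ubuntu kernel team: the RFC 2374/2734 header layout (lf in w0[31:30], datagram_size-1 in w0[27:16], fragment_offset in w0[11:0]) is assumed from the RFC, the names rx_packet, build_fragment, demo_reassembly, demo_single and struct dgram are hypothetical, and a single fixed 4096-byte buffer stands in for the kernel's per-datagram allocation. It applies the three guards in the order the patch adds them and shows the CVE shape (datagram_size 8, fragment_offset 0xfff) being rejected before any copy happens.

```c
/* Added example, not kernel code: a stand-alone model of the receive-side
 * checks the quoted patch adds to fwnet_incoming_packet(). Assumes the RFC 2734
 * header layout; all function and type names here are hypothetical. */
#include <stdint.h>
#include <string.h>

#define RFC2374_HDR_UNFRAG      0
#define RFC2374_HDR_FIRSTFRAG   1
#define RFC2374_HDR_LASTFRAG    2
#define RFC2374_HDR_INTFRAG     3
#define RFC2374_UNFRAG_HDR_SIZE 4
#define RFC2374_FRAG_HDR_SIZE   8
#define MAX_DATAGRAM            4096   /* 12-bit dg_size field, plus one */

enum rx_result { RX_ACCEPTED, RX_DROP_SHORT, RX_DROP_OUT_OF_RANGE };

/* Toy stand-in for the kernel's partial-datagram state (one fixed buffer). */
struct dgram {
	uint8_t  buf[MAX_DATAGRAM];
	uint16_t dg_size;     /* decoded datagram_size, 1..4096 */
	size_t   received;    /* payload bytes copied so far */
};

static uint32_t be32_load(const uint8_t *p)
{
	return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Decoders in the shape of the kernel's fwnet_get_hdr_* helpers. */
static unsigned hdr_lf(uint32_t w0)      { return w0 >> 30; }
static uint16_t hdr_dg_size(uint32_t w0) { return (uint16_t)(((w0 >> 16) & 0x0fff) + 1); }
static uint16_t hdr_fg_off(uint32_t w0)  { return (uint16_t)(w0 & 0x0fff); }

/* Consume one encapsulated packet, applying the patch's checks in order:
 * header present, at least one payload byte, fragment inside datagram_size. */
enum rx_result rx_packet(const uint8_t *pkt, int len, struct dgram *dg)
{
	uint32_t w0;
	unsigned lf;
	uint16_t dg_size, fg_off;

	if (len <= RFC2374_UNFRAG_HDR_SIZE)      /* no header, or empty datagram */
		return RX_DROP_SHORT;
	w0 = be32_load(pkt);
	lf = hdr_lf(w0);
	if (lf == RFC2374_HDR_UNFRAG)            /* complete datagram: nothing to reassemble */
		return RX_ACCEPTED;
	if (len <= RFC2374_FRAG_HDR_SIZE)        /* no fragment header, or empty fragment */
		return RX_DROP_SHORT;
	pkt += RFC2374_FRAG_HDR_SIZE;
	len -= RFC2374_FRAG_HDR_SIZE;
	fg_off  = (lf == RFC2374_HDR_FIRSTFRAG) ? 0 : hdr_fg_off(w0);
	dg_size = hdr_dg_size(w0);
	/* The CVE-2016-8633 check: without it a large fragment_offset makes the
	 * memcpy below write past dg->buf. */
	if (fg_off + len > dg_size)
		return RX_DROP_OUT_OF_RANGE;
	if (lf == RFC2374_HDR_FIRSTFRAG) {       /* start a fresh reassembly */
		memset(dg, 0, sizeof(*dg));
		dg->dg_size = dg_size;
	}
	memcpy(dg->buf + fg_off, pkt, (size_t)len);
	dg->received += (size_t)len;
	return RX_ACCEPTED;
}

/* Constructed test input, not a captured frame: encode one fragment.
 * w0_low is ether_type for the first fragment, fragment_offset otherwise. */
size_t build_fragment(uint8_t *out, unsigned lf, uint16_t dg_size,
		      uint16_t w0_low, const void *payload, size_t n)
{
	uint32_t w0 = ((uint32_t)lf << 30) | ((uint32_t)(dg_size - 1) << 16) | w0_low;
	out[0] = (uint8_t)(w0 >> 24); out[1] = (uint8_t)(w0 >> 16);
	out[2] = (uint8_t)(w0 >> 8);  out[3] = (uint8_t)w0;
	memset(out + 4, 0, 4);                   /* w1 (datagram_label) unused here */
	memcpy(out + 8, payload, n);
	return 8 + n;
}

/* Two fragments of an 8-byte datagram reassemble correctly; returns 1 if so. */
int demo_reassembly(void)
{
	struct dgram dg = {{0}};
	uint8_t pkt[64];
	size_t n = build_fragment(pkt, RFC2374_HDR_FIRSTFRAG, 8, 0x0800, "ABCD", 4);
	if (rx_packet(pkt, (int)n, &dg) != RX_ACCEPTED)
		return 0;
	n = build_fragment(pkt, RFC2374_HDR_LASTFRAG, 8, 4, "EFGH", 4);
	if (rx_packet(pkt, (int)n, &dg) != RX_ACCEPTED)
		return 0;
	return dg.received == 8 && memcmp(dg.buf, "ABCDEFGH", 8) == 0;
}

/* Feed one constructed fragment (payload_len <= 64 filler bytes) to a fresh
 * state and report the verdict; the CVE shape is dg_size 8, w0_low 0x0fff. */
enum rx_result demo_single(unsigned lf, uint16_t dg_size, uint16_t w0_low,
			   size_t payload_len)
{
	static const uint8_t filler[64] = "EVIL";
	struct dgram dg = {{0}};
	uint8_t pkt[RFC2374_FRAG_HDR_SIZE + sizeof(filler)];
	size_t n = build_fragment(pkt, lf, dg_size, w0_low, filler, payload_len);
	return rx_packet(pkt, (int)n, &dg);
}
```

demo_single(RFC2374_HDR_LASTFRAG, 8, 0x0fff, 4) is the malicious fragment from the commit message and returns RX_DROP_OUT_OF_RANGE; with offset 4 the same 4-byte fragment exactly fills the 8-byte datagram and is accepted, while offset 5 is rejected, which is the boundary the `>` comparison has to get right. A bare fragment header with no payload (payload_len 0) is dropped by the `len <= RFC2374_FRAG_HDR_SIZE` guard before any field is decoded.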