| Message ID | 20180109033019.5717-2-po-hsu.lin@canonical.com |
|---|---|
| State | New |
| Series | [CVE-2017-18017,Trusty,Zesty,1/1] netfilter: xt_TCPMSS: add more sanity tests on tcph->doff |
On 2018-01-09 11:30:19, Po-Hsu Lin wrote:

> From: Eric Dumazet <edumazet@google.com> > > CVE-2017-18017 > > Denys provided an awesome KASAN report pointing to an use > after free in xt_TCPMSS > > I have provided three patches to fix this issue, either in xt_TCPMSS or > in xt_tcpudp.c. It seems xt_TCPMSS patch has the smallest possible > impact. > > Signed-off-by: Eric Dumazet <edumazet@google.com> > Reported-by: Denys Fedoryshchenko <nuclearcat@nuclearcat.com> > Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> > (cherry picked from commit 2638fd0f92d4397884fd991d8f4925cb3f081901) > Signed-off-by: Po-Hsu Lin <po-hsu.lin@canonical.com> > --- > net/netfilter/xt_TCPMSS.c | 6 +++++- > 1 file changed, 5 insertions(+), 1 deletion(-) > > diff --git a/net/netfilter/xt_TCPMSS.c b/net/netfilter/xt_TCPMSS.c > index e762de5..6531d70 100644 > --- a/net/netfilter/xt_TCPMSS.c > +++ b/net/netfilter/xt_TCPMSS.c > @@ -104,7 +104,7 @@ tcpmss_mangle_packet(struct sk_buff *skb, > tcph = (struct tcphdr *)(skb_network_header(skb) + tcphoff); > tcp_hdrlen = tcph->doff * 4; > > - if (len < tcp_hdrlen) > + if (len < tcp_hdrlen || tcp_hdrlen < sizeof(struct tcphdr)) > return -1; > > if (info->mss == XT_TCPMSS_CLAMP_PMTU) { > @@ -156,6 +156,10 @@ tcpmss_mangle_packet(struct sk_buff *skb, > if (len > tcp_hdrlen) > return 0; > > + /* tcph->doff has 4 bits, do not wrap it to 0 */ > + if (tcp_hdrlen >= 15 * 4) > + return 0; > + > /* > * MSS Option not found ?! add it.. > */

NACK for Zesty because it's EOL. Ack for Trusty:

Acked-by: Khalid Elmously <khalid.elmously@canonical.com>
Acked-by: Kamal Mostafa <kamal@canonical.com>
On 09.01.2018 04:30, Po-Hsu Lin wrote:

> From: Eric Dumazet <edumazet@google.com> > > CVE-2017-18017 > > Denys provided an awesome KASAN report pointing to an use > after free in xt_TCPMSS > > I have provided three patches to fix this issue, either in xt_TCPMSS or > in xt_tcpudp.c. It seems xt_TCPMSS patch has the smallest possible > impact. > > Signed-off-by: Eric Dumazet <edumazet@google.com> > Reported-by: Denys Fedoryshchenko <nuclearcat@nuclearcat.com> > Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> > (cherry picked from commit 2638fd0f92d4397884fd991d8f4925cb3f081901) > Signed-off-by: Po-Hsu Lin <po-hsu.lin@canonical.com> > --- > net/netfilter/xt_TCPMSS.c | 6 +++++- > 1 file changed, 5 insertions(+), 1 deletion(-) > > diff --git a/net/netfilter/xt_TCPMSS.c b/net/netfilter/xt_TCPMSS.c > index e762de5..6531d70 100644 > --- a/net/netfilter/xt_TCPMSS.c > +++ b/net/netfilter/xt_TCPMSS.c > @@ -104,7 +104,7 @@ tcpmss_mangle_packet(struct sk_buff *skb, > tcph = (struct tcphdr *)(skb_network_header(skb) + tcphoff); > tcp_hdrlen = tcph->doff * 4; > > - if (len < tcp_hdrlen) > + if (len < tcp_hdrlen || tcp_hdrlen < sizeof(struct tcphdr)) > return -1; > > if (info->mss == XT_TCPMSS_CLAMP_PMTU) { > @@ -156,6 +156,10 @@ tcpmss_mangle_packet(struct sk_buff *skb, > if (len > tcp_hdrlen) > return 0; > > + /* tcph->doff has 4 bits, do not wrap it to 0 */ > + if (tcp_hdrlen >= 15 * 4) > + return 0; > + > /* > * MSS Option not found ?! add it.. > */ >
diff --git a/net/netfilter/xt_TCPMSS.c b/net/netfilter/xt_TCPMSS.c index e762de5..6531d70 100644 --- a/net/netfilter/xt_TCPMSS.c +++ b/net/netfilter/xt_TCPMSS.c @@ -104,7 +104,7 @@ tcpmss_mangle_packet(struct sk_buff *skb, tcph = (struct tcphdr *)(skb_network_header(skb) + tcphoff); tcp_hdrlen = tcph->doff * 4; - if (len < tcp_hdrlen) + if (len < tcp_hdrlen || tcp_hdrlen < sizeof(struct tcphdr)) return -1; if (info->mss == XT_TCPMSS_CLAMP_PMTU) { @@ -156,6 +156,10 @@ tcpmss_mangle_packet(struct sk_buff *skb, if (len > tcp_hdrlen) return 0; + /* tcph->doff has 4 bits, do not wrap it to 0 */ + if (tcp_hdrlen >= 15 * 4) + return 0; + /* * MSS Option not found ?! add it.. */
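Review bot: the new `tcp_hdrlen < sizeof(struct tcphdr)` guard in the first hunk (@@ -104,7) has no comment and the commit message does not say what it prevents; it only mentions a KASAN use-after-free report. Before the change the only bound on `tcp_hdrlen` was the upper one (`len < tcp_hdrlen`), so a `doff` of 0 to 4 produced a header length shorter than the `struct tcphdr` that `tcph` is cast to two lines earlier, and the rest of the function kept operating on it. Suggest a one-line comment beside the check, in the style of the one in the second hunk, e.g. `/* doff < 5 is invalid: header would be shorter than struct tcphdr */`, and a sentence in the log tying the use-after-free to the undersized header. Returning -1 here matches the existing short-packet path, which is the right choice.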
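Review bot: the `15 * 4` literal in the second hunk (@@ -156,6) is the 4-bit `doff` maximum (15 words, 60 bytes) but reads as a magic number; the comment above it says "do not wrap it to 0" without saying what would wrap. Consider spelling it out, e.g. `/* doff is 4 bits (max 15 words); appending the 4-byte MSS option to a full 60-byte header would make it 16, i.e. wrap to 0 */`, or a named constant for the maximum header length. Note also that this path returns 0, the same "nothing to do" value as the `len > tcp_hdrlen` early-out just above it, rather than the -1 used by the sanity check in the first hunk, so a packet whose header is already full is passed through without an MSS option being added; the log should state that this is intentional.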