[CVE-2017-18017,Trusty,Zesty,1/1] netfilter: xt_TCPMSS: add more sanity tests on tcph->doff

Message ID 20180109033019.5717-2-po-hsu.lin@canonical.com
State New
Headers show
Series
  • [CVE-2017-18017,Trusty,Zesty,1/1] netfilter: xt_TCPMSS: add more sanity tests on tcph->doff
Related show

Commit Message

Po-Hsu Lin Jan. 9, 2018, 3:30 a.m.
From: Eric Dumazet <edumazet@google.com>

CVE-2017-18017

Denys provided an awesome KASAN report pointing to an use
after free in xt_TCPMSS

I have provided three patches to fix this issue, either in xt_TCPMSS or
in xt_tcpudp.c. It seems xt_TCPMSS patch has the smallest possible
impact.

Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Denys Fedoryshchenko <nuclearcat@nuclearcat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
(cherry picked from commit 2638fd0f92d4397884fd991d8f4925cb3f081901)
Signed-off-by: Po-Hsu Lin <po-hsu.lin@canonical.com>
---
 net/netfilter/xt_TCPMSS.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

Comments

Khaled Elmously Jan. 30, 2018, 6:22 a.m. | #1
On 2018-01-09 11:30:19 , Po-Hsu Lin wrote:
> From: Eric Dumazet <edumazet@google.com>
> 
> CVE-2017-18017
> 
> Denys provided an awesome KASAN report pointing to an use
> after free in xt_TCPMSS
> 
> I have provided three patches to fix this issue, either in xt_TCPMSS or
> in xt_tcpudp.c. It seems xt_TCPMSS patch has the smallest possible
> impact.
> 
> Signed-off-by: Eric Dumazet <edumazet@google.com>
> Reported-by: Denys Fedoryshchenko <nuclearcat@nuclearcat.com>
> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
> (cherry picked from commit 2638fd0f92d4397884fd991d8f4925cb3f081901)
> Signed-off-by: Po-Hsu Lin <po-hsu.lin@canonical.com>
> ---
>  net/netfilter/xt_TCPMSS.c | 6 +++++-
>  1 file changed, 5 insertions(+), 1 deletion(-)
> 
> diff --git a/net/netfilter/xt_TCPMSS.c b/net/netfilter/xt_TCPMSS.c
> index e762de5..6531d70 100644
> --- a/net/netfilter/xt_TCPMSS.c
> +++ b/net/netfilter/xt_TCPMSS.c
> @@ -104,7 +104,7 @@ tcpmss_mangle_packet(struct sk_buff *skb,
>  	tcph = (struct tcphdr *)(skb_network_header(skb) + tcphoff);
>  	tcp_hdrlen = tcph->doff * 4;
>  
> -	if (len < tcp_hdrlen)
> +	if (len < tcp_hdrlen || tcp_hdrlen < sizeof(struct tcphdr))
>  		return -1;
>  
>  	if (info->mss == XT_TCPMSS_CLAMP_PMTU) {
> @@ -156,6 +156,10 @@ tcpmss_mangle_packet(struct sk_buff *skb,
>  	if (len > tcp_hdrlen)
>  		return 0;
>  
> +	/* tcph->doff has 4 bits, do not wrap it to 0 */
> +	if (tcp_hdrlen >= 15 * 4)
> +		return 0;
> +
>  	/*
>  	 * MSS Option not found ?! add it..
>  	 */

NACK for Zesty because it's EOL.

Ack for Trusty:
Acked-by: Khalid Elmously <khalid.elmously@canonical.com>
Kamal Mostafa Jan. 31, 2018, 6:59 p.m. | #2
Acked-by: Kamal Mostafa <kamal@canonical.com>
Stefan Bader Feb. 2, 2018, 9:57 a.m. | #3
On 09.01.2018 04:30, Po-Hsu Lin wrote:
> From: Eric Dumazet <edumazet@google.com>
> 
> CVE-2017-18017
> 
> Denys provided an awesome KASAN report pointing to an use
> after free in xt_TCPMSS
> 
> I have provided three patches to fix this issue, either in xt_TCPMSS or
> in xt_tcpudp.c. It seems xt_TCPMSS patch has the smallest possible
> impact.
> 
> Signed-off-by: Eric Dumazet <edumazet@google.com>
> Reported-by: Denys Fedoryshchenko <nuclearcat@nuclearcat.com>
> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
> (cherry picked from commit 2638fd0f92d4397884fd991d8f4925cb3f081901)
> Signed-off-by: Po-Hsu Lin <po-hsu.lin@canonical.com>
> ---
>  net/netfilter/xt_TCPMSS.c | 6 +++++-
>  1 file changed, 5 insertions(+), 1 deletion(-)
> 
> diff --git a/net/netfilter/xt_TCPMSS.c b/net/netfilter/xt_TCPMSS.c
> index e762de5..6531d70 100644
> --- a/net/netfilter/xt_TCPMSS.c
> +++ b/net/netfilter/xt_TCPMSS.c
> @@ -104,7 +104,7 @@ tcpmss_mangle_packet(struct sk_buff *skb,
>  	tcph = (struct tcphdr *)(skb_network_header(skb) + tcphoff);
>  	tcp_hdrlen = tcph->doff * 4;
>  
> -	if (len < tcp_hdrlen)
> +	if (len < tcp_hdrlen || tcp_hdrlen < sizeof(struct tcphdr))
>  		return -1;
>  
>  	if (info->mss == XT_TCPMSS_CLAMP_PMTU) {
> @@ -156,6 +156,10 @@ tcpmss_mangle_packet(struct sk_buff *skb,
>  	if (len > tcp_hdrlen)
>  		return 0;
>  
> +	/* tcph->doff has 4 bits, do not wrap it to 0 */
> +	if (tcp_hdrlen >= 15 * 4)
> +		return 0;
> +
>  	/*
>  	 * MSS Option not found ?! add it..
>  	 */
>

Patch

diff --git a/net/netfilter/xt_TCPMSS.c b/net/netfilter/xt_TCPMSS.c
index e762de5..6531d70 100644
--- a/net/netfilter/xt_TCPMSS.c
+++ b/net/netfilter/xt_TCPMSS.c
@@ -104,7 +104,7 @@  tcpmss_mangle_packet(struct sk_buff *skb,
 	tcph = (struct tcphdr *)(skb_network_header(skb) + tcphoff);
 	tcp_hdrlen = tcph->doff * 4;
 
-	if (len < tcp_hdrlen)
+	if (len < tcp_hdrlen || tcp_hdrlen < sizeof(struct tcphdr))
 		return -1;
 
 	if (info->mss == XT_TCPMSS_CLAMP_PMTU) {
@@ -156,6 +156,10 @@  tcpmss_mangle_packet(struct sk_buff *skb,
 	if (len > tcp_hdrlen)
 		return 0;
 
+	/* tcph->doff has 4 bits, do not wrap it to 0 */
+	if (tcp_hdrlen >= 15 * 4)
+		return 0;
+
 	/*
 	 * MSS Option not found ?! add it..
 	 */