From patchwork Thu Nov 30 16:48:01 2017
X-Patchwork-Submitter: Kleber Sacilotto de Souza
X-Patchwork-Id: 843102
From: Kleber Sacilotto de Souza
To: kernel-team@lists.ubuntu.com
Subject: [SRU][Trusty][Zesty][PATCH v2 1/2] ipv6: avoid overflow of offset in ip6_find_1stfragopt
Date: Thu, 30 Nov 2017 17:48:01 +0100
Message-Id: <20171130164802.29160-2-kleber.souza@canonical.com>
In-Reply-To: <20171130164802.29160-1-kleber.souza@canonical.com>
References: <20171130164802.29160-1-kleber.souza@canonical.com>
List-Id: Kernel team discussions

From: Sabrina Dubroca

In some cases, offset can overflow and can cause an infinite loop in
ip6_find_1stfragopt(). Make it unsigned int to prevent the overflow, and
cap it at IPV6_MAXPLEN, since packets larger than that should be invalid.

This problem has been here since before the beginning of git history.

Signed-off-by: Sabrina Dubroca
Acked-by: Hannes Frederic Sowa
Signed-off-by: David S. Miller

CVE-2017-7542

(cherry picked from commit 6399f1fae4ec29fab5ec76070435555e256ca3a6)
Signed-off-by: Kleber Sacilotto de Souza
---
 net/ipv6/output_core.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/net/ipv6/output_core.c b/net/ipv6/output_core.c index 3764254f4523..cb80a45cd2d6 100644 --- a/net/ipv6/output_core.c +++ b/net/ipv6/output_core.c @@ -43,7 +43,7 @@ EXPORT_SYMBOL_GPL(ipv6_proxy_select_ident); int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr) { - u16 offset = sizeof(struct ipv6hdr); + unsigned int offset = sizeof(struct ipv6hdr); unsigned int packet_len = skb_tail_pointer(skb) - skb_network_header(skb); int found_rhdr = 0; @@ -51,6 +51,7 @@ int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr) while (offset <= packet_len) { struct ipv6_opt_hdr *exthdr; + unsigned int len; switch (**nexthdr) { @@ -76,7 +77,10 @@ int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr) exthdr = (struct ipv6_opt_hdr *)(skb_network_header(skb) + offset); - offset += ipv6_optlen(exthdr); + len = ipv6_optlen(exthdr); + if (len + offset >= IPV6_MAXPLEN) + return -EINVAL; + offset += len; *nexthdr = &exthdr->nexthdr; }
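Review bot: the first hunk is the part that actually stops the spin, and one sentence saying so would strengthen the SRU justification: with a 16-bit `offset`, `offset += ipv6_optlen(exthdr)` wraps once the accumulated header length passes 65535, the `while (offset <= packet_len)` test holds again and the same headers are re-read indefinitely; with `offset` the same width as `packet_len` (unsigned int, two lines below it) it increases strictly on every pass (ipv6_optlen() is never less than 8), so the loop bound alone terminates the walk and the IPV6_MAXPLEN check in the third hunk is an additional rejection of oversized chains rather than the termination guarantee.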
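Review bot: in the third hunk, `if (len + offset >= IPV6_MAXPLEN)` compares an offset counted from the start of the IPv6 header (it is initialised to `sizeof(struct ipv6hdr)` in the first hunk) against the maximum payload length, 65535, so it also rejects the last 40 bytes (plus one, because of `>=`) that a maximal non-jumbo packet may legitimately use for its option chain. Harmless as a sanity bound, but either compare against `sizeof(struct ipv6hdr) + IPV6_MAXPLEN` with `>` or add a comment that the limit is deliberately tighter than the protocol maximum. Separately, `exthdr` is read through ipv6_optlen() as soon as `offset <= packet_len` holds, and nothing in this hunk guarantees that both bytes of `struct ipv6_opt_hdr` at `offset` lie within `packet_len`; please confirm that the elided part of the loop body (between the switch and the `exthdr =` line) in the Trusty and Zesty trees already carries that length check.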
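The overflow the commit message describes, as an added example that is not part of the patch or of the Ubuntu or upstream kernel code: a user-space C model of the header walk in both its u16 and unsigned int forms, run over constructed Hop-by-Hop chains. The NEXTHDR_* and IPV6_MAXPLEN values are the kernel's and `struct ipv6_opt_hdr` / `ipv6_optlen()` follow the kernel definitions; the collapsed switch (any option header continues the walk), the local copy of nexthdr, the extra in-buffer bounds check and the MAX_ITERS guard are simplifications of this model, not kernel behaviour.

```c
/*
 * Added example, not from the patch or the kernel tree: a user-space model of
 * the ip6_find_1stfragopt() header walk before and after the fix, run over
 * constructed extension-header chains. Simplified: any option header continues
 * the walk (no found_rhdr/HAO logic), nexthdr is a local copy, and a model-only
 * bounds check plus an iteration guard keep the buggy variant from hanging.
 */
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>

#define IPV6HDR_LEN     40U            /* sizeof(struct ipv6hdr) */
#define IPV6_MAXPLEN    65535U
#define NEXTHDR_HOP     0
#define NEXTHDR_TCP     6
#define NEXTHDR_ROUTING 43
#define NEXTHDR_DEST    60
#define MAX_ITERS       1000000UL      /* demo-only guard, see -ELOOP */
#define IS_OPT_HDR(nh) ((nh) == NEXTHDR_HOP || (nh) == NEXTHDR_ROUTING || (nh) == NEXTHDR_DEST)

struct ipv6_opt_hdr { uint8_t nexthdr, hdrlen; };   /* as in the kernel */
#define ipv6_optlen(p) (((p)->hdrlen + 1) << 3)     /* 8..2048 bytes */

/* Pre-fix walk: 16-bit offset, no cap. */
static int find_1stfragopt_u16(const uint8_t *pkt, unsigned int packet_len)
{
	uint16_t offset = IPV6HDR_LEN;
	uint8_t nexthdr = pkt[6];              /* ipv6hdr.nexthdr */
	unsigned long iters = 0;

	while (offset <= packet_len) {
		const struct ipv6_opt_hdr *exthdr;

		if (++iters > MAX_ITERS)
			return -ELOOP;         /* the kernel would spin forever */
		if (!IS_OPT_HDR(nexthdr))
			return offset;
		if (offset + sizeof(*exthdr) > packet_len)
			return -EINVAL;        /* model-only: keep reads in pkt */
		exthdr = (const struct ipv6_opt_hdr *)(pkt + offset);
		offset += ipv6_optlen(exthdr); /* u16: wraps past 65535 */
		nexthdr = exthdr->nexthdr;
	}
	return -EINVAL;
}

/* Post-fix walk: unsigned int offset, capped at IPV6_MAXPLEN as in the hunk. */
static int find_1stfragopt_fixed(const uint8_t *pkt, unsigned int packet_len)
{
	unsigned int offset = IPV6HDR_LEN, len;
	uint8_t nexthdr = pkt[6];

	while (offset <= packet_len) {
		const struct ipv6_opt_hdr *exthdr;

		if (!IS_OPT_HDR(nexthdr))
			return offset;
		if (offset + sizeof(*exthdr) > packet_len)
			return -EINVAL;        /* model-only, as above */
		exthdr = (const struct ipv6_opt_hdr *)(pkt + offset);
		len = ipv6_optlen(exthdr);
		if (len + offset >= IPV6_MAXPLEN)
			return -EINVAL;        /* the cap added by the patch */
		offset += len;
		nexthdr = exthdr->nexthdr;
	}
	return -EINVAL;
}

/* Constructed input: 40-byte IPv6 header (payload length left 0), then n_ext
 * Hop-by-Hop headers of (hdrlen + 1) * 8 bytes, the last one carrying
 * last_nexthdr. Caller frees. */
static uint8_t *build_packet(unsigned int n_ext, uint8_t hdrlen,
			     uint8_t last_nexthdr, unsigned int *out_len)
{
	unsigned int ext_len = ((unsigned int)hdrlen + 1) << 3, i;
	unsigned int len = IPV6HDR_LEN + n_ext * ext_len;
	uint8_t *pkt = calloc(len, 1);

	if (!pkt)
		abort();
	pkt[0] = 0x60;                         /* version 6 */
	pkt[6] = n_ext ? NEXTHDR_HOP : last_nexthdr;
	for (i = 0; i < n_ext; i++) {
		struct ipv6_opt_hdr *h =
			(struct ipv6_opt_hdr *)(pkt + IPV6HDR_LEN + i * ext_len);
		h->nexthdr = (i + 1 < n_ext) ? NEXTHDR_HOP : last_nexthdr;
		h->hdrlen = hdrlen;
	}
	*out_len = len;
	return pkt;
}

/* Build one chain, run the chosen variant on it, return its result. */
static int run_case(unsigned int n_ext, uint8_t hdrlen, uint8_t last_nexthdr,
		    int use_fixed)
{
	unsigned int len;
	uint8_t *pkt = build_packet(n_ext, hdrlen, last_nexthdr, &len);
	int r = use_fixed ? find_1stfragopt_fixed(pkt, len)
			  : find_1stfragopt_u16(pkt, len);

	free(pkt);
	return r;
}
```

Three calls show the behaviour. `run_case(1, 0, NEXTHDR_TCP, ...)` is a 48-byte packet with one 8-byte Hop-by-Hop header: both variants return 48. `run_case(32, 255, NEXTHDR_HOP, ...)` is 32 headers of 2048 bytes whose last nexthdr still claims another option header: the u16 walk wraps from 65576 back to 40 and re-reads the same chain until the guard trips (-ELOOP; the kernel would spin), while the fixed walk returns -EINVAL at the cap. `run_case(32, 255, NEXTHDR_TCP, ...)` is the same chain ending in TCP: the u16 walk wraps and reports offset 40, which would place the fragment header directly after the IPv6 header, and the fixed walk again returns -EINVAL.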