From patchwork Wed Sep 6 12:02:08 2017
X-Patchwork-Submitter: Kleber Sacilotto de Souza
X-Patchwork-Id: 810547
From: Kleber Sacilotto de Souza
To: kernel-team@lists.ubuntu.com
Subject: [Trusty SRU][CVE-2016-8632][PATCH 1/1] tipc: check minimum bearer MTU
Date: Wed, 6 Sep 2017 14:02:08 +0200
Message-Id: <20170906120208.10561-2-kleber.souza@canonical.com>
In-Reply-To: <20170906120208.10561-1-kleber.souza@canonical.com>
References: <20170906120208.10561-1-kleber.souza@canonical.com>
List-Id: Kernel team discussions
From: Michal Kubeček

Qian Zhang (张谦) reported a potential socket buffer overflow in
tipc_msg_build() which is also known as CVE-2016-8632: due to insufficient
checks, a buffer overflow can occur if MTU is too short for even tipc
headers. As anyone can set device MTU in a user/net namespace, this issue
can be abused by a regular user.

As agreed in the discussion on Ben Hutchings' original patch, we should
check the MTU at the moment a bearer is attached rather than for each
processed packet. We also need to repeat the check when bearer MTU is
adjusted to new device MTU. UDP case also needs a check to avoid overflow
when calculating bearer MTU.

Fixes: b97bf3fd8f6a ("[TIPC] Initial merge")
Signed-off-by: Michal Kubecek
Reported-by: Qian Zhang (张谦)
Acked-by: Ying Xue
Signed-off-by: David S. Miller

CVE-2016-8632

(backported from commit 3de81b758853f0b29c61e246679d20b513c4cfec)
[kleber:
 - Adjust context
 - Duplicate macro definitions in bearer.h to avoid mutual inclusion
 - Duplicate bearer changes for eth and ib media
 - Drop changes in udp_media.c]
Signed-off-by: Kleber Sacilotto de Souza
Acked-by: Stefan Bader
Acked-by: Colin Ian King
---
 net/tipc/bearer.h    | 16 ++++++++++++++++
 net/tipc/eth_media.c | 11 +++++++++--
 net/tipc/ib_media.c  | 11 +++++++++--
 3 files changed, 34 insertions(+), 4 deletions(-)

diff --git a/net/tipc/bearer.h b/net/tipc/bearer.h index e5e04be6fffa..cc8bc3b7cb6f 100644 --- a/net/tipc/bearer.h +++ b/net/tipc/bearer.h @@ -58,6 +58,13 @@ #define TIPC_MEDIA_TYPE_ETH 1 #define TIPC_MEDIA_TYPE_IB 2 +/* Message header sizes from msg.h - duplicated to avoid mutual inclusion */ +#define INT_H_SIZE 40 +#define MAX_H_SIZE 60 + +/* minimum bearer MTU */ +#define TIPC_MIN_BEARER_MTU (MAX_H_SIZE + INT_H_SIZE) + /** * struct tipc_media_addr - destination address used by TIPC bearers * @value: address info (format defined by media) 
@@ -210,4 +217,13 @@ static inline void tipc_bearer_send(struct tipc_bearer *b, struct sk_buff *buf, b->media->send_msg(buf, b, dest); } +/* check if device MTU is too low for tipc headers */ +static inline bool tipc_mtu_bad(struct net_device *dev, unsigned int reserve) +{ + if (dev->mtu >= TIPC_MIN_BEARER_MTU + reserve) + return false; + netdev_warn(dev, "MTU too low for tipc bearer\n"); + return true; +} + #endif /* _TIPC_BEARER_H */ diff --git a/net/tipc/eth_media.c b/net/tipc/eth_media.c index f80d59f5a161..3fe074af15ec 100644 --- a/net/tipc/eth_media.c +++ b/net/tipc/eth_media.c @@ -180,6 +180,10 @@ static int enable_media(struct tipc_bearer *tb_ptr) dev = dev_get_by_name(&init_net, driver_name); if (!dev) return -ENODEV; + if (tipc_mtu_bad(dev, 0)) { + dev_put(dev); + return -EINVAL; + } /* Create Ethernet bearer for device */ eb_ptr->dev = dev; @@ -258,8 +262,6 @@ static int recv_notification(struct notifier_block *nb, unsigned long evt, if (!eb_ptr->bearer) return NOTIFY_DONE; /* bearer had been disabled */ - eb_ptr->bearer->mtu = dev->mtu; - switch (evt) { case NETDEV_CHANGE: if (netif_carrier_ok(dev)) @@ -274,6 +276,11 @@ static int recv_notification(struct notifier_block *nb, unsigned long evt, tipc_block_bearer(eb_ptr->bearer); break; case NETDEV_CHANGEMTU: + if (tipc_mtu_bad(dev, 0)) { + tipc_disable_bearer(eb_ptr->bearer->name); + break; + } + eb_ptr->bearer->mtu = dev->mtu; case NETDEV_CHANGEADDR: tipc_block_bearer(eb_ptr->bearer); tipc_continue(eb_ptr->bearer); diff --git a/net/tipc/ib_media.c b/net/tipc/ib_media.c index c13989297464..c34380b9357c 100644 --- a/net/tipc/ib_media.c +++ b/net/tipc/ib_media.c @@ -173,6 +173,10 @@ static int enable_media(struct tipc_bearer *tb_ptr) dev = dev_get_by_name(&init_net, driver_name); if (!dev) return -ENODEV; + if (tipc_mtu_bad(dev, 0)) { + dev_put(dev); + return -EINVAL; + } /* Create InfiniBand bearer for device */ ib_ptr->dev = dev; 
@@ -251,8 +255,6 @@ static int recv_notification(struct notifier_block *nb, unsigned long evt, if (!ib_ptr->bearer) return NOTIFY_DONE; /* bearer had been disabled */ - ib_ptr->bearer->mtu = dev->mtu; - switch (evt) { case NETDEV_CHANGE: if (netif_carrier_ok(dev)) @@ -267,6 +269,11 @@ static int recv_notification(struct notifier_block *nb, unsigned long evt, tipc_block_bearer(ib_ptr->bearer); break; case NETDEV_CHANGEMTU: + if (tipc_mtu_bad(dev, 0)) { + tipc_disable_bearer(ib_ptr->bearer->name); + break; + } + ib_ptr->bearer->mtu = dev->mtu; case NETDEV_CHANGEADDR: tipc_block_bearer(ib_ptr->bearer); tipc_continue(ib_ptr->bearer);
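Review bot: in the bearer.h hunk that adds the macros, the copies of INT_H_SIZE and MAX_H_SIZE can silently drift from the originals in msg.h: the preprocessor accepts an identical redefinition without a word, and only a translation unit that includes both headers after a divergent change would get a "redefined" warning. Suggest a matching comment next to the msg.h definitions pointing back at bearer.h, and a check that at least one .c file in net/tipc includes both headers, so that a later change to the header sizes cannot leave TIPC_MIN_BEARER_MTU below what tipc_msg_build() actually needs.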
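Review bot: in the tipc_mtu_bad() hunk, every caller in this backport passes reserve = 0 (the UDP media that used a non-zero reserve upstream is dropped, per the backport note), so the parameter is effectively unused here. Keeping it for parity with upstream is the right call, but a one-line comment saying so would stop a later cleanup from removing it and complicating a future udp_media.c backport.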
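Review bot: in the eth_media.c enable_media() hunk, dev->mtu is read once, before the bearer is attached; please confirm enable_media() is serialized with dev_set_mtu() (RTNL). If it is not, an MTU change landing after `if (tipc_mtu_bad(dev, 0))` but before eb_ptr->bearer is set would reach recv_notification() while `if (!eb_ptr->bearer) return NOTIFY_DONE;` still fires, and the event would be ignored, leaving a bearer on a device whose MTU was never validated. Re-checking once eb_ptr->bearer is assigned would close that window. The dev_put() before returning -EINVAL is correct.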
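Review bot: in the eth_media.c recv_notification() hunk, the NETDEV_CHANGEMTU case now ends with `eb_ptr->bearer->mtu = dev->mtu;` and deliberately falls into NETDEV_CHANGEADDR so the bearer is blocked and continued with the new MTU; add a `/* fall through */` comment there so the missing break reads as intentional and does not trip -Wimplicit-fallthrough on newer toolchains. Dropping the unconditional `eb_ptr->bearer->mtu = dev->mtu;` above the switch is fine, since NETDEV_CHANGEMTU is the event dev_set_mtu() raises for a successful change, so no other case loses the update. One thing to confirm: tipc_disable_bearer() must clear eb_ptr->bearer, otherwise the early-out at the top of the function will not stop netdev_warn() from repeating on every later MTU change to the same device.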
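Review bot: the ib_media.c enable_media() hunk has the same single-read concern as the Ethernet one: the check happens before ib_ptr->bearer is set, so either confirm it is serialized with dev_set_mtu() or re-check after the bearer is attached. Since this hunk and the Ethernet hunk are identical apart from the eb_ptr/ib_ptr name, any follow-up fix needs to land in both files.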
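Review bot: the ib_media.c recv_notification() hunk needs the same `/* fall through */` comment after `ib_ptr->bearer->mtu = dev->mtu;` as its Ethernet twin, and the same confirmation that tipc_disable_bearer() clears ib_ptr->bearer so `if (!ib_ptr->bearer) return NOTIFY_DONE;` suppresses repeated warnings once the bearer has been disabled.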
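As an added illustration of the arithmetic behind TIPC_MIN_BEARER_MTU (example code written for this page, not the kernel's tipc_msg_build() and not code from the patch or from the Ubuntu kernel team), the block below models a fragmenting message builder in user space: every fragment is an mtu-byte buffer, the first fragment must hold an INT_H_SIZE fragment header plus the original message header (up to MAX_H_SIZE), so any MTU below MAX_H_SIZE + INT_H_SIZE cannot even hold the first fragment's headers. It also applies the attach-time policy the patch takes, refusing the device instead of checking every packet. The names build_fragments() and attach_bearer() are this example's own; the 40/60 header sizes are the values from the patch; the reserve of 28 used in the usage note is an assumed IPv4+UDP encapsulation overhead, not a figure from the page.

```c
/* Added example for this page: a user-space model of why TIPC needs
 * dev->mtu >= MAX_H_SIZE + INT_H_SIZE (+ media reserve). It is not the
 * kernel's tipc_msg_build() and not code from the patch above. */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define INT_H_SIZE 40                 /* fragment header size, as in the patch */
#define MAX_H_SIZE 60                 /* largest message header, as in the patch */
#define TIPC_MIN_BEARER_MTU (MAX_H_SIZE + INT_H_SIZE)

/* Same predicate as tipc_mtu_bad() in the patch, minus the netdev_warn(). */
static bool mtu_bad(unsigned int mtu, unsigned int reserve)
{
	return mtu < TIPC_MIN_BEARER_MTU + reserve;
}

/*
 * Model of a fragmenting builder: each fragment is an mtu-byte buffer.
 * The first fragment carries INT_H_SIZE + hdr_sz bytes of headers, later
 * ones INT_H_SIZE. Returns the fragment count, or -1 when a fragment's
 * headers alone exceed mtu (the write that overflows in the unpatched
 * kernel) or when later fragments could never carry any payload. No
 * buffer is written; the arithmetic is the point.
 */
static int build_fragments(unsigned int mtu, unsigned int hdr_sz,
			   size_t payload_len)
{
	size_t done, room_first, room_rest;
	int nfrags = 1;

	if (hdr_sz > MAX_H_SIZE)
		return -1;
	if (INT_H_SIZE + hdr_sz > mtu)
		return -1;		/* first fragment's headers do not fit */
	room_first = mtu - (INT_H_SIZE + hdr_sz);
	room_rest = mtu - INT_H_SIZE;
	done = payload_len < room_first ? payload_len : room_first;
	if (done < payload_len && room_rest == 0)
		return -1;		/* no fragment could make progress */
	while (done < payload_len) {
		size_t take = payload_len - done;

		if (take > room_rest)
			take = room_rest;
		done += take;
		nfrags++;
	}
	return nfrags;
}

/* Attach-time policy from the patch: reject the device up front rather than
 * checking each packet. Returns the bearer MTU, or -EINVAL as the patched
 * enable_media() does. */
static int attach_bearer(unsigned int dev_mtu, unsigned int reserve)
{
	if (mtu_bad(dev_mtu, reserve))
		return -EINVAL;
	return (int)dev_mtu;
}

int main(void)
{
	const unsigned int mtus[] = { 1500, 100, 99, 64 };
	size_t i;

	for (i = 0; i < sizeof(mtus) / sizeof(mtus[0]); i++) {
		int rc = attach_bearer(mtus[i], 0);
		int frags = build_fragments(mtus[i], MAX_H_SIZE, 1000);

		printf("mtu %4u: attach %-7s build: ", mtus[i],
		       rc < 0 ? "refused" : "ok");
		if (frags < 0)
			printf("headers overflow the buffer\n");
		else
			printf("%d fragment(s)\n", frags);
	}
	return 0;
}
```

An MTU of 64 is a useful case: it builds fine for a message with a 20-byte header but overflows as soon as the header is MAX_H_SIZE, which is why the minimum is computed from the largest header rather than a typical one. With the assumed UDP reserve of 28, an MTU of 120 is refused and 128 is accepted, mirroring the upstream UDP check the backport note says was dropped for Trusty.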