From patchwork Tue Jan 9 03:30:19 2018
X-Patchwork-Submitter: Po-Hsu Lin
X-Patchwork-Id: 857202
From: Po-Hsu Lin
To: kernel-team@lists.ubuntu.com
Subject: [CVE-2017-18017][Trusty][Zesty][PATCH 1/1] netfilter: xt_TCPMSS: add more sanity tests on tcph->doff
Date: Tue, 9 Jan 2018 11:30:19 +0800
Message-Id: <20180109033019.5717-2-po-hsu.lin@canonical.com>
X-Mailer: git-send-email 2.11.0
In-Reply-To: <20180109033019.5717-1-po-hsu.lin@canonical.com>
References: <20180109033019.5717-1-po-hsu.lin@canonical.com>
List-Id: Kernel team discussions
Errors-To: kernel-team-bounces@lists.ubuntu.com
Sender: "kernel-team"

From: Eric Dumazet

CVE-2017-18017

Denys provided an awesome KASAN report pointing to a use after free in xt_TCPMSS

I have provided three patches to fix this issue, either in xt_TCPMSS or in xt_tcpudp.c. It seems the xt_TCPMSS patch has the smallest possible impact.

Signed-off-by: Eric Dumazet
Reported-by: Denys Fedoryshchenko
Signed-off-by: Pablo Neira Ayuso
(cherry picked from commit 2638fd0f92d4397884fd991d8f4925cb3f081901)
Signed-off-by: Po-Hsu Lin Acked-by: Khalid Elmously Acked-by: Kamal Mostafa --- net/netfilter/xt_TCPMSS.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/net/netfilter/xt_TCPMSS.c b/net/netfilter/xt_TCPMSS.c index e762de5..6531d70 100644 --- a/net/netfilter/xt_TCPMSS.c +++ b/net/netfilter/xt_TCPMSS.c @@ -104,7 +104,7 @@ tcpmss_mangle_packet(struct sk_buff *skb, tcph = (struct tcphdr *)(skb_network_header(skb) + tcphoff); tcp_hdrlen = tcph->doff * 4; - if (len < tcp_hdrlen) + if (len < tcp_hdrlen || tcp_hdrlen < sizeof(struct tcphdr)) return -1; if (info->mss == XT_TCPMSS_CLAMP_PMTU) { @@ -156,6 +156,10 @@ tcpmss_mangle_packet(struct sk_buff *skb, if (len > tcp_hdrlen) return 0; + /* tcph->doff has 4 bits, do not wrap it to 0 */ + if (tcp_hdrlen >= 15 * 4) + return 0; + /* * MSS Option not found ?! add it.. */
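Review bot: in the first hunk (the `@@ -104,7` region of tcpmss_mangle_packet), the new `tcp_hdrlen < sizeof(struct tcphdr)` test needs a one-line comment stating what it rejects: a `doff` below 5 encodes fewer than the 20 mandatory TCP header bytes, so the header cannot be valid and every later use of `tcp_hdrlen` in this function, which assumes it covers at least `struct tcphdr`, would be working past real data. Returning -1 here, the same value the existing `len < tcp_hdrlen` truncation case uses, drops the packet instead of mangling it, which is the right failure mode for an impossible header. If `tcp_hdrlen` is declared as a signed int, comparing it against `sizeof()` promotes it to unsigned; that is harmless because `tcph->doff * 4` is at most 60 and never negative, but saying so in the comment spares the next reader the same check.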
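Review bot: in the second hunk (the `@@ -156,6` region), the new `tcp_hdrlen >= 15 * 4` guard returns 0 (accept the packet untouched) rather than the -1 used for the malformed-header cases earlier in the function, so a SYN whose 60-byte header already carries a full option block and no MSS option now passes with no clamping at all. If the rule is meant to guarantee an MSS on every SYN that is a silent fail-open; it at least deserves a comment, and a rate-limited debug message would make the case observable. The comment "tcph->doff has 4 bits, do not wrap it to 0" would also read better in terms of the arithmetic it protects: the MSS option about to be inserted is 4 bytes, so `doff` can only be incremented when it is at most 14, and `15 * 4` is exactly the 60-byte ceiling of a 4-bit `doff`; writing the bound as `(0xF * 4)` or in terms of `TCPOLEN_MSS` instead of the bare `15 * 4` would tie the constant to that reasoning.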