{"id":811003,"url":"http://patchwork.ozlabs.org/api/1.2/patches/811003/?format=json","web_url":"http://patchwork.ozlabs.org/project/ubuntu-kernel/patch/20170907130233.30902-1-kleber.souza@canonical.com/","project":{"id":15,"url":"http://patchwork.ozlabs.org/api/1.2/projects/15/?format=json","name":"Ubuntu Kernel","link_name":"ubuntu-kernel","list_id":"kernel-team.lists.ubuntu.com","list_email":"kernel-team@lists.ubuntu.com","web_url":null,"scm_url":null,"webscm_url":null,"list_archive_url":"","list_archive_url_format":"","commit_url_format":""},"msgid":"<20170907130233.30902-1-kleber.souza@canonical.com>","list_archive_url":null,"date":"2017-09-07T13:02:33","name":"[Trusty,SRU,CVE-2016-8633] firewire: net: guard against rx buffer overflows","commit_ref":null,"pull_url":null,"state":"new","archived":false,"hash":"e4f88df72a7a8dcc2e02af02a4f82ed86431d5a1","submitter":{"id":71419,"url":"http://patchwork.ozlabs.org/api/1.2/people/71419/?format=json","name":"Kleber Sacilotto de Souza","email":"kleber.souza@canonical.com"},"delegate":null,"mbox":"http://patchwork.ozlabs.org/project/ubuntu-kernel/patch/20170907130233.30902-1-kleber.souza@canonical.com/mbox/","series":[{"id":1997,"url":"http://patchwork.ozlabs.org/api/1.2/series/1997/?format=json","web_url":"http://patchwork.ozlabs.org/project/ubuntu-kernel/list/?series=1997","date":"2017-09-07T13:02:33","name":"[Trusty,SRU,CVE-2016-8633] firewire: net: guard against rx buffer overflows","version":1,"mbox":"http://patchwork.ozlabs.org/series/1997/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/patches/811003/comments/","check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/811003/checks/","tags":{},"related":[],"headers":{"From":"Kleber Sacilotto de Souza <kleber.souza@canonical.com>","To":"kernel-team@lists.ubuntu.com","Subject":"[Trusty SRU][CVE-2016-8633][PATCH] firewire: net: guard against rx\n\tbuffer overflows","Date":"Thu,  7 Sep 2017 15:02:33 +0200","Message-Id":"<20170907130233.30902-1-kleber.souza@canonical.com>","X-Mailer":"git-send-email 2.14.1","List-Id":"Kernel team discussions <kernel-team.lists.ubuntu.com>"},"content":"From: Stefan Richter <stefanr@s5r6.in-berlin.de>\n\nCVE-2016-8633\n\nThe IP-over-1394 driver firewire-net lacked input validation when\nhandling incoming fragmented datagrams.  A maliciously formed fragment\nwith a respectively large datagram_offset would cause a memcpy past the\ndatagram buffer.\n\nSo, drop any packets carrying a fragment with offset + length larger\nthan datagram_size.\n\nIn addition, ensure that\n  - GASP header, unfragmented encapsulation header, or fragment\n    encapsulation header actually exists before we access it,\n  - the encapsulated datagram or fragment is of nonzero size.\n\nReported-by: Eyal Itkin <eyal.itkin@gmail.com>\nReviewed-by: Eyal Itkin <eyal.itkin@gmail.com>\nFixes: CVE 2016-8633\nCc: stable@vger.kernel.org\nSigned-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>\n(cherry picked from commit 667121ace9dbafb368618dbabcf07901c962ddac)\nSigned-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>\n---\n\nNotes:\n    Only Trusty still needs the fix for this CVE. 
Cherry pick applies cleanly,\n    compile tested.\n    \n    Kleber\n\n drivers/firewire/net.c | 51 ++++++++++++++++++++++++++++++++++----------------\n 1 file changed, 35 insertions(+), 16 deletions(-)","diff":"diff --git a/drivers/firewire/net.c b/drivers/firewire/net.c\nindex 4af0a7bad7f2..641eeab43c57 100644\n--- a/drivers/firewire/net.c\n+++ b/drivers/firewire/net.c\n@@ -591,6 +591,9 @@ static int fwnet_incoming_packet(struct fwnet_device *dev, __be32 *buf, int len,\n \tint retval;\n \tu16 ether_type;\n \n+\tif (len <= RFC2374_UNFRAG_HDR_SIZE)\n+\t\treturn 0;\n+\n \thdr.w0 = be32_to_cpu(buf[0]);\n \tlf = fwnet_get_hdr_lf(&hdr);\n \tif (lf == RFC2374_HDR_UNFRAG) {\n@@ -615,7 +618,12 @@ static int fwnet_incoming_packet(struct fwnet_device *dev, __be32 *buf, int len,\n \t\treturn fwnet_finish_incoming_packet(net, skb, source_node_id,\n \t\t\t\t\t\t    is_broadcast, ether_type);\n \t}\n+\n \t/* A datagram fragment has been received, now the fun begins. */\n+\n+\tif (len <= RFC2374_FRAG_HDR_SIZE)\n+\t\treturn 0;\n+\n \thdr.w1 = ntohl(buf[1]);\n \tbuf += 2;\n \tlen -= RFC2374_FRAG_HDR_SIZE;\n@@ -629,6 +637,9 @@ static int fwnet_incoming_packet(struct fwnet_device *dev, __be32 *buf, int len,\n \tdatagram_label = fwnet_get_hdr_dgl(&hdr);\n \tdg_size = fwnet_get_hdr_dg_size(&hdr); /* ??? 
+ 1 */\n \n+\tif (fg_off + len > dg_size)\n+\t\treturn 0;\n+\n \tspin_lock_irqsave(&dev->lock, flags);\n \n \tpeer = fwnet_peer_find_by_node_id(dev, source_node_id, generation);\n@@ -735,6 +746,22 @@ static void fwnet_receive_packet(struct fw_card *card, struct fw_request *r,\n \tfw_send_response(card, r, rcode);\n }\n \n+static int gasp_source_id(__be32 *p)\n+{\n+\treturn be32_to_cpu(p[0]) >> 16;\n+}\n+\n+static u32 gasp_specifier_id(__be32 *p)\n+{\n+\treturn (be32_to_cpu(p[0]) & 0xffff) << 8 |\n+\t       (be32_to_cpu(p[1]) & 0xff000000) >> 24;\n+}\n+\n+static u32 gasp_version(__be32 *p)\n+{\n+\treturn be32_to_cpu(p[1]) & 0xffffff;\n+}\n+\n static void fwnet_receive_broadcast(struct fw_iso_context *context,\n \t\tu32 cycle, size_t header_length, void *header, void *data)\n {\n@@ -744,9 +771,6 @@ static void fwnet_receive_broadcast(struct fw_iso_context *context,\n \t__be32 *buf_ptr;\n \tint retval;\n \tu32 length;\n-\tu16 source_node_id;\n-\tu32 specifier_id;\n-\tu32 ver;\n \tunsigned long offset;\n \tunsigned long flags;\n \n@@ -763,22 +787,17 @@ static void fwnet_receive_broadcast(struct fw_iso_context *context,\n \n \tspin_unlock_irqrestore(&dev->lock, flags);\n \n-\tspecifier_id =    (be32_to_cpu(buf_ptr[0]) & 0xffff) << 8\n-\t\t\t| (be32_to_cpu(buf_ptr[1]) & 0xff000000) >> 24;\n-\tver = be32_to_cpu(buf_ptr[1]) & 0xffffff;\n-\tsource_node_id = be32_to_cpu(buf_ptr[0]) >> 16;\n-\n-\tif (specifier_id == IANA_SPECIFIER_ID &&\n-\t    (ver == RFC2734_SW_VERSION\n+\tif (length > IEEE1394_GASP_HDR_SIZE &&\n+\t    gasp_specifier_id(buf_ptr) == IANA_SPECIFIER_ID &&\n+\t    (gasp_version(buf_ptr) == RFC2734_SW_VERSION\n #if IS_ENABLED(CONFIG_IPV6)\n-\t     || ver == RFC3146_SW_VERSION\n+\t     || gasp_version(buf_ptr) == RFC3146_SW_VERSION\n #endif\n-\t    )) {\n-\t\tbuf_ptr += 2;\n-\t\tlength -= IEEE1394_GASP_HDR_SIZE;\n-\t\tfwnet_incoming_packet(dev, buf_ptr, length, source_node_id,\n+\t    ))\n+\t\tfwnet_incoming_packet(dev, buf_ptr + 2,\n+\t\t\t\t      length - 
IEEE1394_GASP_HDR_SIZE,\n+\t\t\t\t      gasp_source_id(buf_ptr),\n \t\t\t\t      context->card->generation, true);\n-\t}\n \n \tpacket.payload_length = dev->rcv_buffer_size;\n \tpacket.interrupt = 1;\n","prefixes":["Trusty","SRU","CVE-2016-8633"]}
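Review bot: in the first hunk of fwnet_incoming_packet() (@@ -591), the new `if (len <= RFC2374_UNFRAG_HDR_SIZE) return 0;` rejects the frame silently; since this is the path a malformed or empty encapsulation header now takes, consider counting the drop (an rx_dropped style counter) or emitting a rate-limited debug message so a stream of bad frames is observable rather than invisible. A one-line comment would also help: `<=` rather than `<` is deliberate, because a header with no payload is rejected on purpose, matching the "nonzero size" requirement in the description.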
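Review bot: in the second hunk (@@ -615), the `if (len <= RFC2374_FRAG_HDR_SIZE) return 0;` guard is placed correctly, immediately before `hdr.w1 = ntohl(buf[1]);`, which is the first read of the second header word; the earlier check only guarantees len > RFC2374_UNFRAG_HDR_SIZE, so a packet long enough for the unfragmented header but shorter than the fragment header would otherwise read past the buffer. Pre-existing but visible in the context: buf[0] is decoded with be32_to_cpu() and buf[1] with ntohl(); they are equivalent here, but using one helper consistently would read better.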
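Review bot: the `if (fg_off + len > dg_size) return 0;` check in the third hunk (@@ -629) is the actual overflow fix and is correctly evaluated before spin_lock_irqsave(), so a bad fragment is rejected without touching peer or partial-datagram state. Its correctness depends on dg_size being the real datagram size, and the context line still carries the stale `/* ??? + 1 */` comment next to fwnet_get_hdr_dg_size(); please confirm that helper already applies the "+1" (if it did not, a legitimate final fragment with fg_off + len == datagram_size would be dropped and reassembly would never complete) and resolve or remove that comment in the same patch.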
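Review bot: the new helpers in the fourth hunk (@@ -735) read p[0] and p[1] unconditionally, so they deserve a comment stating that the caller must first verify length > IEEE1394_GASP_HDR_SIZE (which the later hunk does). gasp_source_id() also returns int while the local it replaces was `u16 source_node_id` and the value is passed as the 16-bit source_node_id argument; returning u16 would document the width and avoid a silent narrowing conversion.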
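Review bot: in the last hunk (@@ -763), `length > IEEE1394_GASP_HDR_SIZE` is correctly the first operand of the && chain, so gasp_specifier_id() and gasp_version() never dereference buf_ptr on a short GASP packet. Style point: removing the braces leaves a multi-line condition (containing an #if block) followed by a multi-line call as the lone body; keeping the braces here would make the body boundary obvious and is acceptable kernel style for a statement that spans several lines. As with the earlier hunks, a packet failing this check falls through silently to re-queueing the buffer; a drop counter or rate-limited debug message would make malformed broadcasts observable.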