{"id":810547,"url":"http://patchwork.ozlabs.org/api/patches/810547/?format=json","web_url":"http://patchwork.ozlabs.org/project/ubuntu-kernel/patch/20170906120208.10561-2-kleber.souza@canonical.com/","project":{"id":15,"url":"http://patchwork.ozlabs.org/api/projects/15/?format=json","name":"Ubuntu Kernel","link_name":"ubuntu-kernel","list_id":"kernel-team.lists.ubuntu.com","list_email":"kernel-team@lists.ubuntu.com","web_url":null,"scm_url":null,"webscm_url":null,"list_archive_url":"","list_archive_url_format":"","commit_url_format":""},"msgid":"<20170906120208.10561-2-kleber.souza@canonical.com>","list_archive_url":null,"date":"2017-09-06T12:02:08","name":"[Trusty,SRU,CVE-2016-8632,1/1] tipc: check minimum bearer MTU","commit_ref":null,"pull_url":null,"state":"new","archived":false,"hash":"289616747894cade7fe7b9fb874c1d3ca7626ca4","submitter":{"id":71419,"url":"http://patchwork.ozlabs.org/api/people/71419/?format=json","name":"Kleber Sacilotto de Souza","email":"kleber.souza@canonical.com"},"delegate":null,"mbox":"http://patchwork.ozlabs.org/project/ubuntu-kernel/patch/20170906120208.10561-2-kleber.souza@canonical.com/mbox/","series":[{"id":1779,"url":"http://patchwork.ozlabs.org/api/series/1779/?format=json","web_url":"http://patchwork.ozlabs.org/project/ubuntu-kernel/list/?series=1779","date":"2017-09-06T12:02:07","name":"Fix for CVE-2016-8632","version":1,"mbox":"http://patchwork.ozlabs.org/series/1779/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/patches/810547/comments/","check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/810547/checks/","tags":{},"related":[],"headers":{"Return-Path":"","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@bilbo.ozlabs.org","Authentication-Results":"ozlabs.org;\n\tspf=none (mailfrom) smtp.mailfrom=lists.ubuntu.com\n\t(client-ip=91.189.94.19; helo=huckleberry.canonical.com;\n\tenvelope-from=kernel-team-bounces@lists.ubuntu.com;\n\treceiver=)","Received":["from huckleberry.canonical.com (huckleberry.canonical.com\n\t[91.189.94.19])\n\tby ozlabs.org (Postfix) with ESMTP id 3xnMfD6XqVz9sBZ;\n\tWed, 6 Sep 2017 22:02:44 +1000 (AEST)","from localhost ([127.0.0.1] helo=huckleberry.canonical.com)\n\tby huckleberry.canonical.com with esmtp (Exim 4.86_2)\n\t(envelope-from )\n\tid 1dpZ2W-00013r-Up; Wed, 06 Sep 2017 12:02:40 +0000","from youngberry.canonical.com ([91.189.89.112])\n\tby huckleberry.canonical.com with esmtps\n\t(TLS1.0:DHE_RSA_AES_128_CBC_SHA1:128)\n\t(Exim 4.86_2) (envelope-from )\n\tid 1dpZ2M-0000u8-RM\n\tfor kernel-team@lists.ubuntu.com; Wed, 06 Sep 2017 12:02:30 +0000","from mail-wm0-f71.google.com ([74.125.82.71])\n\tby youngberry.canonical.com with esmtps\n\t(TLS1.0:RSA_AES_128_CBC_SHA1:16)\n\t(Exim 4.76) (envelope-from )\n\tid 1dpZ2M-0006b1-CT\n\tfor kernel-team@lists.ubuntu.com; Wed, 06 Sep 2017 12:02:30 +0000","by mail-wm0-f71.google.com with SMTP id f4so6037303wmh.7\n\tfor ;\n\tWed, 06 Sep 2017 05:02:30 -0700 (PDT)","from localhost (pd95c76fe.dip0.t-ipconnect.de. [217.92.118.254])\n\tby smtp.gmail.com with ESMTPSA id\n\tb196sm906898wmd.43.2017.09.06.05.02.25\n\tfor \n\t(version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256);\n\tWed, 06 Sep 2017 05:02:28 -0700 (PDT)"],"X-Google-DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n\td=1e100.net; s=20161025;\n\th=x-gm-message-state:from:to:subject:date:message-id:in-reply-to\n\t:references:mime-version:content-transfer-encoding;\n\tbh=LUH/wIzdJ8EjBCtRzwBkV7gf62lv2rofO5CJ3VpxKm0=;\n\tb=BbAExMvFgzw7Wkf7u8zoDKzybcB8JHK/Z0WlGjf5+Gg4bW2zYTNj/K7SVGBBU2Tyja\n\tlu3x2NWxMLv1fXaI6pXGvtwrZ/3OGmZGKFC9ZA6b7kjEy2aUOu3ay7axNlLNnsBGNfA+\n\t3sYo8R9KdO1J/DpScGi4gc+rpru5wff9u7KwWurhxe0l0f+Xcz7PIWfjSAcproDF7LjU\n\tLn5rU1MidZdb21hpDXE7GyfUo6idqh1fTeNt+MmPXmb7/ga+orowF/ql4y/OC6GqE4b1\n\tPsroYlFjnuU8W4BSDktVBREZxUKMkLP1a61xDMJ7mNsMQQfX1C7VNeD75sHBI9H/RitK\n\tgoWw==","X-Gm-Message-State":"AHPjjUivK4IFM1IXrlyyNR2B5DtqXcAKAJtHWt9g1LsFyoeZRMSg5MSo\n\tSltgLrRnwXHEHoS1BI0x71xWFQcLCux43YT2eW3PpcMe5FsiHeOoaWFelAs+LXVj/igp8krjA9W\n\tGAq/HmKpWS2mZYOjNY86MgbjPUmE5y8Ve","X-Received":["by 10.223.139.146 with SMTP id o18mr1616674wra.236.1504699349753;\n\tWed, 06 Sep 2017 05:02:29 -0700 (PDT)","by 10.223.139.146 with SMTP id o18mr1616662wra.236.1504699349488;\n\tWed, 06 Sep 2017 05:02:29 -0700 (PDT)"],"X-Google-Smtp-Source":"ADKCNb5Cgis7/ojHz2ZkrQQnwZNt8z3ftQAWq2xG92yGi5bb9ll+2GGQrUK78VwkjmyApmrjnWMtrA==","From":"Kleber Sacilotto de Souza ","To":"kernel-team@lists.ubuntu.com","Subject":"[Trusty SRU][CVE-2016-8632][PATCH 1/1] tipc: check minimum bearer\n\tMTU","Date":"Wed, 6 Sep 2017 14:02:08 +0200","Message-Id":"<20170906120208.10561-2-kleber.souza@canonical.com>","X-Mailer":"git-send-email 2.14.1","In-Reply-To":"<20170906120208.10561-1-kleber.souza@canonical.com>","References":"<20170906120208.10561-1-kleber.souza@canonical.com>","MIME-Version":"1.0","X-BeenThere":"kernel-team@lists.ubuntu.com","X-Mailman-Version":"2.1.20","Precedence":"list","List-Id":"Kernel team discussions ","List-Unsubscribe":",\n\t","List-Archive":"","List-Post":"","List-Help":"","List-Subscribe":",\n\t","Content-Type":"text/plain; charset=\"utf-8\"","Content-Transfer-Encoding":"base64","Errors-To":"kernel-team-bounces@lists.ubuntu.com","Sender":"\"kernel-team\" "},"content":"From: Michal Kubeček \n\nQian Zhang (张谦) reported a potential socket buffer overflow in\ntipc_msg_build() which is also known as CVE-2016-8632: due to\ninsufficient checks, a buffer overflow can occur if MTU is too short for\neven tipc headers. As anyone can set device MTU in a user/net namespace,\nthis issue can be abused by a regular user.\n\nAs agreed in the discussion on Ben Hutchings' original patch, we should\ncheck the MTU at the moment a bearer is attached rather than for each\nprocessed packet. We also need to repeat the check when bearer MTU is\nadjusted to new device MTU. UDP case also needs a check to avoid\noverflow when calculating bearer MTU.\n\nFixes: b97bf3fd8f6a (\"[TIPC] Initial merge\")\nSigned-off-by: Michal Kubecek \nReported-by: Qian Zhang (张谦) \nAcked-by: Ying Xue \nSigned-off-by: David S. Miller \n\nCVE-2016-8632\n(backported from commit 3de81b758853f0b29c61e246679d20b513c4cfec)\n[kleber:\n - Adjust context\n - Duplicate macro definitions in bearer.h to avoid mutual inclusion\n - Duplicate bearer changes for eth and ib media\n - Drop changes in udp_media.c]\nSigned-off-by: Kleber Sacilotto de Souza \n---\n net/tipc/bearer.h | 16 ++++++++++++++++\n net/tipc/eth_media.c | 11 +++++++++--\n net/tipc/ib_media.c | 11 +++++++++--\n 3 files changed, 34 insertions(+), 4 deletions(-)","diff":"diff --git a/net/tipc/bearer.h b/net/tipc/bearer.h\nindex e5e04be6fffa..cc8bc3b7cb6f 100644\n--- a/net/tipc/bearer.h\n+++ b/net/tipc/bearer.h\n@@ -58,6 +58,13 @@\n #define TIPC_MEDIA_TYPE_ETH\t1\n #define TIPC_MEDIA_TYPE_IB\t2\n \n+/* Message header sizes from msg.h - duplicated to avoid mutual inclusion */\n+#define INT_H_SIZE 40\n+#define MAX_H_SIZE 60\n+\n+/* minimum bearer MTU */\n+#define TIPC_MIN_BEARER_MTU\t(MAX_H_SIZE + INT_H_SIZE)\n+\n /**\n * struct tipc_media_addr - destination address used by TIPC bearers\n * @value: address info (format defined by media)\n@@ -210,4 +217,13 @@ static inline void tipc_bearer_send(struct tipc_bearer *b, struct sk_buff *buf,\n \tb->media->send_msg(buf, b, dest);\n }\n \n+/* check if device MTU is too low for tipc headers */\n+static inline bool tipc_mtu_bad(struct net_device *dev, unsigned int reserve)\n+{\n+\tif (dev->mtu >= TIPC_MIN_BEARER_MTU + reserve)\n+\t\treturn false;\n+\tnetdev_warn(dev, \"MTU too low for tipc bearer\\n\");\n+\treturn true;\n+}\n+\n #endif\t/* _TIPC_BEARER_H */\ndiff --git a/net/tipc/eth_media.c b/net/tipc/eth_media.c\nindex f80d59f5a161..3fe074af15ec 100644\n--- a/net/tipc/eth_media.c\n+++ b/net/tipc/eth_media.c\n@@ -180,6 +180,10 @@ static int enable_media(struct tipc_bearer *tb_ptr)\n \tdev = dev_get_by_name(&init_net, driver_name);\n \tif (!dev)\n \t\treturn -ENODEV;\n+\tif (tipc_mtu_bad(dev, 0)) {\n+\t\tdev_put(dev);\n+\t\treturn -EINVAL;\n+\t}\n \n \t/* Create Ethernet bearer for device */\n \teb_ptr->dev = dev;\n@@ -258,8 +262,6 @@ static int recv_notification(struct notifier_block *nb, unsigned long evt,\n \tif (!eb_ptr->bearer)\n \t\treturn NOTIFY_DONE;\t\t/* bearer had been disabled */\n \n-\teb_ptr->bearer->mtu = dev->mtu;\n-\n \tswitch (evt) {\n \tcase NETDEV_CHANGE:\n \t\tif (netif_carrier_ok(dev))\n@@ -274,6 +276,11 @@ static int recv_notification(struct notifier_block *nb, unsigned long evt,\n \t\ttipc_block_bearer(eb_ptr->bearer);\n \t\tbreak;\n \tcase NETDEV_CHANGEMTU:\n+\t\tif (tipc_mtu_bad(dev, 0)) {\n+\t\t\ttipc_disable_bearer(eb_ptr->bearer->name);\n+\t\t\tbreak;\n+\t\t}\n+\t\teb_ptr->bearer->mtu = dev->mtu;\n \tcase NETDEV_CHANGEADDR:\n \t\ttipc_block_bearer(eb_ptr->bearer);\n \t\ttipc_continue(eb_ptr->bearer);\ndiff --git a/net/tipc/ib_media.c b/net/tipc/ib_media.c\nindex c13989297464..c34380b9357c 100644\n--- a/net/tipc/ib_media.c\n+++ b/net/tipc/ib_media.c\n@@ -173,6 +173,10 @@ static int enable_media(struct tipc_bearer *tb_ptr)\n \tdev = dev_get_by_name(&init_net, driver_name);\n \tif (!dev)\n \t\treturn -ENODEV;\n+\tif (tipc_mtu_bad(dev, 0)) {\n+\t\tdev_put(dev);\n+\t\treturn -EINVAL;\n+\t}\n \n \t/* Create InfiniBand bearer for device */\n \tib_ptr->dev = dev;\n@@ -251,8 +255,6 @@ static int recv_notification(struct notifier_block *nb, unsigned long evt,\n \tif (!ib_ptr->bearer)\n \t\treturn NOTIFY_DONE;\t\t/* bearer had been disabled */\n \n-\tib_ptr->bearer->mtu = dev->mtu;\n-\n \tswitch (evt) {\n \tcase NETDEV_CHANGE:\n \t\tif (netif_carrier_ok(dev))\n@@ -267,6 +269,11 @@ static int recv_notification(struct notifier_block *nb, unsigned long evt,\n \t\ttipc_block_bearer(ib_ptr->bearer);\n \t\tbreak;\n \tcase NETDEV_CHANGEMTU:\n+\t\tif (tipc_mtu_bad(dev, 0)) {\n+\t\t\ttipc_disable_bearer(ib_ptr->bearer->name);\n+\t\t\tbreak;\n+\t\t}\n+\t\tib_ptr->bearer->mtu = dev->mtu;\n \tcase NETDEV_CHANGEADDR:\n \t\ttipc_block_bearer(ib_ptr->bearer);\n \t\ttipc_continue(ib_ptr->bearer);\n","prefixes":["Trusty","SRU","CVE-2016-8632","1/1"]}