[linux] 01/01: Add follow-up fixes for CVE-2017-9074

debian-kernel at lists.debian.org debian-kernel at lists.debian.org
Thu Jun 8 14:44:29 UTC 2017 

This is an automated email from the git hooks/post-receive script.

benh pushed a commit to branch jessie-security
in repository linux.

commit 3e771a1f1758c0dd529e232bdf9a6ad8ba64ac1b
Author: Ben Hutchings <ben at decadent.org.uk>
Date:   Thu Jun 8 15:44:09 2017 +0100

    Add follow-up fixes for CVE-2017-9074
---
 debian/changelog                                   |  2 ++
 .../all/ipv6-fix-leak-in-ipv6_gso_segment.patch    | 30 ++++++++++++++++
 ...andle-errors-reported-by-xfrm6_find_1stfr.patch | 40 ++++++++++++++++++++++
 debian/patches/series                              |  2 ++
 4 files changed, 74 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 5da0d83..d4315dc 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -13,6 +13,8 @@ linux (3.16.43-2+deb8u1) UNRELEASED; urgency=medium
   * USB: serial: omninet: fix reference leaks at open (CVE-2017-8925)
   * ipv6: Prevent overrun when parsing v6 header options (CVE-2017-9074)
   * ipv6: Check ip6_find_1stfragopt() return value properly.
+  * ipv6: xfrm: Handle errors reported by xfrm6_find_1stfragopt()
+  * ipv6: Fix leak in ipv6_gso_segment().
   * sctp: do not inherit ipv6_{mc|ac|fl}_list from parent (CVE-2017-9075)
   * ipv6/dccp: do not inherit ipv6_mc_list from parent (CVE-2017-9076,
     CVE-2017-9077)
diff --git a/debian/patches/bugfix/all/ipv6-fix-leak-in-ipv6_gso_segment.patch b/debian/patches/bugfix/all/ipv6-fix-leak-in-ipv6_gso_segment.patch
new file mode 100644
index 0000000..6ba3fc2
--- /dev/null
+++ b/debian/patches/bugfix/all/ipv6-fix-leak-in-ipv6_gso_segment.patch
@@ -0,0 +1,30 @@
+From: "David S. Miller" <davem at davemloft.net>
+Date: Sun, 4 Jun 2017 21:41:10 -0400
+Subject: ipv6: Fix leak in ipv6_gso_segment().
+Origin: https://git.kernel.org/linus/e3e86b5119f81e5e2499bea7ea1ebe8ac6aab789
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-9074
+
+If ip6_find_1stfragopt() fails and we return an error we have to free
+up 'segs' because nobody else is going to.
+
+Fixes: 2423496af35d ("ipv6: Prevent overrun when parsing v6 header options")
+Reported-by: Ben Hutchings <ben at decadent.org.uk>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+ net/ipv6/ip6_offload.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/ipv6/ip6_offload.c
++++ b/net/ipv6/ip6_offload.c
+@@ -144,8 +144,10 @@ static struct sk_buff *ipv6_gso_segment(
+ 
+ 		if (udpfrag) {
+ 			int err = ip6_find_1stfragopt(skb, &prevhdr);
+-			if (err < 0)
++			if (err < 0) {
++				kfree_skb_list(segs);
+ 				return ERR_PTR(err);
++			}
+ 			fptr = (struct frag_hdr *)((u8 *)ipv6h + err);
+ 			fptr->frag_off = htons(offset);
+ 			if (skb->next != NULL)
diff --git a/debian/patches/bugfix/all/ipv6-xfrm-handle-errors-reported-by-xfrm6_find_1stfr.patch b/debian/patches/bugfix/all/ipv6-xfrm-handle-errors-reported-by-xfrm6_find_1stfr.patch
new file mode 100644
index 0000000..02ea18f
--- /dev/null
+++ b/debian/patches/bugfix/all/ipv6-xfrm-handle-errors-reported-by-xfrm6_find_1stfr.patch
@@ -0,0 +1,40 @@
+From: Ben Hutchings <ben at decadent.org.uk>
+Date: Wed, 31 May 2017 13:15:41 +0100
+Subject: ipv6: xfrm: Handle errors reported by xfrm6_find_1stfragopt()
+Origin: https://git.kernel.org/linus/6e80ac5cc992ab6256c3dae87f7e57db15e1a58c
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-9074
+
+xfrm6_find_1stfragopt() may now return an error code and we must
+not treat it as a length.
+
+Fixes: 2423496af35d ("ipv6: Prevent overrun when parsing v6 header options")
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+Acked-by: Craig Gallek <kraig at google.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+ net/ipv6/xfrm6_mode_ro.c        | 2 ++
+ net/ipv6/xfrm6_mode_transport.c | 2 ++
+ 2 files changed, 4 insertions(+)
+
+--- a/net/ipv6/xfrm6_mode_ro.c
++++ b/net/ipv6/xfrm6_mode_ro.c
+@@ -47,6 +47,8 @@ static int xfrm6_ro_output(struct xfrm_s
+ 	iph = ipv6_hdr(skb);
+ 
+ 	hdr_len = x->type->hdr_offset(x, skb, &prevhdr);
++	if (hdr_len < 0)
++		return hdr_len;
+ 	skb_set_mac_header(skb, (prevhdr - x->props.header_len) - skb->data);
+ 	skb_set_network_header(skb, -x->props.header_len);
+ 	skb->transport_header = skb->network_header + hdr_len;
+--- a/net/ipv6/xfrm6_mode_transport.c
++++ b/net/ipv6/xfrm6_mode_transport.c
+@@ -28,6 +28,8 @@ static int xfrm6_transport_output(struct
+ 	iph = ipv6_hdr(skb);
+ 
+ 	hdr_len = x->type->hdr_offset(x, skb, &prevhdr);
++	if (hdr_len < 0)
++		return hdr_len;
+ 	skb_set_mac_header(skb, (prevhdr - x->props.header_len) - skb->data);
+ 	skb_set_network_header(skb, -x->props.header_len);
+ 	skb->transport_header = skb->network_header + hdr_len;
diff --git a/debian/patches/series b/debian/patches/series
index 4cd00cd..8b560f7 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -705,6 +705,8 @@ bugfix/all/usb-serial-io_ti-fix-information-leak-in-completion-.patch
 bugfix/all/usb-serial-omninet-fix-reference-leaks-at-open.patch
 bugfix/all/ipv6-prevent-overrun-when-parsing-v6-header-options.patch
 bugfix/all/ipv6-check-ip6_find_1stfragopt-return-value-properly.patch
+bugfix/all/ipv6-xfrm-handle-errors-reported-by-xfrm6_find_1stfr.patch
+bugfix/all/ipv6-fix-leak-in-ipv6_gso_segment.patch
 bugfix/all/sctp-do-not-inherit-ipv6_-mc-ac-fl-_list-from-parent.patch
 bugfix/all/ipv6-dccp-do-not-inherit-ipv6_mc_list-from-parent.patch
 bugfix/all/ipv6-fix-out-of-bound-writes-in-__ip6_append_data.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git

More information about the Kernel-svn-changes mailing list