[linux] 01/01: Add follow-up fixes for CVE-2017-9074
debian-kernel at lists.debian.org
debian-kernel at lists.debian.org
Thu Jun 8 14:54:55 UTC 2017
This is an automated email from the git hooks/post-receive script.
benh pushed a commit to branch wheezy-security
in repository linux.
commit c6e466618fe504d82898268baf46fa6a62376243
Author: Ben Hutchings <ben at decadent.org.uk>
Date: Thu Jun 8 15:54:26 2017 +0100
Add follow-up fixes for CVE-2017-9074
---
debian/changelog | 2 ++
.../all/ipv6-fix-leak-in-ipv6_gso_segment.patch | 33 ++++++++++++++++++
...andle-errors-reported-by-xfrm6_find_1stfr.patch | 40 ++++++++++++++++++++++
debian/patches/series | 2 ++
4 files changed, 77 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index 097796e..2369a69 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -12,6 +12,8 @@ linux (3.2.88-2) UNRELEASED; urgency=medium
* USB: serial: omninet: fix reference leaks at open (CVE-2017-8925)
* ipv6: Prevent overrun when parsing v6 header options (CVE-2017-9074)
* ipv6: Check ip6_find_1stfragopt() return value properly.
+ * ipv6: xfrm: Handle errors reported by xfrm6_find_1stfragopt()
+ * ipv6: Fix leak in ipv6_gso_segment().
* sctp: do not inherit ipv6_{mc|ac|fl}_list from parent (CVE-2017-9075)
* ipv6/dccp: do not inherit ipv6_mc_list from parent (CVE-2017-9076,
CVE-2017-9077)
diff --git a/debian/patches/bugfix/all/ipv6-fix-leak-in-ipv6_gso_segment.patch b/debian/patches/bugfix/all/ipv6-fix-leak-in-ipv6_gso_segment.patch
new file mode 100644
index 0000000..873a8fb
--- /dev/null
+++ b/debian/patches/bugfix/all/ipv6-fix-leak-in-ipv6_gso_segment.patch
@@ -0,0 +1,33 @@
+From: "David S. Miller" <davem at davemloft.net>
+Date: Sun, 4 Jun 2017 21:41:10 -0400
+Subject: ipv6: Fix leak in ipv6_gso_segment().
+Origin: https://git.kernel.org/linus/e3e86b5119f81e5e2499bea7ea1ebe8ac6aab789
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-9074
+
+If ip6_find_1stfragopt() fails and we return an error we have to free
+up 'segs' because nobody else is going to.
+
+Fixes: 2423496af35d ("ipv6: Prevent overrun when parsing v6 header options")
+Reported-by: Ben Hutchings <ben at decadent.org.uk>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+[bwh: Backported to 3.2:
+ - Use skb_drop_list() instead of kfree_skb_list()
+ - Adjust filename, context]
+---
+ net/ipv6/af_inet6.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/ipv6/af_inet6.c
++++ b/net/ipv6/af_inet6.c
+@@ -824,8 +824,10 @@ static struct sk_buff *ipv6_gso_segment(
+ sizeof(*ipv6h));
+ if (proto == IPPROTO_UDP) {
+ int err = ip6_find_1stfragopt(skb, &prevhdr);
+- if (err < 0)
++ if (err < 0) {
++ skb_drop_list(&segs);
+ return ERR_PTR(err);
++ }
+ fptr = (struct frag_hdr *)(skb_network_header(skb) +
+ err);
+ fptr->frag_off = htons(offset);
diff --git a/debian/patches/bugfix/all/ipv6-xfrm-handle-errors-reported-by-xfrm6_find_1stfr.patch b/debian/patches/bugfix/all/ipv6-xfrm-handle-errors-reported-by-xfrm6_find_1stfr.patch
new file mode 100644
index 0000000..4741678
--- /dev/null
+++ b/debian/patches/bugfix/all/ipv6-xfrm-handle-errors-reported-by-xfrm6_find_1stfr.patch
@@ -0,0 +1,40 @@
+From: Ben Hutchings <ben at decadent.org.uk>
+Date: Wed, 31 May 2017 13:15:41 +0100
+Subject: ipv6: xfrm: Handle errors reported by xfrm6_find_1stfragopt()
+Origin: https://git.kernel.org/linus/6e80ac5cc992ab6256c3dae87f7e57db15e1a58c
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-9074
+
+xfrm6_find_1stfragopt() may now return an error code and we must
+not treat it as a length.
+
+Fixes: 2423496af35d ("ipv6: Prevent overrun when parsing v6 header options")
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+Acked-by: Craig Gallek <kraig at google.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+ net/ipv6/xfrm6_mode_ro.c | 2 ++
+ net/ipv6/xfrm6_mode_transport.c | 2 ++
+ 2 files changed, 4 insertions(+)
+
+--- a/net/ipv6/xfrm6_mode_ro.c
++++ b/net/ipv6/xfrm6_mode_ro.c
+@@ -48,6 +48,8 @@ static int xfrm6_ro_output(struct xfrm_s
+ iph = ipv6_hdr(skb);
+
+ hdr_len = x->type->hdr_offset(x, skb, &prevhdr);
++ if (hdr_len < 0)
++ return hdr_len;
+ skb_set_mac_header(skb, (prevhdr - x->props.header_len) - skb->data);
+ skb_set_network_header(skb, -x->props.header_len);
+ skb->transport_header = skb->network_header + hdr_len;
+--- a/net/ipv6/xfrm6_mode_transport.c
++++ b/net/ipv6/xfrm6_mode_transport.c
+@@ -28,6 +28,8 @@ static int xfrm6_transport_output(struct
+ iph = ipv6_hdr(skb);
+
+ hdr_len = x->type->hdr_offset(x, skb, &prevhdr);
++ if (hdr_len < 0)
++ return hdr_len;
+ skb_set_mac_header(skb, (prevhdr - x->props.header_len) - skb->data);
+ skb_set_network_header(skb, -x->props.header_len);
+ skb->transport_header = skb->network_header + hdr_len;
diff --git a/debian/patches/series b/debian/patches/series
index 1169ce9..a371fc7 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1137,6 +1137,8 @@ bugfix/all/usb-serial-io_ti-fix-information-leak-in-completion-.patch
bugfix/all/usb-serial-omninet-fix-reference-leaks-at-open.patch
bugfix/all/ipv6-prevent-overrun-when-parsing-v6-header-options.patch
bugfix/all/ipv6-check-ip6_find_1stfragopt-return-value-properly.patch
+bugfix/all/ipv6-xfrm-handle-errors-reported-by-xfrm6_find_1stfr.patch
+bugfix/all/ipv6-fix-leak-in-ipv6_gso_segment.patch
bugfix/all/sctp-do-not-inherit-ipv6_-mc-ac-fl-_list-from-parent.patch
bugfix/all/ipv6-dccp-do-not-inherit-ipv6_mc_list-from-parent.patch
bugfix/all/ipv6-fix-out-of-bound-writes-in-__ip6_append_data.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git
More information about the Kernel-svn-changes
mailing list