Fix CVE-2017-1000111 and CVE-2017-1000112

2017-08-11 16:14:25 -05:00 · 2017-08-11 16:14:25 -05:00 · 4ad810e16c
parent a17cbdc004
commit 4ad810e16c
3 changed files with 158 additions and 0 deletions
--- a/kernel.spec
+++ b/kernel.spec
@ -678,6 +678,12 @@ Patch706: Fix-for-module-sig-verification.patch
 # rhbz 1462381
 Patch707: Back-out-qxl-atomic-delay.patch

+# CVE-2017-1000111 rhbz 1479304 1480464
+Patch708: net-packet-fix-tp_reserve-race-in-packet_set_ring.patch
+
+# CVE-2017-1000112 rhbz 1479307 1480465
+Patch709: udp-consistently-apply-ufo-or-fragmentation.patch
+
 # END OF PATCH DEFINITIONS

 %endif
@ -2253,6 +2259,8 @@ fi
 %changelog
 * Fri Aug 11 2017 Justin M. Forbes <jforbes@fedoraproject.org> - 4.12.6-300
 - Linux v4.12.6
+- Fix CVE-2017-1000111 (rhbz 1479304 1480464)
+- Fix CVE-2017-1000112 (rhbz 1479307 1480465)

 * Fri Aug 11 2017 Dan Horak <dan@danny.cz>
 - disable SWIOTLB on Power (#1480380)
--- a/net-packet-fix-tp_reserve-race-in-packet_set_ring.patch
+++ b/net-packet-fix-tp_reserve-race-in-packet_set_ring.patch
@ -0,0 +1,57 @@
+From patchwork Thu Aug 10 16:41:58 2017
+Content-Type: text/plain; charset="utf-8"
+MIME-Version: 1.0
+Content-Transfer-Encoding: 7bit
+Subject: [net] packet: fix tp_reserve race in packet_set_ring
+From: Willem de Bruijn <willemdebruijn.kernel@gmail.com>
+X-Patchwork-Id: 800274
+X-Patchwork-Delegate: davem@davemloft.net
+Message-Id: <20170810164158.52213-1-willemdebruijn.kernel@gmail.com>
+To: netdev@vger.kernel.org
+Cc: davem@davemloft.net, andreyknvl@gmail.com,
+ Willem de Bruijn <willemb@google.com>
+Date: Thu, 10 Aug 2017 12:41:58 -0400
+
+From: Willem de Bruijn <willemb@google.com>
+
+Updates to tp_reserve can race with reads of the field in
+packet_set_ring. Avoid this by holding the socket lock during
+updates in setsockopt PACKET_RESERVE.
+
+This bug was discovered by syzkaller.
+
+Fixes: 8913336a7e8d ("packet: add PACKET_RESERVE sockopt")
+Reported-by: Andrey Konovalov <andreyknvl@google.com>
+Signed-off-by: Willem de Bruijn <willemb@google.com>
+---
+ net/packet/af_packet.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
+index 0615c2a950fa..008a45ca3112 100644
+--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
+@@ -3700,14 +3700,19 @@ packet_setsockopt(struct socket *sock, int level, int optname, char __user *optv
+ 
+ 		if (optlen != sizeof(val))
+ 			return -EINVAL;
+-		if (po->rx_ring.pg_vec || po->tx_ring.pg_vec)
+-			return -EBUSY;
+ 		if (copy_from_user(&val, optval, sizeof(val)))
+ 			return -EFAULT;
+ 		if (val > INT_MAX)
+ 			return -EINVAL;
+-		po->tp_reserve = val;
+-		return 0;
+		lock_sock(sk);
+		if (po->rx_ring.pg_vec || po->tx_ring.pg_vec) {
+			ret = -EBUSY;
+		} else {
+			po->tp_reserve = val;
+			ret = 0;
+		}
+		release_sock(sk);
+		return ret;
+ 	}
+ 	case PACKET_LOSS:
+ 	{
--- a/udp-consistently-apply-ufo-or-fragmentation.patch
+++ b/udp-consistently-apply-ufo-or-fragmentation.patch
@ -0,0 +1,93 @@
+From 85f1bd9a7b5a79d5baa8bf44af19658f7bf77bfa Mon Sep 17 00:00:00 2001
+From: Willem de Bruijn <willemb@google.com>
+Date: Thu, 10 Aug 2017 12:29:19 -0400
+Subject: udp: consistently apply ufo or fragmentation
+
+When iteratively building a UDP datagram with MSG_MORE and that
+datagram exceeds MTU, consistently choose UFO or fragmentation.
+
+Once skb_is_gso, always apply ufo. Conversely, once a datagram is
+split across multiple skbs, do not consider ufo.
+
+Sendpage already maintains the first invariant, only add the second.
+IPv6 does not have a sendpage implementation to modify.
+
+A gso skb must have a partial checksum, do not follow sk_no_check_tx
+in udp_send_skb.
+
+Found by syzkaller.
+
+Fixes: e89e9cf539a2 ("[IPv4/IPv6]: UFO Scatter-gather approach")
+Reported-by: Andrey Konovalov <andreyknvl@google.com>
+Signed-off-by: Willem de Bruijn <willemb@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+ net/ipv4/ip_output.c  | 8 +++++---
+ net/ipv4/udp.c        | 2 +-
+ net/ipv6/ip6_output.c | 7 ++++---
+ 3 files changed, 10 insertions(+), 7 deletions(-)
+
+diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
+index 50c74cd..e153c40 100644
+--- a/net/ipv4/ip_output.c
+++ b/net/ipv4/ip_output.c
+@@ -965,11 +965,12 @@ static int __ip_append_data(struct sock *sk,
+ 		csummode = CHECKSUM_PARTIAL;
+ 
+ 	cork->length += length;
+-	if ((((length + (skb ? skb->len : fragheaderlen)) > mtu) ||
+-	     (skb && skb_is_gso(skb))) &&
+	if ((skb && skb_is_gso(skb)) ||
+	    (((length + (skb ? skb->len : fragheaderlen)) > mtu) &&
+	    (skb_queue_len(queue) <= 1) &&
+ 	    (sk->sk_protocol == IPPROTO_UDP) &&
+ 	    (rt->dst.dev->features & NETIF_F_UFO) && !dst_xfrm(&rt->dst) &&
+-	    (sk->sk_type == SOCK_DGRAM) && !sk->sk_no_check_tx) {
+	    (sk->sk_type == SOCK_DGRAM) && !sk->sk_no_check_tx)) {
+ 		err = ip_ufo_append_data(sk, queue, getfrag, from, length,
+ 					 hh_len, fragheaderlen, transhdrlen,
+ 					 maxfraglen, flags);
+@@ -1288,6 +1289,7 @@ ssize_t	ip_append_page(struct sock *sk, struct flowi4 *fl4, struct page *page,
+ 		return -EINVAL;
+ 
+ 	if ((size + skb->len > mtu) &&
+	    (skb_queue_len(&sk->sk_write_queue) == 1) &&
+ 	    (sk->sk_protocol == IPPROTO_UDP) &&
+ 	    (rt->dst.dev->features & NETIF_F_UFO)) {
+ 		if (skb->ip_summed != CHECKSUM_PARTIAL)
+diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
+index e6276fa..a7c804f 100644
+--- a/net/ipv4/udp.c
+++ b/net/ipv4/udp.c
+@@ -802,7 +802,7 @@ static int udp_send_skb(struct sk_buff *skb, struct flowi4 *fl4)
+ 	if (is_udplite)  				 /*     UDP-Lite      */
+ 		csum = udplite_csum(skb);
+ 
+-	else if (sk->sk_no_check_tx) {   /* UDP csum disabled */
+	else if (sk->sk_no_check_tx && !skb_is_gso(skb)) {   /* UDP csum off */
+ 
+ 		skb->ip_summed = CHECKSUM_NONE;
+ 		goto send;
+diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
+index 162efba..2dfe50d 100644
+--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
+@@ -1381,11 +1381,12 @@ emsgsize:
+ 	 */
+ 
+ 	cork->length += length;
+-	if ((((length + (skb ? skb->len : headersize)) > mtu) ||
+-	     (skb && skb_is_gso(skb))) &&
+	if ((skb && skb_is_gso(skb)) ||
+	    (((length + (skb ? skb->len : headersize)) > mtu) &&
+	    (skb_queue_len(queue) <= 1) &&
+ 	    (sk->sk_protocol == IPPROTO_UDP) &&
+ 	    (rt->dst.dev->features & NETIF_F_UFO) && !dst_xfrm(&rt->dst) &&
+-	    (sk->sk_type == SOCK_DGRAM) && !udp_get_no_check6_tx(sk)) {
+	    (sk->sk_type == SOCK_DGRAM) && !udp_get_no_check6_tx(sk))) {
+ 		err = ip6_ufo_append_data(sk, queue, getfrag, from, length,
+ 					  hh_len, fragheaderlen, exthdrlen,
+ 					  transhdrlen, mtu, flags, fl6);
+-- 
+cgit v1.1
+