CVE-2017-7277 SCM_TIMESTAMPING_OPT_STATS feature causes out-of-bounds read (rhbz 1436629 1436661)
This commit is contained in:
Justin M. Forbes
parent
66ca893f4f
commit
4f8b69a3a2
|
|
@ -611,6 +611,9 @@ Patch856: genetlink-fix-counting-regression-on-ctrl_dumpfamily.patch
|
|||
#CVE-2017-7261 rhbz 1435719 1435740
|
||||
Patch857: vmwgfx-check-that-number-of-mip-levels-is-above-zero.patch
|
||||
|
||||
#CVE-2017-7277 rhbz 1436629 1436661
|
||||
Patch858: tcp-mark-skbs-with-SCM_TIMESTAMPING_OPT_STATS.patch
|
||||
|
||||
# END OF PATCH DEFINITIONS
|
||||
|
||||
%endif
|
||||
|
|
@ -2180,6 +2183,9 @@ fi
|
|||
#
|
||||
#
|
||||
%changelog
|
||||
* Tue Mar 28 2017 Justin M. Forbes <jforbes@fedoraproject.org>
|
||||
- CVE-2017-7277 SCM_TIMESTAMPING_OPT_STATS feature causes out-of-bounds read (rhbz 1436629 1436661)
|
||||
|
||||
* Mon Mar 27 2017 Justin M. Forbes <jforbes@fedoraproject.org>
|
||||
- CVE-2017-7261 vmwgfx: check that number of mip levels is above zero (rhbz 1435719 1435740)
|
||||
|
||||
|
|
|
|||
|
|
@ -0,0 +1,119 @@
|
|||
From 4ef1b2869447411ad3ef91ad7d4891a83c1a509a Mon Sep 17 00:00:00 2001
|
||||
From: Soheil Hassas Yeganeh <soheil@google.com>
|
||||
Date: Sat, 18 Mar 2017 17:03:00 -0400
|
||||
Subject: [PATCH] tcp: mark skbs with SCM_TIMESTAMPING_OPT_STATS
|
||||
|
||||
SOF_TIMESTAMPING_OPT_STATS can be enabled and disabled
|
||||
while packets are collected on the error queue.
|
||||
So, checking SOF_TIMESTAMPING_OPT_STATS in sk->sk_tsflags
|
||||
is not enough to safely assume that the skb contains
|
||||
OPT_STATS data.
|
||||
|
||||
Add a bit in sock_exterr_skb to indicate whether the
|
||||
skb contains opt_stats data.
|
||||
|
||||
Fixes: 1c885808e456 ("tcp: SOF_TIMESTAMPING_OPT_STATS option for SO_TIMESTAMPING")
|
||||
Reported-by: JongHwan Kim <zzoru007@gmail.com>
|
||||
Signed-off-by: Soheil Hassas Yeganeh <soheil@google.com>
|
||||
Signed-off-by: Eric Dumazet <edumazet@google.com>
|
||||
Signed-off-by: Willem de Bruijn <willemb@google.com>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
---
|
||||
include/linux/errqueue.h | 2 ++
|
||||
net/core/skbuff.c | 17 +++++++++++------
|
||||
net/socket.c | 2 +-
|
||||
3 files changed, 14 insertions(+), 7 deletions(-)
|
||||
|
||||
diff --git a/include/linux/errqueue.h b/include/linux/errqueue.h
|
||||
index 9ca23fc..6fdfc88 100644
|
||||
--- a/include/linux/errqueue.h
|
||||
+++ b/include/linux/errqueue.h
|
||||
@@ -20,6 +20,8 @@ struct sock_exterr_skb {
|
||||
struct sock_extended_err ee;
|
||||
u16 addr_offset;
|
||||
__be16 port;
|
||||
+ u8 opt_stats:1,
|
||||
+ unused:7;
|
||||
};
|
||||
|
||||
#endif
|
||||
diff --git a/net/core/skbuff.c b/net/core/skbuff.c
|
||||
index b1fbd19..9f78109 100644
|
||||
--- a/net/core/skbuff.c
|
||||
+++ b/net/core/skbuff.c
|
||||
@@ -3793,16 +3793,20 @@ EXPORT_SYMBOL(skb_clone_sk);
|
||||
|
||||
static void __skb_complete_tx_timestamp(struct sk_buff *skb,
|
||||
struct sock *sk,
|
||||
- int tstype)
|
||||
+ int tstype,
|
||||
+ bool opt_stats)
|
||||
{
|
||||
struct sock_exterr_skb *serr;
|
||||
int err;
|
||||
|
||||
+ BUILD_BUG_ON(sizeof(struct sock_exterr_skb) > sizeof(skb->cb));
|
||||
+
|
||||
serr = SKB_EXT_ERR(skb);
|
||||
memset(serr, 0, sizeof(*serr));
|
||||
serr->ee.ee_errno = ENOMSG;
|
||||
serr->ee.ee_origin = SO_EE_ORIGIN_TIMESTAMPING;
|
||||
serr->ee.ee_info = tstype;
|
||||
+ serr->opt_stats = opt_stats;
|
||||
if (sk->sk_tsflags & SOF_TIMESTAMPING_OPT_ID) {
|
||||
serr->ee.ee_data = skb_shinfo(skb)->tskey;
|
||||
if (sk->sk_protocol == IPPROTO_TCP &&
|
||||
@@ -3843,7 +3847,7 @@ void skb_complete_tx_timestamp(struct sk_buff *skb,
|
||||
*/
|
||||
if (likely(atomic_inc_not_zero(&sk->sk_refcnt))) {
|
||||
*skb_hwtstamps(skb) = *hwtstamps;
|
||||
- __skb_complete_tx_timestamp(skb, sk, SCM_TSTAMP_SND);
|
||||
+ __skb_complete_tx_timestamp(skb, sk, SCM_TSTAMP_SND, false);
|
||||
sock_put(sk);
|
||||
}
|
||||
}
|
||||
@@ -3854,7 +3858,7 @@ void __skb_tstamp_tx(struct sk_buff *orig_skb,
|
||||
struct sock *sk, int tstype)
|
||||
{
|
||||
struct sk_buff *skb;
|
||||
- bool tsonly;
|
||||
+ bool tsonly, opt_stats = false;
|
||||
|
||||
if (!sk)
|
||||
return;
|
||||
@@ -3867,9 +3871,10 @@ void __skb_tstamp_tx(struct sk_buff *orig_skb,
|
||||
#ifdef CONFIG_INET
|
||||
if ((sk->sk_tsflags & SOF_TIMESTAMPING_OPT_STATS) &&
|
||||
sk->sk_protocol == IPPROTO_TCP &&
|
||||
- sk->sk_type == SOCK_STREAM)
|
||||
+ sk->sk_type == SOCK_STREAM) {
|
||||
skb = tcp_get_timestamping_opt_stats(sk);
|
||||
- else
|
||||
+ opt_stats = true;
|
||||
+ } else
|
||||
#endif
|
||||
skb = alloc_skb(0, GFP_ATOMIC);
|
||||
} else {
|
||||
@@ -3888,7 +3893,7 @@ void __skb_tstamp_tx(struct sk_buff *orig_skb,
|
||||
else
|
||||
skb->tstamp = ktime_get_real();
|
||||
|
||||
- __skb_complete_tx_timestamp(skb, sk, tstype);
|
||||
+ __skb_complete_tx_timestamp(skb, sk, tstype, opt_stats);
|
||||
}
|
||||
EXPORT_SYMBOL_GPL(__skb_tstamp_tx);
|
||||
|
||||
|
||||
diff --git a/net/socket.c b/net/socket.c
|
||||
index 02bd924..84e3f85 100644
|
||||
--- a/net/socket.c
|
||||
+++ b/net/socket.c
|
||||
@@ -697,7 +697,7 @@ void __sock_recv_timestamp(struct msghdr *msg, struct sock *sk,
|
||||
put_cmsg(msg, SOL_SOCKET,
|
||||
SCM_TIMESTAMPING, sizeof(tss), &tss);
|
||||
|
||||
- if (skb->len && (sk->sk_tsflags & SOF_TIMESTAMPING_OPT_STATS))
|
||||
+ if (skb->len && SKB_EXT_ERR(skb)->opt_stats)
|
||||
put_cmsg(msg, SOL_SOCKET, SCM_TIMESTAMPING_OPT_STATS,
|
||||
skb->len, skb->data);
|
||||
}
|
||||
Loading…
Reference in New Issue