Fix CVE-2017-7542 CVE-2017-11473
parent
4713d9bf92
commit
7a432d422d
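--- /dev/null
+++ b/0001-ipv6-avoid-overflow-of-offset-in-ip6_find_1stfragopt.patch
@@ -0,0 +1,54 @@
+From 6399f1fae4ec29fab5ec76070435555e256ca3a6 Mon Sep 17 00:00:00 2001
+From: Sabrina Dubroca <sd@queasysnail.net>
+Date: Wed, 19 Jul 2017 22:28:55 +0200
+Subject: [PATCH] ipv6: avoid overflow of offset in ip6_find_1stfragopt
+
+In some cases, offset can overflow and can cause an infinite loop in
+ip6_find_1stfragopt(). Make it unsigned int to prevent the overflow, and
+cap it at IPV6_MAXPLEN, since packets larger than that should be invalid.
+
+This problem has been here since before the beginning of git history.
+
+Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
+Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+ net/ipv6/output_core.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/net/ipv6/output_core.c b/net/ipv6/output_core.c
+index e9065b8..abb2c30 100644
+--- a/net/ipv6/output_core.c
++++ b/net/ipv6/output_core.c
+@@ -78,7 +78,7 @@ EXPORT_SYMBOL(ipv6_select_ident);
+ 
+ int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr)
+ {
+-	u16 offset = sizeof(struct ipv6hdr);
++	unsigned int offset = sizeof(struct ipv6hdr);
+ 	unsigned int packet_len = skb_tail_pointer(skb) -
+ 				  skb_network_header(skb);
+ 	int found_rhdr = 0;
+@@ -86,6 +86,7 @@ int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr)
+ 
+ 	while (offset <= packet_len) {
+ 		struct ipv6_opt_hdr *exthdr;
++		unsigned int len;
+ 
+ 		switch (**nexthdr) {
+ 
+@@ -111,7 +112,10 @@ int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr)
+ 
+ 		exthdr = (struct ipv6_opt_hdr *)(skb_network_header(skb) +
+ 						 offset);
+-		offset += ipv6_optlen(exthdr);
++		len = ipv6_optlen(exthdr);
++		if (len + offset >= IPV6_MAXPLEN)
++			return -EINVAL;
++		offset += len;
+ 		*nexthdr = &exthdr->nexthdr;
+ 	}
+ 
+-- 
+2.9.4
+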
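Review bot: The new cap `if (len + offset >= IPV6_MAXPLEN)` rejects a packet whose extension headers end exactly at IPV6_MAXPLEN, while the description only says packets larger than that should be invalid; `if (len + offset > IPV6_MAXPLEN)` matches the stated intent and stops the largest legal non-jumbo payload from being failed with -EINVAL. The walk is still bounded by the skb through `while (offset <= packet_len)`, so the cap only has to guard against the old u16 wrap-around, and the off-by-one costs a valid packet rather than safety. A one-line comment above the check, e.g. `/* offset cannot wrap any more, but a payload above IPV6_MAXPLEN is bogus */`, would also record why the cap exists next to the bound check. The body of ip6_find_1stfragopt(), including the switch cases that advance through the remaining header types, continues outside the hunk.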
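--- /dev/null
+++ b/CVE-2017-11473.patch
@@ -0,0 +1,48 @@
+From 70ac67826602edf8c0ccb413e5ba7eacf597a60c Mon Sep 17 00:00:00 2001
+From: Seunghun Han <kkamagui@gmail.com>
+Date: Tue, 18 Jul 2017 20:03:51 +0900
+Subject: x86/acpi: Prevent out of bound access caused by broken ACPI tables
+
+The bus_irq argument of mp_override_legacy_irq() is used as the index into
+the isa_irq_to_gsi[] array. The bus_irq argument originates from
+ACPI_MADT_TYPE_IO_APIC and ACPI_MADT_TYPE_INTERRUPT items in the ACPI
+tables, but is nowhere sanity checked.
+
+That allows broken or malicious ACPI tables to overwrite memory, which
+might cause malfunction, panic or arbitrary code execution.
+
+Add a sanity check and emit a warning when that triggers.
+
+[ tglx: Added warning and rewrote changelog ]
+
+Signed-off-by: Seunghun Han <kkamagui@gmail.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: security@kernel.org
+Cc: "Rafael J. Wysocki" <rjw@rjwysocki.net>
+Cc: stable@vger.kernel.org
+---
+ arch/x86/kernel/acpi/boot.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/arch/x86/kernel/acpi/boot.c b/arch/x86/kernel/acpi/boot.c
+index 6bb6806..7491e73 100644
+--- a/arch/x86/kernel/acpi/boot.c
++++ b/arch/x86/kernel/acpi/boot.c
+@@ -347,6 +347,14 @@ static void __init mp_override_legacy_irq(u8 bus_irq, u8 polarity, u8 trigger,
+ 	struct mpc_intsrc mp_irq;
+ 
+ 	/*
++	 * Check bus_irq boundary.
++	 */
++	if (bus_irq >= NR_IRQS_LEGACY) {
++		pr_warn("Invalid bus_irq %u for legacy override\n", bus_irq);
++		return;
++	}
++
++	/*
+ 	 * Convert 'gsi' to 'ioapic.pin'.
+ 	 */
+ 	ioapic = mp_find_ioapic(gsi);
+-- 
+cgit v1.1
+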
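Review bot: The added comment `Check bus_irq boundary.` does not say why NR_IRQS_LEGACY is the bound, although the description explains it: bus_irq comes from the firmware's MADT entries and is used to index isa_irq_to_gsi[], which the check implies has NR_IRQS_LEGACY entries. Carrying that into the comment, e.g. `* bus_irq comes from the ACPI MADT and indexes isa_irq_to_gsi[], so reject anything outside the NR_IRQS_LEGACY legacy range.`, saves the next reader a trip to the changelog and makes the warning text self-explanatory. Returning after pr_warn() presumably means the offending override entry is simply ignored, which is worth one more sentence there since it is a deliberate degradation rather than a failure. mp_override_legacy_irq() starts and ends outside the hunk, so whether every use of bus_irq in it sits below this early return could not be checked here.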
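--- a/kernel.spec
+++ b/kernel.spec
@@ -634,6 +634,12 @@ Patch683: RFC-audit-fix-a-race-condition-with-the-auditd-tracking-code.patch
 # rhbz 1458599
 Patch685: 0001-ACPI-LPSS-Only-call-pwm_add_table-for-the-first-PWM-.patch
 
+# CVE-2017-7542 rhbz 1473649 1473650
+Patch701: 0001-ipv6-avoid-overflow-of-offset-in-ip6_find_1stfragopt.patch
+
+# CVE-2017-11473 rhbz 1473209 147310
+Patch702: CVE-2017-11473.patch
+
 # END OF PATCH DEFINITIONS
 
 %endif
@@ -2198,6 +2204,10 @@ fi
 #
 #
 %changelog
+* Fri Jul 21 2017 Justin M. Forbes <jforbes@fedoraproject.org>
+- Fix CVE-2017-7542 (rhbz 1473649 1473650)
+- Fix CVE-2017-11473 (rhbz 1473209 147310)
+
 * Mon Jul 17 2017 Laura Abbott <labbott@fedoraproject.org> - 4.11.11-200
 - Linux v4.11.11
 - Bring back /dev/port (rhbz 1471429 1451220)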
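Review bot: The bug reference `147310` on the new `# CVE-2017-11473 rhbz 1473209 147310` line, repeated in the changelog entry, has six digits while every other rhbz id in this diff has seven, so a digit was most likely dropped; the intended id should be confirmed and corrected in both places before the tracker links go stale. The new changelog entry also lacks the `- <version>-<release>` suffix the previous entry carries (`- 4.11.11-200`), which may be deliberate if no build is cut on this commit, but is worth a check since the release field is what ties the advisory to a shipped package.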