From 835b170e9cd2ebb2a448b8bb26c53eb5cb3da120 Mon Sep 17 00:00:00 2001
From: Josh Boyer
Date: Mon, 14 Mar 2016 08:44:02 -0400
Subject: [PATCH] CVE-2016-3135 netfilter: size overflow in x_tables (rhbz 1317386 1317387)
---
 kernel.spec | 6 ++++
 ...ter-x_tables-check-for-size-overflow.patch | 31 +++++++++++++++++++
 2 files changed, 37 insertions(+)
 create mode 100644 netfilter-x_tables-check-for-size-overflow.patch
diff --git a/kernel.spec b/kernel.spec
index af22cf783..dea176571 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -616,6 +616,9 @@ Patch649: perf-tools-Fix-python-extension-build.patch
 #rhbz 1316136
 Patch663: USB-serial-ftdi_sio-Add-support-for-ICP-DAS-I-756xU-.patch
+#CVE-2016-3135 rhbz 1317386 1317387
+Patch664: netfilter-x_tables-check-for-size-overflow.patch
+
 # END OF PATCH DEFINITIONS
 %endif
@@ -2137,6 +2140,9 @@ fi
 #
 #
 %changelog
+* Mon Mar 14 2016 Josh Boyer
+- CVE-2016-3135 netfilter: size overflow in x_tables (rhbz 1317386 1317387)
+
 * Fri Mar 11 2016 Josh Boyer
 - Add patch for ICP DAS I-756xU devices (rhbz 1316136)
diff --git a/netfilter-x_tables-check-for-size-overflow.patch b/netfilter-x_tables-check-for-size-overflow.patch
new file mode 100644
index 000000000..81e3d36fa
--- /dev/null
+++ b/netfilter-x_tables-check-for-size-overflow.patch
@@ -0,0 +1,31 @@
+Subject: [PATCH nf] netfilter: x_tables: check for size overflow
+From: Florian Westphal
+Date: 2016-03-10 0:56:23
+
+Ben Hawkes says:
+ integer overflow in xt_alloc_table_info, which on 32-bit systems can
+ lead to small structure allocation and a copy_from_user based heap
+ corruption.
+
+Reported-by: Ben Hawkes
+Signed-off-by: Florian Westphal
+---
+ net/netfilter/x_tables.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
+index c8a0b7d..17a9a9f 100644
+--- a/net/netfilter/x_tables.c
++++ b/net/netfilter/x_tables.c
+@@ -659,6 +659,9 @@ struct xt_table_info *xt_alloc_table_info(unsigned int size)
+ struct xt_table_info *info = NULL;
+ size_t sz = sizeof(*info) + size;
+
++ if (sz < sizeof(*info))
++ return NULL;
++
+ /* Pedantry: prevent them from hitting BUG() in vmalloc.c --RR */
+ if ((SMP_ALIGN(size) >> PAGE_SHIFT) + 2 > totalram_pages)
+ return NULL;
+--
+2.4.10
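Review bot: The RAM sanity check that follows the new guard in the embedded x_tables.c hunk still derives its page count from `size` rather than from the just-validated `sz`, so the two checks reason about different quantities. SMP_ALIGN is not defined in the visible lines; if it rounds up in `unsigned int` arithmetic, a `size` close to UINT_MAX could wrap there and pass the totalram_pages test, and on 64-bit the new `sz < sizeof(*info)` test cannot fire, leaving only the allocator to reject the request. Consider `if ((SMP_ALIGN(sz) >> PAGE_SHIFT) + 2 > totalram_pages)` and a comment above the new guard such as `/* sizeof(*info) + size can wrap on 32-bit, giving an undersized allocation */`. The body of xt_alloc_table_info continues outside the hunk, so how `sz` reaches the allocation and the later copy is not visible here.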