Linux v4.8.12
This commit is contained in:
Justin M. Forbes
parent
aa0c2338c3
commit
b2248a2796
|
|
@ -1,100 +0,0 @@
|
|||
From f5527fffff3f002b0a6b376163613b82f69de073 Mon Sep 17 00:00:00 2001
|
||||
From: Andrey Ryabinin <aryabinin@virtuozzo.com>
|
||||
Date: Thu, 24 Nov 2016 13:23:10 +0000
|
||||
Subject: [PATCH] mpi: Fix NULL ptr dereference in mpi_powm() [ver #3]
|
||||
|
||||
This fixes CVE-2016-8650.
|
||||
|
||||
If mpi_powm() is given a zero exponent, it wants to immediately return
|
||||
either 1 or 0, depending on the modulus. However, if the result was
|
||||
initalised with zero limb space, no limbs space is allocated and a
|
||||
NULL-pointer exception ensues.
|
||||
|
||||
Fix this by allocating a minimal amount of limb space for the result when
|
||||
the 0-exponent case when the result is 1 and not touching the limb space
|
||||
when the result is 0.
|
||||
|
||||
This affects the use of RSA keys and X.509 certificates that carry them.
|
||||
|
||||
BUG: unable to handle kernel NULL pointer dereference at (null)
|
||||
IP: [<ffffffff8138ce5d>] mpi_powm+0x32/0x7e6
|
||||
PGD 0
|
||||
Oops: 0002 [#1] SMP
|
||||
Modules linked in:
|
||||
CPU: 3 PID: 3014 Comm: keyctl Not tainted 4.9.0-rc6-fscache+ #278
|
||||
Hardware name: ASUS All Series/H97-PLUS, BIOS 2306 10/09/2014
|
||||
task: ffff8804011944c0 task.stack: ffff880401294000
|
||||
RIP: 0010:[<ffffffff8138ce5d>] [<ffffffff8138ce5d>] mpi_powm+0x32/0x7e6
|
||||
RSP: 0018:ffff880401297ad8 EFLAGS: 00010212
|
||||
RAX: 0000000000000000 RBX: ffff88040868bec0 RCX: ffff88040868bba0
|
||||
RDX: ffff88040868b260 RSI: ffff88040868bec0 RDI: ffff88040868bee0
|
||||
RBP: ffff880401297ba8 R08: 0000000000000000 R09: 0000000000000000
|
||||
R10: 0000000000000047 R11: ffffffff8183b210 R12: 0000000000000000
|
||||
R13: ffff8804087c7600 R14: 000000000000001f R15: ffff880401297c50
|
||||
FS: 00007f7a7918c700(0000) GS:ffff88041fb80000(0000) knlGS:0000000000000000
|
||||
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
|
||||
CR2: 0000000000000000 CR3: 0000000401250000 CR4: 00000000001406e0
|
||||
Stack:
|
||||
ffff88040868bec0 0000000000000020 ffff880401297b00 ffffffff81376cd4
|
||||
0000000000000100 ffff880401297b10 ffffffff81376d12 ffff880401297b30
|
||||
ffffffff81376f37 0000000000000100 0000000000000000 ffff880401297ba8
|
||||
Call Trace:
|
||||
[<ffffffff81376cd4>] ? __sg_page_iter_next+0x43/0x66
|
||||
[<ffffffff81376d12>] ? sg_miter_get_next_page+0x1b/0x5d
|
||||
[<ffffffff81376f37>] ? sg_miter_next+0x17/0xbd
|
||||
[<ffffffff8138ba3a>] ? mpi_read_raw_from_sgl+0xf2/0x146
|
||||
[<ffffffff8132a95c>] rsa_verify+0x9d/0xee
|
||||
[<ffffffff8132acca>] ? pkcs1pad_sg_set_buf+0x2e/0xbb
|
||||
[<ffffffff8132af40>] pkcs1pad_verify+0xc0/0xe1
|
||||
[<ffffffff8133cb5e>] public_key_verify_signature+0x1b0/0x228
|
||||
[<ffffffff8133d974>] x509_check_for_self_signed+0xa1/0xc4
|
||||
[<ffffffff8133cdde>] x509_cert_parse+0x167/0x1a1
|
||||
[<ffffffff8133d609>] x509_key_preparse+0x21/0x1a1
|
||||
[<ffffffff8133c3d7>] asymmetric_key_preparse+0x34/0x61
|
||||
[<ffffffff812fc9f3>] key_create_or_update+0x145/0x399
|
||||
[<ffffffff812fe227>] SyS_add_key+0x154/0x19e
|
||||
[<ffffffff81001c2b>] do_syscall_64+0x80/0x191
|
||||
[<ffffffff816825e4>] entry_SYSCALL64_slow_path+0x25/0x25
|
||||
Code: 56 41 55 41 54 53 48 81 ec a8 00 00 00 44 8b 71 04 8b 42 04 4c 8b 67 18 45 85 f6 89 45 80 0f 84 b4 06 00 00 85 c0 75 2f 41 ff ce <49> c7 04 24 01 00 00 00 b0 01 75 0b 48 8b 41 18 48 83 38 01 0f
|
||||
RIP [<ffffffff8138ce5d>] mpi_powm+0x32/0x7e6
|
||||
RSP <ffff880401297ad8>
|
||||
CR2: 0000000000000000
|
||||
---[ end trace d82015255d4a5d8d ]---
|
||||
|
||||
Basically, this is a backport of a libgcrypt patch:
|
||||
|
||||
http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=patch;h=6e1adb05d290aeeb1c230c763970695f4a538526
|
||||
|
||||
Fixes: cdec9cb5167a ("crypto: GnuPG based MPI lib - source files (part 1)")
|
||||
Signed-off-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
|
||||
Signed-off-by: David Howells <dhowells@redhat.com>
|
||||
cc: Dmitry Kasatkin <dmitry.kasatkin@gmail.com>
|
||||
cc: linux-ima-devel@lists.sourceforge.net
|
||||
cc: stable@vger.kernel.org
|
||||
Signed-off-by: James Morris <james.l.morris@oracle.com>
|
||||
---
|
||||
lib/mpi/mpi-pow.c | 7 ++++++-
|
||||
1 file changed, 6 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/lib/mpi/mpi-pow.c b/lib/mpi/mpi-pow.c
|
||||
index 5464c87..e24388a 100644
|
||||
--- a/lib/mpi/mpi-pow.c
|
||||
+++ b/lib/mpi/mpi-pow.c
|
||||
@@ -64,8 +64,13 @@ int mpi_powm(MPI res, MPI base, MPI exp, MPI mod)
|
||||
if (!esize) {
|
||||
/* Exponent is zero, result is 1 mod MOD, i.e., 1 or 0
|
||||
* depending on if MOD equals 1. */
|
||||
- rp[0] = 1;
|
||||
res->nlimbs = (msize == 1 && mod->d[0] == 1) ? 0 : 1;
|
||||
+ if (res->nlimbs) {
|
||||
+ if (mpi_resize(res, 1) < 0)
|
||||
+ goto enomem;
|
||||
+ rp = res->d;
|
||||
+ rp[0] = 1;
|
||||
+ }
|
||||
res->sign = 0;
|
||||
goto leave;
|
||||
}
|
||||
--
|
||||
2.9.3
|
||||
|
||||
|
|
@ -0,0 +1,69 @@
|
|||
From 9b57da0630c9fd36ed7a20fc0f98dc82cc0777fa Mon Sep 17 00:00:00 2001
|
||||
From: Florian Westphal <fw@strlen.de>
|
||||
Date: Tue, 29 Nov 2016 02:17:34 +0100
|
||||
Subject: [PATCH] netfilter: ipv6: nf_defrag: drop mangled skb on ream error
|
||||
|
||||
Dmitry Vyukov reported GPF in network stack that Andrey traced down to
|
||||
negative nh offset in nf_ct_frag6_queue().
|
||||
|
||||
Problem is that all network headers before fragment header are pulled.
|
||||
Normal ipv6 reassembly will drop the skb when errors occur further down
|
||||
the line.
|
||||
|
||||
netfilter doesn't do this, and instead passed the original fragment
|
||||
along. That was also fine back when netfilter ipv6 defrag worked with
|
||||
cloned fragments, as the original, pristine fragment was passed on.
|
||||
|
||||
So we either have to undo the pull op, or discard such fragments.
|
||||
Since they're malformed after all (e.g. overlapping fragment) it seems
|
||||
preferrable to just drop them.
|
||||
|
||||
Same for temporary errors -- it doesn't make sense to accept (and
|
||||
perhaps forward!) only some fragments of same datagram.
|
||||
|
||||
Fixes: 029f7f3b8701cc7ac ("netfilter: ipv6: nf_defrag: avoid/free clone operations")
|
||||
Reported-by: Dmitry Vyukov <dvyukov@google.com>
|
||||
Debugged-by: Andrey Konovalov <andreyknvl@google.com>
|
||||
Diagnosed-by: Eric Dumazet <Eric Dumazet <edumazet@google.com>
|
||||
Signed-off-by: Florian Westphal <fw@strlen.de>
|
||||
Acked-by: Eric Dumazet <edumazet@google.com>
|
||||
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
||||
---
|
||||
net/ipv6/netfilter/nf_conntrack_reasm.c | 4 ++--
|
||||
net/ipv6/netfilter/nf_defrag_ipv6_hooks.c | 2 +-
|
||||
2 files changed, 3 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/net/ipv6/netfilter/nf_conntrack_reasm.c b/net/ipv6/netfilter/nf_conntrack_reasm.c
|
||||
index e4347ae..9948b5c 100644
|
||||
--- a/net/ipv6/netfilter/nf_conntrack_reasm.c
|
||||
+++ b/net/ipv6/netfilter/nf_conntrack_reasm.c
|
||||
@@ -576,11 +576,11 @@ int nf_ct_frag6_gather(struct net *net, struct sk_buff *skb, u32 user)
|
||||
/* Jumbo payload inhibits frag. header */
|
||||
if (ipv6_hdr(skb)->payload_len == 0) {
|
||||
pr_debug("payload len = 0\n");
|
||||
- return -EINVAL;
|
||||
+ return 0;
|
||||
}
|
||||
|
||||
if (find_prev_fhdr(skb, &prevhdr, &nhoff, &fhoff) < 0)
|
||||
- return -EINVAL;
|
||||
+ return 0;
|
||||
|
||||
if (!pskb_may_pull(skb, fhoff + sizeof(*fhdr)))
|
||||
return -ENOMEM;
|
||||
diff --git a/net/ipv6/netfilter/nf_defrag_ipv6_hooks.c b/net/ipv6/netfilter/nf_defrag_ipv6_hooks.c
|
||||
index f7aab5a..f06b047 100644
|
||||
--- a/net/ipv6/netfilter/nf_defrag_ipv6_hooks.c
|
||||
+++ b/net/ipv6/netfilter/nf_defrag_ipv6_hooks.c
|
||||
@@ -69,7 +69,7 @@ static unsigned int ipv6_defrag(void *priv,
|
||||
if (err == -EINPROGRESS)
|
||||
return NF_STOLEN;
|
||||
|
||||
- return NF_ACCEPT;
|
||||
+ return err == 0 ? NF_ACCEPT : NF_DROP;
|
||||
}
|
||||
|
||||
static struct nf_hook_ops ipv6_defrag_ops[] = {
|
||||
--
|
||||
2.9.3
|
||||
|
||||
12
kernel.spec
12
kernel.spec
|
|
@ -54,7 +54,7 @@ Summary: The Linux kernel
|
|||
%if 0%{?released_kernel}
|
||||
|
||||
# Do we have a -stable update to apply?
|
||||
%define stable_update 11
|
||||
%define stable_update 12
|
||||
# Set rpm version accordingly
|
||||
%if 0%{?stable_update}
|
||||
%define stablerev %{stable_update}
|
||||
|
|
@ -634,8 +634,8 @@ Patch852: 0001-HID-input-ignore-System-Control-application-usages-i.patch
|
|||
#rhbz 1390308
|
||||
Patch854: nouveau-add-maxwell-to-backlight-init.patch
|
||||
|
||||
# CVE-2016-8650 rhbz 1395187 1398463
|
||||
Patch856: 0001-mpi-Fix-NULL-ptr-dereference-in-mpi_powm-ver-3.patch
|
||||
# CVE-2016-9755 rhbz 1400904 1400905
|
||||
Patch856: 0001-netfilter-ipv6-nf_defrag-drop-mangled-skb-on-ream-er.patch
|
||||
|
||||
# END OF PATCH DEFINITIONS
|
||||
|
||||
|
|
@ -2159,6 +2159,12 @@ fi
|
|||
#
|
||||
#
|
||||
%changelog
|
||||
* Fri Dec 02 2016 Justin M. Forbes <jforbes@fedoraproject.org> - 4.8.12-100
|
||||
- Linux v4.8.12
|
||||
- CVE-2016-9755 Fix Out-of-bounds write issue when defragmenting ipv6 packets (rhbz 1400904 1400905)
|
||||
- CVE-2016-9756 Fix kvm: stack memory information leakage (rhbz 1400468 1400469)
|
||||
- Fix kvm: out of bounds memory access via vcpu_id (rhbz 1400804 1400805)
|
||||
|
||||
* Mon Nov 28 2016 Justin M. Forbes <jforbes@fedoraproject.org> - 4.8.11-100
|
||||
- Linux v4.8.11
|
||||
- CVE-2016-8650 Fix NULL ptr dereference in mpi_powm() (rhbz 1395187 1398463)
|
||||
|
|
|
|||
Loading…
Reference in New Issue