From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1755410AbdBOXbT (ORCPT <rfc822;w@1wt.eu>);
        Wed, 15 Feb 2017 18:31:19 -0500
Received: from shadbolt.e.decadent.org.uk ([88.96.1.126]:54087 "EHLO
        shadbolt.e.decadent.org.uk" rhost-flags-OK-OK-OK-OK)
        by vger.kernel.org with ESMTP id S1755392AbdBOXbR (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 15 Feb 2017 18:31:17 -0500
Content-Type: text/plain; charset="UTF-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
MIME-Version: 1.0
From: Ben Hutchings <ben@decadent.org.uk>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
CC: akpm@linux-foundation.org, "David S. Miller" <davem@davemloft.net>,
        "Ying Xue" <ying.xue@windriver.com>,
        "Qian Zhang (=?UTF-8?Q?=E5=BC=A0=E8=B0=A6?=)" <zhangqian-c@360.cn>,
        "=?UTF-8?q?Michal=20Kube=C4=8Dek?=" <mkubecek@suse.cz>
Date: Wed, 15 Feb 2017 22:41:34 +0000
Message-ID: <lsq.1487198494.589364691@decadent.org.uk>
X-Mailer: LinuxStableQueue (scripts by bwh)
Subject: [PATCH 3.2 097/126] tipc: check minimum bearer MTU
In-Reply-To: <lsq.1487198490.691915840@decadent.org.uk>
X-SA-Exim-Connect-IP: 2a02:8011:400e:2:6f00:88c8:c921:d332
X-SA-Exim-Mail-From: ben@decadent.org.uk
X-SA-Exim-Scanned: No (on shadbolt.decadent.org.uk); SAEximRunCond expanded to false
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

3.2.85-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Michal Kubeček <mkubecek@suse.cz>

commit 3de81b758853f0b29c61e246679d20b513c4cfec upstream.

Qian Zhang (张谦) reported a potential socket buffer overflow in
tipc_msg_build() which is also known as CVE-2016-8632: due to
insufficient checks, a buffer overflow can occur if MTU is too short for
even tipc headers. As anyone can set device MTU in a user/net namespace,
this issue can be abused by a regular user.

As agreed in the discussion on Ben Hutchings' original patch, we should
check the MTU at the moment a bearer is attached rather than for each
processed packet. We also need to repeat the check when bearer MTU is
adjusted to new device MTU. UDP case also needs a check to avoid
overflow when calculating bearer MTU.

Fixes: b97bf3fd8f6a ("[TIPC] Initial merge")
Signed-off-by: Michal Kubecek <mkubecek@suse.cz>
Reported-by: Qian Zhang (张谦) <zhangqian-c@360.cn>
Acked-by: Ying Xue <ying.xue@windriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.2:
 - Adjust filename, context
 - Duplicate macro definitions in bearer.h to avoid mutual inclusion
 - NETDEV_CHANGEMTU and NETDEV_CHANGEADDR cases in net notifier were combined
 - Drop changes in udp_media.c]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/net/tipc/eth_media.c
+++ b/net/tipc/eth_media.c
@@ -167,6 +167,10 @@ static int enable_bearer(struct tipc_bea
 	read_unlock(&dev_base_lock);
 	if (!dev)
 		return -ENODEV;
+	if (tipc_mtu_bad(dev, 0)) {
+		dev_put(dev);
+		return -EINVAL;
+	}
 
 	/* Create Ethernet bearer for device */
 
@@ -227,8 +231,6 @@ static int recv_notification(struct noti
 	if (!eb_ptr->bearer)
 		return NOTIFY_DONE;		/* bearer had been disabled */
 
-	eb_ptr->bearer->mtu = dev->mtu;
-
 	switch (evt) {
 	case NETDEV_CHANGE:
 		if (netif_carrier_ok(dev))
@@ -243,6 +245,12 @@ static int recv_notification(struct noti
 		tipc_block_bearer(eb_ptr->bearer->name);
 		break;
 	case NETDEV_CHANGEMTU:
+		if (tipc_mtu_bad(dev, 0)) {
+			tipc_disable_bearer(eb_ptr->bearer->name);
+			break;
+		}
+		eb_ptr->bearer->mtu = dev->mtu;
+		/* fall through */
 	case NETDEV_CHANGEADDR:
 		tipc_block_bearer(eb_ptr->bearer->name);
 		tipc_continue(eb_ptr->bearer);
--- a/net/tipc/bearer.h
+++ b/net/tipc/bearer.h
@@ -47,6 +47,13 @@
  */
 #define TIPC_MEDIA_TYPE_ETH	1
 
+/* Message header sizes from msg.h - duplicated to avoid mutual inclusion */
+#define INT_H_SIZE                40
+#define MAX_H_SIZE                60
+
+/* minimum bearer MTU */
+#define TIPC_MIN_BEARER_MTU	(MAX_H_SIZE + INT_H_SIZE)
+
 /*
  * Destination address structure used by TIPC bearers when sending messages
  *
@@ -209,4 +216,13 @@ static inline int tipc_bearer_send(struc
 	return !b_ptr->media->send_msg(buf, b_ptr, dest);
 }
 
+/* check if device MTU is too low for tipc headers */
+static inline bool tipc_mtu_bad(struct net_device *dev, unsigned int reserve)
+{
+	if (dev->mtu >= TIPC_MIN_BEARER_MTU + reserve)
+		return false;
+	netdev_warn(dev, "MTU too low for tipc bearer\n");
+	return true;
+}
+
 #endif	/* _TIPC_BEARER_H */