add fix for CVE-2017-9074 fix

diff --git a/CVE-2017-9074-2-ipv6-Check-ip6_find_1stfragopt-return-value-properly.patch b/CVE-2017-9074-2-ipv6-Check-ip6_find_1stfragopt-return-value-properly.patch
new file mode 100644 (file)
index 0000000..81a64c7
--- /dev/null
+++ b/CVE-2017-9074-2-ipv6-Check-ip6_find_1stfragopt-return-value-properly.patch
@@ -0,0 +1,96 @@
+From 7dd7eb9513bd02184d45f000ab69d78cb1fa1531 Mon Sep 17 00:00:00 2001
+From: "David S. Miller" <davem@davemloft.net>
+Date: Wed, 17 May 2017 22:54:11 -0400
+Subject: [PATCH] ipv6: Check ip6_find_1stfragopt() return value properly.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Do not use unsigned variables to see if it returns a negative
+error or not.
+
+Fixes: 2423496af35d ("ipv6: Prevent overrun when parsing v6 header options")
+Reported-by: Julia Lawall <julia.lawall@lip6.fr>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
+---
+ net/ipv6/ip6_offload.c | 9 ++++-----
+ net/ipv6/ip6_output.c  | 7 +++----
+ net/ipv6/udp_offload.c | 8 +++++---
+ 3 files changed, 12 insertions(+), 12 deletions(-)
+
+diff --git a/net/ipv6/ip6_offload.c b/net/ipv6/ip6_offload.c
+index eab36abc9f22..280268f1dd7b 100644
+--- a/net/ipv6/ip6_offload.c
++++ b/net/ipv6/ip6_offload.c
+@@ -63,7 +63,6 @@ static struct sk_buff *ipv6_gso_segment(struct sk_buff *skb,
+       const struct net_offload *ops;
+       int proto;
+       struct frag_hdr *fptr;
+-      unsigned int unfrag_ip6hlen;
+       unsigned int payload_len;
+       u8 *prevhdr;
+       int offset = 0;
+@@ -116,10 +115,10 @@ static struct sk_buff *ipv6_gso_segment(struct sk_buff *skb,
+               skb->network_header = (u8 *)ipv6h - skb->head;
+ 
+               if (udpfrag) {
+-                      unfrag_ip6hlen = ip6_find_1stfragopt(skb, &prevhdr);
+-                      if (unfrag_ip6hlen < 0)
+-                              return ERR_PTR(unfrag_ip6hlen);
+-                      fptr = (struct frag_hdr *)((u8 *)ipv6h + unfrag_ip6hlen);
++                      int err = ip6_find_1stfragopt(skb, &prevhdr);
++                      if (err < 0)
++                              return ERR_PTR(err);
++                      fptr = (struct frag_hdr *)((u8 *)ipv6h + err);
+                       fptr->frag_off = htons(offset);
+                       if (skb->next)
+                               fptr->frag_off |= htons(IP6_MF);
+diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
+index 01deecda2f84..d4a31becbd25 100644
+--- a/net/ipv6/ip6_output.c
++++ b/net/ipv6/ip6_output.c
+@@ -597,11 +597,10 @@ int ip6_fragment(struct net *net, struct sock *sk, struct sk_buff *skb,
+       int ptr, offset = 0, err = 0;
+       u8 *prevhdr, nexthdr = 0;
+ 
+-      hlen = ip6_find_1stfragopt(skb, &prevhdr);
+-      if (hlen < 0) {
+-              err = hlen;
++      err = ip6_find_1stfragopt(skb, &prevhdr);
++      if (err < 0)
+               goto fail;
+-      }
++      hlen = err;
+       nexthdr = *prevhdr;
+ 
+       mtu = ip6_skb_dst_mtu(skb);
+diff --git a/net/ipv6/udp_offload.c b/net/ipv6/udp_offload.c
+index b348cff47395..a2267f80febb 100644
+--- a/net/ipv6/udp_offload.c
++++ b/net/ipv6/udp_offload.c
+@@ -29,6 +29,7 @@ static struct sk_buff *udp6_ufo_fragment(struct sk_buff *skb,
+       u8 frag_hdr_sz = sizeof(struct frag_hdr);
+       __wsum csum;
+       int tnl_hlen;
++      int err;
+ 
+       mss = skb_shinfo(skb)->gso_size;
+       if (unlikely(skb->len <= mss))
+@@ -90,9 +91,10 @@ static struct sk_buff *udp6_ufo_fragment(struct sk_buff *skb,
+               /* Find the unfragmentable header and shift it left by frag_hdr_sz
+                * bytes to insert fragment header.
+                */
+-              unfrag_ip6hlen = ip6_find_1stfragopt(skb, &prevhdr);
+-              if (unfrag_ip6hlen < 0)
+-                      return ERR_PTR(unfrag_ip6hlen);
++              err = ip6_find_1stfragopt(skb, &prevhdr);
++              if (err < 0)
++                      return ERR_PTR(err);
++              unfrag_ip6hlen = err;
+               nexthdr = *prevhdr;
+               *prevhdr = NEXTHDR_FRAGMENT;
+               unfrag_len = (skb_network_header(skb) - skb_mac_header(skb)) +
+-- 
+2.11.0
+

diff --git a/Makefile b/Makefile
index 53699a304d2f5b09a123032d462c487ef2d11297..13eb97465377903150c09ef9963de8e6d4096306 100644 (file)
--- a/Makefile
+++ b/Makefile
@@ -237,6 +237,7 @@ ${KERNEL_SRC}/README ${KERNEL_CFG_ORG}: ${KERNEL_SRC_SUBMODULE} | submodules
        cd ${KERNEL_SRC}; patch -p1 < ../0001-netfilter-nft_set_rbtree-handle-re-addition-element-.patch # DoS from within (unpriv) containers
        cd ${KERNEL_SRC}; patch -p1 < ../CVE-2017-8890-dccp-tcp-do-not-inherit-mc_list-from-parent.patch
        cd ${KERNEL_SRC}; patch -p1 < ../CVE-2017-9074-ipv6-Prevent-overrun-when-parsing-v6-header-options.patch
+       cd ${KERNEL_SRC}; patch -p1 < ../CVE-2017-9074-2-ipv6-Check-ip6_find_1stfragopt-return-value-properly.patch
        cd ${KERNEL_SRC}; patch -p1 < ../CVE-2017-9075-sctp-do-not-inherit-ipv6_-mc-ac-fl-_list-from-parent.patch
        cd ${KERNEL_SRC}; patch -p1 < ../CVE-2017-9076_9077-ipv6-dccp-do-not-inherit-ipv6_mc_list-from-parent.patch
        cd ${KERNEL_SRC}; patch -p1 < ../CVE-2017-9242-ipv6-fix-out-of-bound-writes-in-__ip6_append_data.patch