Revision history

revision 1: initial version

posted 2018-03-06 09:45:10 +0200

fix out of bound writes in __ip6_append_data() in kernel-net-ipv6 CVE-2017-9242

The __ip6_append_data function in net/ipv6/ip6_output.c in the Linux kernel through 4.11.3 is too late in checking whether an overwrite of an skb data structure may occur, which allows local users to cause a denial of service (system crash) via crafted system calls.

Upstream fix available and equal to the kernel-3.2 backport.

File affected: kernel-adaptation-sbj-3.4.108.20161101.1/net/ipv6/ip6_output.c lines 1411-1416; 1462-1474

So the patch should look like:

@@ -1411,6 +1411,11 @@ alloc_new_skb:
         */
        alloclen += sizeof(struct frag_hdr);

+           copy = datalen - transhdrlen - fraggap;
+           if (copy < 0) {
+               err = -EINVAL;
+               goto error;
+           }
        if (transhdrlen) {
            skb = sock_alloc_send_skb(sk,
                    alloclen + hh_len,
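Review bot: dropping the kfree_skb(skb) from the relocated check is the right call and deserves a line in the commit message: at this point the skb = sock_alloc_send_skb(...) that follows has not run, so there is no new buffer to free, and `skb` still refers to whatever the loop was holding before, which the plain goto error correctly leaves alone. Style: the five added lines sit four columns deeper than the if (transhdrlen) { they precede, which suggests spaces were substituted for the tabs the kernel tree uses; regenerate the hunk with tabs and confirm it applies to kernel-adaptation-sbj-3.4.108.20161101.1 without whitespace rejects (patch --dry-run or git apply --check) before building.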
@@ -1462,13 +1467,9 @@ alloc_new_skb:
            data += fraggap;
            pskb_trim_unique(skb_prev, maxfraglen);
        }
-           copy = datalen - transhdrlen - fraggap;
-
-           if (copy < 0) {
-               err = -EINVAL;
-               kfree_skb(skb);
-               goto error;
-           } else if (copy > 0 && getfrag(from, data + transhdrlen, offset, copy, fraggap, skb) < 0) {
+           if (copy > 0 &&
+               getfrag(from, data + transhdrlen, offset,
+                   copy, fraggap, skb) < 0) {
            err = -EFAULT;
            kfree_skb(skb);
            goto error;
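Review bot: the removed block is the evidence for "too late": the copy < 0 test only ran after the fraggap handling (data += fraggap; pskb_trim_unique(skb_prev, maxfraglen);) had already completed, so the overrun this CVE describes took place before the request was rejected. One thing to confirm against the full 3.4.108 file rather than this hunk alone: nothing between the relocated computation and this if (copy > 0 && getfrag(...) < 0) reassigns copy, otherwise the value tested here is not the one that was validated. Keeping kfree_skb(skb) on the -EFAULT path is correct, since by here the skb for this fragment has been allocated. The header -1462,13 +1467,9 agrees with the seven removed and three added lines.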

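The ordering bug the patch fixes can be reproduced in user space without any kernel. The block below is an added example, not the kernel code or anything from the post above: a malloc block stands in for the skb, with a canary after the payload where skb_shared_info would sit, and the move of the fraggap bytes to data + transhdrlen models the write that, as the second hunk shows, ran before the old copy < 0 test. All sizes (datalen, transhdrlen, fraggap use the kernel's local names), the 64-byte previous-fragment tail and the canary bytes are constructed for the demo, and inputs are assumed non-negative with fraggap at most 64. A small clamp keeps the vulnerable version inside its own allocation so the demo itself is memory-safe; the canary still records the overrun.

```c
/* Added example, not kernel code: a user-space model of the ordering bug
 * behind CVE-2017-9242. The "skb" is a malloc block whose payload is
 * followed by a canary standing in for skb_shared_info; variable names
 * follow the kernel's locals, all values are constructed for the demo. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CANARY_LEN 8
static const unsigned char canary[CANARY_LEN] = {
    0xC0, 0xFF, 0xEE, 0x11, 0x22, 0x33, 0x44, 0x55
};

struct fake_skb {            /* payload of datalen bytes, then the canary */
    unsigned char *mem;
    int datalen;
};

static int fake_skb_alloc(struct fake_skb *skb, int datalen)
{
    skb->mem = calloc((size_t)datalen + CANARY_LEN, 1);
    if (!skb->mem)
        return -ENOMEM;
    skb->datalen = datalen;
    memcpy(skb->mem + datalen, canary, CANARY_LEN);
    return 0;
}

/* 1 if the canary behind the payload was overwritten, else 0. */
static int fake_skb_overrun(const struct fake_skb *skb)
{
    return memcmp(skb->mem + skb->datalen, canary, CANARY_LEN) != 0;
}

/* Move fraggap bytes of the previous fragment's tail to data + transhdrlen.
 * The kernel does this with no bounds check; the clamp here only keeps the
 * demo inside its own allocation, the canary still records the overrun. */
static void move_fraggap(struct fake_skb *skb, int transhdrlen, int fraggap,
                         const unsigned char *prev_tail)
{
    long room = (long)skb->datalen + CANARY_LEN - transhdrlen;
    long n = fraggap < room ? fraggap : (room > 0 ? room : 0);
    memcpy(skb->mem + transhdrlen, prev_tail, (size_t)n);
}

/* Pre-fix ordering: allocate, move the gap, and only then notice copy < 0. */
static int append_late_check(struct fake_skb *skb, int datalen, int transhdrlen,
                             int fraggap, const unsigned char *prev_tail)
{
    int err = fake_skb_alloc(skb, datalen);
    if (err)
        return err;
    if (fraggap)
        move_fraggap(skb, transhdrlen, fraggap, prev_tail);
    int copy = datalen - transhdrlen - fraggap;
    if (copy < 0)
        return -EINVAL;      /* too late: the write above already happened */
    return 0;
}

/* Patched ordering: reject copy < 0 before anything is allocated or written. */
static int append_early_check(struct fake_skb *skb, int datalen, int transhdrlen,
                              int fraggap, const unsigned char *prev_tail)
{
    int copy = datalen - transhdrlen - fraggap;
    if (copy < 0)
        return -EINVAL;      /* nothing to free: no skb exists yet */
    int err = fake_skb_alloc(skb, datalen);
    if (err)
        return err;
    if (fraggap)
        move_fraggap(skb, transhdrlen, fraggap, prev_tail);
    return 0;
}

struct outcome { int err; int overrun; };  /* overrun is -1 if nothing was allocated */

/* Run one fragment through either version with a constructed 64-byte tail. */
static struct outcome demo(int fixed, int datalen, int transhdrlen, int fraggap)
{
    unsigned char prev_tail[64];
    struct fake_skb skb = { NULL, 0 };
    struct outcome o = { 0, -1 };

    memset(prev_tail, 0xAA, sizeof prev_tail);
    o.err = fixed ? append_early_check(&skb, datalen, transhdrlen, fraggap, prev_tail)
                  : append_late_check(&skb, datalen, transhdrlen, fraggap, prev_tail);
    if (skb.mem) {
        o.overrun = fake_skb_overrun(&skb);
        free(skb.mem);
    }
    return o;
}

int main(void)
{
    struct outcome old = demo(0, 16, 8, 12), new = demo(1, 16, 8, 12);
    printf("old order: err=%d overrun=%d\n", old.err, old.overrun);
    printf("new order: err=%d overrun=%d\n", new.err, new.overrun);
    return 0;
}
```

With datalen 16, transhdrlen 8 and fraggap 12 (copy = -4) both orderings return -EINVAL, but only the pre-fix one has already written four bytes past the payload by the time it does; the patched ordering never allocates, which is also why its error path has no kfree_skb. Sizes with copy >= 0 behave identically in both versions.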