linux-stable.git/net, branch v3.2.93

xfrm: policy: check policy direction value

2017-09-15T17:30:56+00:00

commit 7bab09631c2a303f87a7eb7e3d69e888673b9b7e upstream.

The 'dir' parameter in xfrm_migrate() is a user-controlled byte which is used
as an array index. This can lead to an out-of-bound access, kernel lockup and
DoS. Add a check for the 'dir' value.

This fixes CVE-2017-11600.

References: https://bugzilla.redhat.com/show_bug.cgi?id=1474928
Fixes: 80c9abaabf42 ("[XFRM]: Extension for dynamic update of endpoint address(es)")
Reported-by: "bo Zhang" 
Signed-off-by: Vladis Dronov 
Signed-off-by: Steffen Klassert 
Signed-off-by: Ben Hutchings

tcp: initialize rcv_mss to TCP_MIN_MSS instead of 0

2017-09-15T17:30:56+00:00

commit 499350a5a6e7512d9ed369ed63a4244b6536f4f8 upstream.

When tcp_disconnect() is called, inet_csk_delack_init() sets
icsk->icsk_ack.rcv_mss to 0.
This could potentially cause tcp_recvmsg() => tcp_cleanup_rbuf() =>
__tcp_select_window() call path to have division by 0 issue.
So this patch initializes rcv_mss to TCP_MIN_MSS instead of 0.

Reported-by: Andrey Konovalov  
Signed-off-by: Wei Wang 
Signed-off-by: Eric Dumazet 
Signed-off-by: Neal Cardwell 
Signed-off-by: Yuchung Cheng 
Signed-off-by: David S. Miller 
Signed-off-by: Ben Hutchings

net: prevent sign extension in dev_get_stats()

2017-09-15T17:30:56+00:00

commit 6f64ec74515925cced6df4571638b5a099a49aae upstream.

Similar to the fix provided by Dominik Heidler in commit
9b3dc0a17d73 ("l2tp: cast l2tp traffic counter to unsigned")
we need to take care of 32bit kernels in dev_get_stats().

When using atomic_long_read(), we add a 'long' to u64 and
might misinterpret high order bit, unless we cast to unsigned.

Fixes: caf586e5f23ce ("net: add a core netdev->rx_dropped counter")
Fixes: 015f0688f57ca ("net: net: add a core netdev->tx_dropped counter")
Fixes: 6e7333d315a76 ("net: add rx_nohandler stat counter")
Signed-off-by: Eric Dumazet 
Cc: Jarod Wilson 
Signed-off-by: David S. Miller 
[bwh: Backported to 3.2: only rx_dropped is updated here]
Signed-off-by: Ben Hutchings

ipv6: avoid unregistering inet6_dev for loopback

2017-09-15T17:30:55+00:00

commit 60abc0be96e00ca71bac083215ac91ad2e575096 upstream.

The per netns loopback_dev->ip6_ptr is unregistered and set to
NULL when its mtu is set to smaller than IPV6_MIN_MTU, this
leads to that we could set rt->rt6i_idev NULL after a
rt6_uncached_list_flush_dev() and then crash after another
call.

In this case we should just bring its inet6_dev down, rather
than unregistering it, at least prior to commit 176c39af29bc
("netns: fix addrconf_ifdown kernel panic") we always
override the case for loopback.

Thanks a lot to Andrey for finding a reliable reproducer.

Fixes: 176c39af29bc ("netns: fix addrconf_ifdown kernel panic")
Reported-by: Andrey Konovalov 
Cc: Andrey Konovalov 
Cc: Daniel Lezcano 
Cc: David Ahern 
Signed-off-by: Cong Wang 
Acked-by: David Ahern 
Tested-by: Andrey Konovalov 
Signed-off-by: David S. Miller 
[bwh: Backported to 3.2: the NETDEV_CHANGEMTU case used to fall-through to the
 NETDEV_DOWN case here, so replace that with a separate call to addrconf_ifdown()]
Signed-off-by: Ben Hutchings

rtnetlink: add IFLA_GROUP to ifla_policy

2017-09-15T17:30:55+00:00

commit db833d40ad3263b2ee3b59a1ba168bb3cfed8137 upstream.

Network interface groups support added while ago, however
there is no IFLA_GROUP attribute description in policy
and netlink message size calculations until now.

Add IFLA_GROUP attribute to the policy.

Fixes: cbda10fa97d7 ("net_device: add support for network device groups")
Signed-off-by: Serhey Popovych 
Signed-off-by: David S. Miller 
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings

xfrm: NULL dereference on allocation failure

2017-09-15T17:30:54+00:00

commit e747f64336fc15e1c823344942923195b800aa1e upstream.

The default error code in pfkey_msg2xfrm_state() is -ENOBUFS.  We
added a new call to security_xfrm_state_alloc() which sets "err" to zero
so there several places where we can return ERR_PTR(0) if kmalloc()
fails.  The caller is expecting error pointers so it leads to a NULL
dereference.

Fixes: df71837d5024 ("[LSM-IPSec]: Security association restriction.")
Signed-off-by: Dan Carpenter 
Signed-off-by: Steffen Klassert 
Signed-off-by: Ben Hutchings

xfrm: Oops on error in pfkey_msg2xfrm_state()

2017-09-15T17:30:54+00:00

commit 1e3d0c2c70cd3edb5deed186c5f5c75f2b84a633 upstream.

There are some missing error codes here so we accidentally return NULL
instead of an error pointer.  It results in a NULL pointer dereference.

Fixes: df71837d5024 ("[LSM-IPSec]: Security association restriction.")
Signed-off-by: Dan Carpenter 
Signed-off-by: Steffen Klassert 
Signed-off-by: Ben Hutchings

net: ping: do not abuse udp_poll()

2017-09-15T17:30:50+00:00

commit 77d4b1d36926a9b8387c6b53eeba42bcaaffcea3 upstream.

Alexander reported various KASAN messages triggered in recent kernels

The problem is that ping sockets should not use udp_poll() in the first
place, and recent changes in UDP stack finally exposed this old bug.

Fixes: c319b4d76b9e ("net: ipv4: add IPPROTO_ICMP socket kind")
Fixes: 6d0bfe226116 ("net: ipv6: Add IPv6 support to the ping socket.")
Signed-off-by: Eric Dumazet 
Reported-by: Sasha Levin 
Cc: Solar Designer 
Cc: Vasiliy Kulikov 
Cc: Lorenzo Colitti 
Acked-By: Lorenzo Colitti 
Tested-By: Lorenzo Colitti 
Signed-off-by: David S. Miller 
[bwh: Backported to 3.2:
 - Drop IPv6 bits
 - Adjust context]
Signed-off-by: Ben Hutchings

ipv6: Fix leak in ipv6_gso_segment().

2017-09-15T17:30:50+00:00

commit e3e86b5119f81e5e2499bea7ea1ebe8ac6aab789 upstream.

If ip6_find_1stfragopt() fails and we return an error we have to free
up 'segs' because nobody else is going to.

Fixes: 2423496af35d ("ipv6: Prevent overrun when parsing v6 header options")
Reported-by: Ben Hutchings 
Signed-off-by: David S. Miller 
[bwh: Backported to 3.2: adjust filename, context]
Signed-off-by: Ben Hutchings

net: add kfree_skb_list()

2017-09-15T17:30:50+00:00

Extracted from upstream commit bd8a7036c06c "gre: fix a possible skb leak".

This patch adds a kfree_skb_list() helper.

Signed-off-by: Ben Hutchings