From 7a4ff6735dff35e241608a5145ca589fe7791074 Mon Sep 17 00:00:00 2001
From: Natanael Copa
Date: Wed, 27 Feb 2013 16:00:49 +0000
Subject: main/linux-grsec: security fixes (CVE-2013-0290) + sock_diag out of bounds
fixes #1626 fixes #1619
---
 ...ix-out-of-bounds-access-to-sock_diag_hand.patch | 36 +++++++++++++++
 ...-fix-infinite-loop-in-__skb_recv_datagram.patch | 52 ++++++++++++++++++++++
 main/linux-grsec/APKBUILD | 42 ++++++++++++++++-
 3 files changed, 129 insertions(+), 1 deletion(-)
 create mode 100644 main/linux-grsec/0001-sock_diag-Fix-out-of-bounds-access-to-sock_diag_hand.patch
 create mode 100644 main/linux-grsec/0002-net-fix-infinite-loop-in-__skb_recv_datagram.patch
diff --git a/main/linux-grsec/0001-sock_diag-Fix-out-of-bounds-access-to-sock_diag_hand.patch b/main/linux-grsec/0001-sock_diag-Fix-out-of-bounds-access-to-sock_diag_hand.patch
new file mode 100644
index 000000000..9124b975d
--- /dev/null
+++ b/main/linux-grsec/0001-sock_diag-Fix-out-of-bounds-access-to-sock_diag_hand.patch
@@ -0,0 +1,36 @@
+From ecc18050ef1ebd1dd63ebab44297d09a48360fc5 Mon Sep 17 00:00:00 2001
+From: Mathias Krause
+Date: Sat, 23 Feb 2013 01:13:47 +0000
+Subject: [PATCH 1/2] sock_diag: Fix out-of-bounds access to
+ sock_diag_handlers[]
+
+Userland can send a netlink message requesting SOCK_DIAG_BY_FAMILY
+with a family greater or equal then AF_MAX -- the array size of
+sock_diag_handlers[]. The current code does not test for this
+condition therefore is vulnerable to an out-of-bound access opening
+doors for a privilege escalation.
+
+Signed-off-by: Mathias Krause
+Acked-by: Eric Dumazet
+Signed-off-by: David S. Miller
+---
+ net/core/sock_diag.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/core/sock_diag.c b/net/core/sock_diag.c
+index 849f809..5e8d4a9 100644
+--- a/net/core/sock_diag.c
++++ b/net/core/sock_diag.c
+@@ -133,6 +133,9 @@ static int __sock_diag_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
+ if (nlmsg_len(nlh) < sizeof(*req))
+ return -EINVAL;
+
++ if (req->sdiag_family >= AF_MAX)
++ return -EINVAL;
++
+ hndl = sock_diag_lock_handler(req->sdiag_family);
+ if (hndl == NULL)
+ err = -ENOENT;
+--
+1.8.1.4
+
diff --git a/main/linux-grsec/0002-net-fix-infinite-loop-in-__skb_recv_datagram.patch b/main/linux-grsec/0002-net-fix-infinite-loop-in-__skb_recv_datagram.patch
new file mode 100644
index 000000000..189999c7f
--- /dev/null
+++ b/main/linux-grsec/0002-net-fix-infinite-loop-in-__skb_recv_datagram.patch
@@ -0,0 +1,52 @@
+From 8679699f038e5cbd360df52e347e733f367bb30f Mon Sep 17 00:00:00 2001
+From: Eric Dumazet
+Date: Tue, 12 Feb 2013 06:16:53 +0000
+Subject: [PATCH 2/2] net: fix infinite loop in __skb_recv_datagram()
+
+Tommi was fuzzing with trinity and reported the following problem :
+
+commit 3f518bf745 (datagram: Add offset argument to __skb_recv_datagram)
+missed that a raw socket receive queue can contain skbs with no payload.
+
+We can loop in __skb_recv_datagram() with MSG_PEEK mode, because
+wait_for_packet() is not prepared to skip these skbs.
+
+[ 83.541011] INFO: rcu_sched detected stalls on CPUs/tasks: {}
+(detected by 0, t=26002 jiffies, g=27673, c=27672, q=75)
+[ 83.541011] INFO: Stall ended before state dump start
+[ 108.067010] BUG: soft lockup - CPU#0 stuck for 22s! [trinity-child31:2847]
+...
+[ 108.067010] Call Trace:
+[ 108.067010] [] __skb_recv_datagram+0x1a3/0x3b0
+[ 108.067010] [] skb_recv_datagram+0x2d/0x30
+[ 108.067010] [] rawv6_recvmsg+0xad/0x240
+[ 108.067010] [] sock_common_recvmsg+0x34/0x50
+[ 108.067010] [] sock_recvmsg+0xbc/0xf0
+[ 108.067010] [] sys_recvfrom+0xde/0x150
+[ 108.067010] [] system_call_fastpath+0x16/0x1b
+
+Reported-by: Tommi Rantala
+Tested-by: Tommi Rantala
+Signed-off-by: Eric Dumazet
+Cc: Pavel Emelyanov
+Acked-by: Pavel Emelyanov
+---
+ net/core/datagram.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/core/datagram.c b/net/core/datagram.c
+index 6a6ac94..07ccc3e 100644
+--- a/net/core/datagram.c
++++ b/net/core/datagram.c
+@@ -187,7 +187,7 @@ struct sk_buff *__skb_recv_datagram(struct sock *sk, unsigned flags,
+ skb_queue_walk(queue, skb) {
+ *peeked = skb->peeked;
+ if (flags & MSG_PEEK) {
+- if (*off >= skb->len) {
++ if (*off >= skb->len && skb->len) {
+ *off -= skb->len;
+ continue;
+ }
+--
+1.8.1.4
+
diff --git a/main/linux-grsec/APKBUILD b/main/linux-grsec/APKBUILD
index 9afa066a7..fd7f18623 100644
--- a/main/linux-grsec/APKBUILD
+++ b/main/linux-grsec/APKBUILD
@@ -4,7 +4,7 @@ _flavor=grsec
 pkgname=linux-${_flavor}
 pkgver=3.6.11
 _kernver=3.6
-pkgrel=13
+pkgrel=14
 pkgdesc="Linux kernel with grsecurity"
 url=http://grsecurity.net
 depends="mkinitfs linux-firmware"
@@ -28,6 +28,8 @@ source="http://ftp.kernel.org/pub/linux/kernel/v3.x/linux-$_kernver.tar.xz
 xsa39-pvops-0003-xen-netback-free-already-allocated-memory-on-failure.patch
 xsa39-pvops-0004-netback-correct-netbk_tx_err-to-handle-wrap-around.patch
 xsa43-pvops.patch
+ 0001-sock_diag-Fix-out-of-bounds-access-to-sock_diag_hand.patch
+ 0002-net-fix-infinite-loop-in-__skb_recv_datagram.patch
 kernelconfig.x86
 kernelconfig.x86_64
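Review bot: Nothing in the APKBUILD records what the two new source entries fix, so a later maintainer has to open the patch files to learn which one the CVE-2013-0290 in the commit subject refers to; the subject attaches the CVE only to "security fixes" and names the sock_diag out-of-bounds fix separately, and the 0002 patch body (MSG_PEEK loop in __skb_recv_datagram) appears to be the one matching that CVE, while the sock_diag fix carries no identifier here at all. Because source= is a single quoted string, a shell comment cannot sit between the entries; a comment beside the bumped pkgrel, such as `# pkgrel 14: 0001 = sock_diag OOB (upstream ecc18050ef1e), 0002 = CVE-2013-0290 (upstream 8679699f038e)`, keeps the mapping with the package. Whether prepare() applies every *.patch listed in $source is outside this hunk; confirm both new files are actually applied to the 3.6.11 tree.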
@@ -163,5 +165,43 @@ d9b4a528e722d10ba53034ebd440c31b ipv4-remove-output-route-check-in-ipv4_mtu.pat
 89dbb0886c9d17c3c4a5ff4f1443e936 xsa39-pvops-0003-xen-netback-free-already-allocated-memory-on-failure.patch
 bce9f08c86570a0a86ef36f1d2e7a2dd xsa39-pvops-0004-netback-correct-netbk_tx_err-to-handle-wrap-around.patch
 2399192c10ba600a086a4c946f1b72f2 xsa43-pvops.patch
+2eae706f3b25a4a3341ef78eb29197dc 0001-sock_diag-Fix-out-of-bounds-access-to-sock_diag_hand.patch
+9fcb70f1b8e22ad83e959afc58a7332d 0002-net-fix-infinite-loop-in-__skb_recv_datagram.patch
 02ed0c981afbf6a1fc81d5fa9b44e7df kernelconfig.x86
 4927251c008b2c2bf5648d732ec63f9d kernelconfig.x86_64"
+sha256sums="4ab9a6ef1c1735713f9f659d67f92efa7c1dfbffb2a2ad544005b30f9791784f linux-3.6.tar.xz
+4bdc3822571a4a765bf6f347aad8b899730acef549ae4236813fd17f254f4327 patch-3.6.11.xz
+3949b8aff2f0c2e108f897f119c98c002937093baa54385d46baad19300954e1 patch-3.6.11-al3.patch
+09a266a5aeba727b29304f4ec41bc08962a71df931646cc6910c5555ffbee14c grsecurity-2.9.1-3.6.11-al1-unofficial-0.patch
+e2d2d1503f53572c6a2e21da729a13a430dd01f510405ffb3a33b29208860bde 0004-arp-flush-arp-cache-on-device-change.patch
+fdce1143aa10a48582b5bb9cf441b75c6f52701a61f28139970f3110a170fb97 r8169-num-rx-desc.patch
+c3673636d7604b7b3df665acc0fc0153a76ac6b7f36bb931d235ea1132ac1852 ipv4-remove-output-route-check-in-ipv4_mtu.patch
+2c5f4fc70c9e6c1be9890cd5e5a8c45cc500cc71c7faf8b8f7a7152b1e6bcf88 0001-r8169-remove-the-obsolete-and-incorrect-AMD-workarou.patch
+7ba9b10b04197d3009ad3facabd0bdb2cab870fabcc841716efb1041412a20cd r8169-fix-vlan-tag-reordering.patch
+99cf93e37985908243b974cc726f57e592e62ae005eca52969f11fb6fdea6fb5 xsa39-pvops-0001-xen-netback-shutdown-the-ring-if-it-contains-garbage.patch
+e0c4226b0910ca455f22ae117e8346d87053e9faf03ec155dd6c31e2f58a1969 xsa39-pvops-0002-xen-netback-don-t-leak-pages-on-failure-in-xen_netbk.patch
+70e6cb644a57cdda7f29eb86086a8e697706c3fc974a44c52322e451fd6b9d5c xsa39-pvops-0003-xen-netback-free-already-allocated-memory-on-failure.patch
+5d0db59bbd5ad3a7efae78a6c26fc2491b7c553e5519dd946d1422a116af73dd xsa39-pvops-0004-netback-correct-netbk_tx_err-to-handle-wrap-around.patch
+6efe83c9951dcba20f18095814d19089e19230c6876bbdab32cc2f1165bb07c8 xsa43-pvops.patch
+c8981bb73042f2a14a32c80e15f85d31e78c425808de437c455e0f4f90b17ec2 0001-sock_diag-Fix-out-of-bounds-access-to-sock_diag_hand.patch
+4aaf19e18a71a502ff12ebacaf7c8d0c14b4c3d46d88058dbce0cb567aed0f3c 0002-net-fix-infinite-loop-in-__skb_recv_datagram.patch
+c4236fa6150c9cba98280aadc2daccd917410148e06d2231cc8c5370d1735577 kernelconfig.x86
+3afefde6d92e1c41f6487c2279c5b707ef42ce42e4f7fe9e37d482c3e24ec3b1 kernelconfig.x86_64"
+sha512sums="6e3354184d1799228a2d33b92e4a6b743cc24352b8ccc1fd487fab07ab97be2aa03ba87b8406a177581692db1fd40674fbd4e213a782cbe0a6a969b10c4c17a1 linux-3.6.tar.xz
+08423f145ee7aef49f50d95032595ee79250135b6ecfa72f802502a277f215b63c4dc04ed149fe4ed7cdaa5ef063b8003b7f72f41d8417e45efbe7e30e621387 patch-3.6.11.xz
+8b9656c1b535dea4e32fcb9a6b44ae6c12548a262f40bd94ea81c4f475d301da20cbf0ab0eef77a61dcdddaad21b850858ddc1a03c741bf6f2ae285310f49508 patch-3.6.11-al3.patch
+f2b6735194597e9296f0fccd65bdbfd6f2489c40526294f00a1ad543e8cb3b0a41ceee26cd2f0cbfa31ec423927c5e693d63856e65c7ad8a79666176595aca8a grsecurity-2.9.1-3.6.11-al1-unofficial-0.patch
+b6fdf376009f0f0f3fa194cb11be97343e4d394cf5d3547de6cfca8ad619c5bd3f60719331fd8cfadc47f09d22be8376ba5f871b46b24887ea73fe47e233a54e 0004-arp-flush-arp-cache-on-device-change.patch
+d9c91b57415c7c3c365add35565f72ba6225e48212f55abb209e1f426902206543edefb9fc01715357e445b69222a6fb94c3469d701e465450919bad3c83d874 r8169-num-rx-desc.patch
+fbbaa9c940f70823f5672db04b78de71233ecdda83d0cbeaeac941d732b0e3b18be38a0ed85d7bd03818114d00d9fe00935532968bee5b4673e8fadfda8c0281 ipv4-remove-output-route-check-in-ipv4_mtu.patch
+55ebc903f2384926c7a0a9abbb685b1719d08363fa97deddbd6b632928d94956cdc0b4c75d4b0230d627a02baf249d57033820e0fb11ff6723faa904370a54c8 0001-r8169-remove-the-obsolete-and-incorrect-AMD-workarou.patch
+958f5dfb57b6760e92d39027e8ec8d0abc2d99f6b40ef3c108fe90acfe00f3d5fdc2ccebddeffbf70794f6d7a394d985adf40808c2d4c8f7d0591c589b88bbbc r8169-fix-vlan-tag-reordering.patch
+29bbd379a06dbb060871b089c9926cadc6e6a2cae141246386f98e5737436ff503b522f08e91bdfa220cf9610cfe19990375e395a2cb01e19cf9b4f37c59a7f1 xsa39-pvops-0001-xen-netback-shutdown-the-ring-if-it-contains-garbage.patch
+abb148ef92e516d9632912d10ce5d1f5c1425c25fc601a84cfd3a4ba10a374a7cc8ec38c4ad5d2ba815e17d8b2ce006ce364650aa0418b76b5dcdafd54194707 xsa39-pvops-0002-xen-netback-don-t-leak-pages-on-failure-in-xen_netbk.patch
+162885acbdea08dd6089d692fba65bacdcfc02e3617ce6b170b736167294bdb2a9b0eac5d33634fcafc91ca2acac9301e2bc9873aa70c43eba1107d3ae83c4ab xsa39-pvops-0003-xen-netback-free-already-allocated-memory-on-failure.patch
+61388dab7a572da5ea598ff430359007288901f00a7f6b243163dc901bf57a2270de8ef897e17273532aab9c08d5c7c2dbce58e6b85e7b3ca724ffe138559802 xsa39-pvops-0004-netback-correct-netbk_tx_err-to-handle-wrap-around.patch
+383c00a2520f0e27a4e51ef4e499cd8dc33f75ef4d3d5eab22944126c41de20dccf563d1d05cd557cae4091167de78f44ec5bfb76e33f503b36b5e3d756fcaed xsa43-pvops.patch
+025c948e157c1bbc0158fea124205792ecc0abc692ad862c14861a304492c0d2e1f931ad5c6434ba37ae9a8389e9cea0d5fd111f44e99f7dcb9336d7e4bfdb7b 0001-sock_diag-Fix-out-of-bounds-access-to-sock_diag_hand.patch
+c95a0c71cee924686185d138b15c94c7593ecac7afa48957204b16bd24b0fbf641fbefd2e18dd5e72eef33f8eb07c24240f5c64b8c73c0bc73d9dfcda44b237a 0002-net-fix-infinite-loop-in-__skb_recv_datagram.patch
+065fff74ab7f885a45d98a1cd2bc5aaf6cb9a08d830297aaab54b512b7c90d692e37101810ee36a1f26e757990f763b664788a858b3ab40d0b4821205b9d3995 kernelconfig.x86
+ba9a0b035a97089e51e0a0b723c69148866dabb4baf74c870a005350f7bfd789ab47595c7bc7e218de6d7479d16279cb906aee2ffeda9a6b141ad43ecc26dd4f kernelconfig.x86_64"
--
cgit v1.2.3