From: Greg Kroah-Hartman Date: Sat, 26 Jan 2019 10:38:23 +0000 (+0100) Subject: 3.18-stable patches X-Git-Tag: v4.9.154~68 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=914a5b566291d86755a3740a8e65706f493ce8fe;p=thirdparty%2Fkernel%2Fstable-queue.git 3.18-stable patches added patches: openvswitch-avoid-oob-read-when-parsing-flow-nlattrs.patch --- diff --git a/queue-3.18/openvswitch-avoid-oob-read-when-parsing-flow-nlattrs.patch b/queue-3.18/openvswitch-avoid-oob-read-when-parsing-flow-nlattrs.patch new file mode 100644 index 00000000000..fa4bd1d01c8 --- /dev/null +++ b/queue-3.18/openvswitch-avoid-oob-read-when-parsing-flow-nlattrs.patch @@ -0,0 +1,34 @@ +From foo@baz Sat Jan 26 11:30:37 CET 2019 +From: Ross Lagerwall +Date: Mon, 14 Jan 2019 09:16:56 +0000 +Subject: openvswitch: Avoid OOB read when parsing flow nlattrs + +From: Ross Lagerwall + +[ Upstream commit 04a4af334b971814eedf4e4a413343ad3287d9a9 ] + +For nested and variable attributes, the expected length of an attribute +is not known and marked by a negative number. This results in an OOB +read when the expected length is later used to check if the attribute is +all zeros. Fix this by using the actual length of the attribute rather +than the expected length. + +Signed-off-by: Ross Lagerwall +Acked-by: Pravin B Shelar +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/openvswitch/flow_netlink.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/openvswitch/flow_netlink.c ++++ b/net/openvswitch/flow_netlink.c +@@ -314,7 +314,7 @@ static int __parse_flow_nlattrs(const st + return -EINVAL; + } + +- if (!nz || !is_all_zero(nla_data(nla), expected_len)) { ++ if (!nz || !is_all_zero(nla_data(nla), nla_len(nla))) { + attrs |= 1 << type; + a[type] = nla; + } diff --git a/queue-3.18/series b/queue-3.18/series new file mode 100644 index 00000000000..f3b12ce7d64 --- /dev/null +++ b/queue-3.18/series 
@@ -0,0 +1 @@ +openvswitch-avoid-oob-read-when-parsing-flow-nlattrs.patch
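Review bot: in the `__parse_flow_nlattrs` hunk of net/openvswitch/flow_netlink.c, the changed `is_all_zero(nla_data(nla), nla_len(nla))` call carries no comment saying why `expected_len` must not be used as the length there. The commit message explains that nested and variable attributes mark their expected length with a negative number, so a one-line comment above the `if (!nz || ...)` test stating that would keep a later cleanup from reintroducing the out-of-bounds read. The changelog also has no Fixes: tag, so the patch does not show which commit introduced the bad length argument or whether the 3.18 tree this is queued for contains it. Naming that commit in the queue entry would make the backport easier to audit.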