4.9-stable patches

added patches:
	tipc-improve-size-validations-for-received-domain-records.patch

diff --git a/queue-4.9/series b/queue-4.9/series
index 8a9e665bdadc590de836c14e9a308e6fa200c1fc..996c596d4c6cf7cf5c38850781de95ad3313d0fd 100644 (file)
--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -1,2 +1,3 @@
 cgroup-v1-require-capabilities-to-set-release_agent.patch
 moxart-fix-potential-use-after-free-on-remove-path.patch
+tipc-improve-size-validations-for-received-domain-records.patch

diff --git a/queue-4.9/tipc-improve-size-validations-for-received-domain-records.patch b/queue-4.9/tipc-improve-size-validations-for-received-domain-records.patch
new file mode 100644 (file)
index 0000000..d2ad842
--- /dev/null
+++ b/queue-4.9/tipc-improve-size-validations-for-received-domain-records.patch
@@ -0,0 +1,71 @@
+From 9aa422ad326634b76309e8ff342c246800621216 Mon Sep 17 00:00:00 2001
+From: Jon Maloy <jmaloy@redhat.com>
+Date: Sat, 5 Feb 2022 14:11:18 -0500
+Subject: tipc: improve size validations for received domain records
+
+From: Jon Maloy <jmaloy@redhat.com>
+
+commit 9aa422ad326634b76309e8ff342c246800621216 upstream.
+
+The function tipc_mon_rcv() allows a node to receive and process
+domain_record structs from peer nodes to track their views of the
+network topology.
+
+This patch verifies that the number of members in a received domain
+record does not exceed the limit defined by MAX_MON_DOMAIN, something
+that may otherwise lead to a stack overflow.
+
+tipc_mon_rcv() is called from the function tipc_link_proto_rcv(), where
+we are reading a 32 bit message data length field into a uint16.  To
+avert any risk of bit overflow, we add an extra sanity check for this in
+that function.  We cannot see that happen with the current code, but
+future designers being unaware of this risk, may introduce it by
+allowing delivery of very large (> 64k) sk buffers from the bearer
+layer.  This potential problem was identified by Eric Dumazet.
+
+This fixes CVE-2022-0435
+
+Reported-by: Samuel Page <samuel.page@appgate.com>
+Reported-by: Eric Dumazet <edumazet@google.com>
+Fixes: 35c55c9877f8 ("tipc: add neighbor monitoring framework")
+Signed-off-by: Jon Maloy <jmaloy@redhat.com>
+Reviewed-by: Xin Long <lucien.xin@gmail.com>
+Reviewed-by: Samuel Page <samuel.page@appgate.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/tipc/link.c    |    5 ++++-
+ net/tipc/monitor.c |    2 ++
+ 2 files changed, 6 insertions(+), 1 deletion(-)
+
+--- a/net/tipc/link.c
++++ b/net/tipc/link.c
+@@ -1441,12 +1441,15 @@ static int tipc_link_proto_rcv(struct ti
+       u16 peers_tol = msg_link_tolerance(hdr);
+       u16 peers_prio = msg_linkprio(hdr);
+       u16 rcv_nxt = l->rcv_nxt;
+-      u16 dlen = msg_data_sz(hdr);
++      u32 dlen = msg_data_sz(hdr);
+       int mtyp = msg_type(hdr);
+       void *data;
+       char *if_name;
+       int rc = 0;
+ 
++      if (dlen > U16_MAX)
++              goto exit;
++
+       if (tipc_link_is_blocked(l) || !xmitq)
+               goto exit;
+ 
+--- a/net/tipc/monitor.c
++++ b/net/tipc/monitor.c
+@@ -457,6 +457,8 @@ void tipc_mon_rcv(struct net *net, void
+       state->probing = false;
+ 
+       /* Sanity check received domain record */
++      if (new_member_cnt > MAX_MON_DOMAIN)
++              return;
+       if (dlen < dom_rec_len(arrv_dom, 0))
+               return;
+       if (dlen != dom_rec_len(arrv_dom, new_member_cnt))