5.4-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 10 Feb 2022 18:20:58 +0000 (19:20 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 10 Feb 2022 18:20:58 +0000 (19:20 +0100)
added patches:
tipc-improve-size-validations-for-received-domain-records.patch

queue-5.4/series
queue-5.4/tipc-improve-size-validations-for-received-domain-records.patch [new file with mode: 0644]

index ff12c79e2b1385e6cd4045ad7d01733b180eaa79..4ff70a9bafd36a29b9953bd5605433350a1a16bc 100644 (file)
@@ -1 +1,2 @@
 moxart-fix-potential-use-after-free-on-remove-path.patch
+tipc-improve-size-validations-for-received-domain-records.patch
diff --git a/queue-5.4/tipc-improve-size-validations-for-received-domain-records.patch b/queue-5.4/tipc-improve-size-validations-for-received-domain-records.patch
new file mode 100644 (file)
index 0000000..c08f065
--- /dev/null
@@ -0,0 +1,85 @@
+From 9aa422ad326634b76309e8ff342c246800621216 Mon Sep 17 00:00:00 2001
+From: Jon Maloy <jmaloy@redhat.com>
+Date: Sat, 5 Feb 2022 14:11:18 -0500
+Subject: tipc: improve size validations for received domain records
+
+From: Jon Maloy <jmaloy@redhat.com>
+
+commit 9aa422ad326634b76309e8ff342c246800621216 upstream.
+
+The function tipc_mon_rcv() allows a node to receive and process
+domain_record structs from peer nodes to track their views of the
+network topology.
+
+This patch verifies that the number of members in a received domain
+record does not exceed the limit defined by MAX_MON_DOMAIN, something
+that may otherwise lead to a stack overflow.
+
+tipc_mon_rcv() is called from the function tipc_link_proto_rcv(), where
+we are reading a 32 bit message data length field into a uint16.  To
+avert any risk of bit overflow, we add an extra sanity check for this in
+that function.  We cannot see that happen with the current code, but
+future designers being unaware of this risk, may introduce it by
+allowing delivery of very large (> 64k) sk buffers from the bearer
+layer.  This potential problem was identified by Eric Dumazet.
+
+This fixes CVE-2022-0435
+
+Reported-by: Samuel Page <samuel.page@appgate.com>
+Reported-by: Eric Dumazet <edumazet@google.com>
+Fixes: 35c55c9877f8 ("tipc: add neighbor monitoring framework")
+Signed-off-by: Jon Maloy <jmaloy@redhat.com>
+Reviewed-by: Xin Long <lucien.xin@gmail.com>
+Reviewed-by: Samuel Page <samuel.page@appgate.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/tipc/link.c    |   10 +++++++---
+ net/tipc/monitor.c |    2 ++
+ 2 files changed, 9 insertions(+), 3 deletions(-)
+
+--- a/net/tipc/link.c
++++ b/net/tipc/link.c
+@@ -1953,15 +1953,18 @@ static int tipc_link_proto_rcv(struct ti
+       u16 peers_tol = msg_link_tolerance(hdr);
+       u16 peers_prio = msg_linkprio(hdr);
+       u16 rcv_nxt = l->rcv_nxt;
+-      u16 dlen = msg_data_sz(hdr);
++      u32 dlen = msg_data_sz(hdr), glen = 0;
+       int mtyp = msg_type(hdr);
+       bool reply = msg_probe(hdr);
+-      u16 glen = 0;
+       void *data;
+       char *if_name;
+       int rc = 0;
+       trace_tipc_proto_rcv(skb, false, l->name);
++
++      if (dlen > U16_MAX)
++              goto exit;
++
+       if (tipc_link_is_blocked(l) || !xmitq)
+               goto exit;
+@@ -2063,7 +2066,8 @@ static int tipc_link_proto_rcv(struct ti
+                       if (glen != tipc_gap_ack_blks_sz(ga->gack_cnt))
+                               ga = NULL;
+               }
+-
++              if(glen > dlen)
++                      break;
+               tipc_mon_rcv(l->net, data + glen, dlen - glen, l->addr,
+                            &l->mon_state, l->bearer_id);
+--- a/net/tipc/monitor.c
++++ b/net/tipc/monitor.c
+@@ -457,6 +457,8 @@ void tipc_mon_rcv(struct net *net, void
+       state->probing = false;
+       /* Sanity check received domain record */
++      if (new_member_cnt > MAX_MON_DOMAIN)
++              return;
+       if (dlen < dom_rec_len(arrv_dom, 0))
+               return;
+       if (dlen != dom_rec_len(arrv_dom, new_member_cnt))