From: Greg Kroah-Hartman Date: Thu, 10 Feb 2022 18:21:17 +0000 (+0100) Subject: 5.10-stable patches X-Git-Tag: v4.9.301~3 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=263b95bdceae920af4d06cd91f629a7a26391d55;p=thirdparty%2Fkernel%2Fstable-queue.git 5.10-stable patches added patches: tipc-improve-size-validations-for-received-domain-records.patch
---
diff --git a/queue-5.10/series b/queue-5.10/series
index 3dec649e321..6c41a2f6f7e 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
@@ -1,3 +1,4 @@
 moxart-fix-potential-use-after-free-on-remove-path.patch
 kvm-s390-return-error-on-sida-memop-on-normal-guest.patch
 crypto-api-move-cryptomgr-soft-dependency-into-algapi.patch
+tipc-improve-size-validations-for-received-domain-records.patch
diff --git a/queue-5.10/tipc-improve-size-validations-for-received-domain-records.patch b/queue-5.10/tipc-improve-size-validations-for-received-domain-records.patch
new file mode 100644
index 00000000000..f02395873c0
--- /dev/null
+++ b/queue-5.10/tipc-improve-size-validations-for-received-domain-records.patch
@@ -0,0 +1,84 @@
+From 9aa422ad326634b76309e8ff342c246800621216 Mon Sep 17 00:00:00 2001
+From: Jon Maloy
+Date: Sat, 5 Feb 2022 14:11:18 -0500
+Subject: tipc: improve size validations for received domain records
+
+From: Jon Maloy
+
+commit 9aa422ad326634b76309e8ff342c246800621216 upstream.
+
+The function tipc_mon_rcv() allows a node to receive and process
+domain_record structs from peer nodes to track their views of the
+network topology.
+
+This patch verifies that the number of members in a received domain
+record does not exceed the limit defined by MAX_MON_DOMAIN, something
+that may otherwise lead to a stack overflow.
+
+tipc_mon_rcv() is called from the function tipc_link_proto_rcv(), where
+we are reading a 32 bit message data length field into a uint16. To
+avert any risk of bit overflow, we add an extra sanity check for this in
+that function. We cannot see that happen with the current code, but
+future designers being unaware of this risk, may introduce it by
+allowing delivery of very large (> 64k) sk buffers from the bearer
+layer. This potential problem was identified by Eric Dumazet.
+
+This fixes CVE-2022-0435
+
+Reported-by: Samuel Page
+Reported-by: Eric Dumazet
+Fixes: 35c55c9877f8 ("tipc: add neighbor monitoring framework")
+Signed-off-by: Jon Maloy
+Reviewed-by: Xin Long
+Reviewed-by: Samuel Page
+Reviewed-by: Eric Dumazet
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/tipc/link.c | 9 +++++++--
+ net/tipc/monitor.c | 2 ++
+ 2 files changed, 9 insertions(+), 2 deletions(-)
+
+--- a/net/tipc/link.c
++++ b/net/tipc/link.c
+@@ -2159,7 +2159,7 @@ static int tipc_link_proto_rcv(struct ti
+ struct tipc_msg *hdr = buf_msg(skb);
+ struct tipc_gap_ack_blks *ga = NULL;
+ bool reply = msg_probe(hdr), retransmitted = false;
+- u16 dlen = msg_data_sz(hdr), glen = 0;
++ u32 dlen = msg_data_sz(hdr), glen = 0;
+ u16 peers_snd_nxt = msg_next_sent(hdr);
+ u16 peers_tol = msg_link_tolerance(hdr);
+ u16 peers_prio = msg_linkprio(hdr);
+@@ -2173,6 +2173,10 @@ static int tipc_link_proto_rcv(struct ti
+ void *data;
+
+ trace_tipc_proto_rcv(skb, false, l->name);
++
++ if (dlen > U16_MAX)
++ goto exit;
++
+ if (tipc_link_is_blocked(l) || !xmitq)
+ goto exit;
+
+@@ -2268,7 +2272,8 @@ static int tipc_link_proto_rcv(struct ti
+
+ /* Receive Gap ACK blocks from peer if any */
+ glen = tipc_get_gap_ack_blks(&ga, l, hdr, true);
+-
++ if(glen > dlen)
++ break;
+ tipc_mon_rcv(l->net, data + glen, dlen - glen, l->addr,
+ &l->mon_state, l->bearer_id);
+
+--- a/net/tipc/monitor.c
++++ b/net/tipc/monitor.c
+@@ -465,6 +465,8 @@ void tipc_mon_rcv(struct net *net, void
+ state->probing = false;
+
+ /* Sanity check received domain record */
++ if (new_member_cnt > MAX_MON_DOMAIN)
++ return;
+ if (dlen < dom_rec_len(arrv_dom, 0))
+ return;
+ if (dlen != dom_rec_len(arrv_dom, new_member_cnt))
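Review bot: `if(glen > dlen)` in the `@@ -2268,7 +2272,8 @@` hunk of net/tipc/link.c is missing the space after `if` that kernel coding style expects (checkpatch flags it); `if (glen > dlen)` would match the `if (dlen > U16_MAX)` guard added earlier in the same function. That `U16_MAX` guard is what keeps the later `dlen - glen` argument to tipc_mon_rcv() within the narrower length the commit message says that function takes, which a reader of the call site will not see; a one-line comment above it, `/* dlen is read from a 32-bit header field; lengths above U16_MAX are never valid here */`, would keep the reasoning next to the code rather than only in the changelog. In net/tipc/monitor.c the new `new_member_cnt > MAX_MON_DOMAIN` check is placed ahead of the minimum-length check; that ordering is presumably deliberate, but a short comment naming what the bound protects (per the commit message, the stack-resident domain sized by MAX_MON_DOMAIN) would make the guard self-explanatory. tipc_link_proto_rcv() and tipc_mon_rcv() both begin and end outside the quoted hunks, and tipc_mon_rcv()'s parameter list is cut off in its hunk header, so the exact type of its length parameter is inferred from the commit message rather than visible here.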