tipc: check minimum bearer MTU

commit 3de81b7588 upstream. Qian Zhang (张谦) reported a potential socket buffer overflow in tipc_msg_build() which is also known as CVE-2016-8632: due to insufficient checks, a buffer overflow can occur if MTU is too short for even tipc headers. As anyone can set device MTU in a user/net namespace, this issue can be abused by a regular user. As agreed in the discussion on Ben Hutchings' original patch, we should check the MTU at the moment a bearer is attached rather than for each processed packet. We also need to repeat the check when bearer MTU is adjusted to new device MTU. UDP case also needs a check to avoid overflow when calculating bearer MTU. Fixes: b97bf3fd8f ("[TIPC] Initial merge") Signed-off-by: Michal Kubecek <mkubecek@suse.cz> Reported-by: Qian Zhang (张谦) <zhangqian-c@360.cn> Acked-by: Ying Xue <ying.xue@windriver.com> Signed-off-by: David S. Miller <davem@davemloft.net> [bwh: Backported to 3.2: - Adjust filename, context - Duplicate macro definitions in bearer.h to avoid mutual inclusion - NETDEV_CHANGEMTU and NETDEV_CHANGEADDR cases in net notifier were combined - Drop changes in udp_media.c] Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
2016-12-02 09:33:41 +01:00
parent a9aaf8204f
commit 29273d459f
2 changed files with 26 additions and 2 deletions
--- a/net/tipc/bearer.h
+++ b/net/tipc/bearer.h
@ -47,6 +47,13 @@
 */
 #define TIPC_MEDIA_TYPE_ETH	1

+/* Message header sizes from msg.h - duplicated to avoid mutual inclusion */
+#define INT_H_SIZE                40
+#define MAX_H_SIZE                60
+
+/* minimum bearer MTU */
+#define TIPC_MIN_BEARER_MTU	(MAX_H_SIZE + INT_H_SIZE)
+
 /*
 * Destination address structure used by TIPC bearers when sending messages
 *
@ -209,4 +216,13 @@ static inline int tipc_bearer_send(struct tipc_bearer *b_ptr,
 	return !b_ptr->media->send_msg(buf, b_ptr, dest);
 }

+/* check if device MTU is too low for tipc headers */
+static inline bool tipc_mtu_bad(struct net_device *dev, unsigned int reserve)
+{
+	if (dev->mtu >= TIPC_MIN_BEARER_MTU + reserve)
+		return false;
+	netdev_warn(dev, "MTU too low for tipc bearer\n");
+	return true;
+}
+
 #endif	/* _TIPC_BEARER_H */
--- a/net/tipc/eth_media.c
+++ b/net/tipc/eth_media.c
@ -167,6 +167,10 @@ static int enable_bearer(struct tipc_bearer *tb_ptr)
 	read_unlock(&dev_base_lock);
 	if (!dev)
 		return -ENODEV;
+	if (tipc_mtu_bad(dev, 0)) {
+		dev_put(dev);
+		return -EINVAL;
+	}

 	/* Create Ethernet bearer for device */

@ -227,8 +231,6 @@ static int recv_notification(struct notifier_block *nb, unsigned long evt,
 	if (!eb_ptr->bearer)
 		return NOTIFY_DONE;		/* bearer had been disabled */

-	eb_ptr->bearer->mtu = dev->mtu;
-
 	switch (evt) {
 	case NETDEV_CHANGE:
 		if (netif_carrier_ok(dev))
@ -243,6 +245,12 @@ static int recv_notification(struct notifier_block *nb, unsigned long evt,
 		tipc_block_bearer(eb_ptr->bearer->name);
 		break;
 	case NETDEV_CHANGEMTU:
+		if (tipc_mtu_bad(dev, 0)) {
+			tipc_disable_bearer(eb_ptr->bearer->name);
+			break;
+		}
+		eb_ptr->bearer->mtu = dev->mtu;
+		/* fall through */
 	case NETDEV_CHANGEADDR:
 		tipc_block_bearer(eb_ptr->bearer->name);
 		tipc_continue(eb_ptr->bearer);