* [PATCH 4.4 0/4] CVE fixes for 4.4
From: Juerg Haefliger @ 2016-08-29 13:38 UTC
To: stable, gregkh; +Cc: juerg.haefliger
This patch series fixes the following CVEs in the 4.4 kernel:
- CVE-2016-0758
- CVE-2016-5243
- CVE-2016-5244
- CVE-2016-6130
David Howells (1):
KEYS: Fix ASN.1 indefinite length object parsing
Kangjie Lu (2):
tipc: fix an infoleak in tipc_nl_compat_link_dump
rds: fix an infoleak in rds_inc_info_copy
Martin Schwidefsky (1):
s390/sclp_ctl: fix potential information leak with /dev/sclp
drivers/s390/char/sclp_ctl.c | 12 +++++++-----
lib/asn1_decoder.c | 16 +++++++++-------
net/rds/recv.c | 2 ++
net/tipc/netlink_compat.c | 3 ++-
4 files changed, 20 insertions(+), 13 deletions(-)
--
2.9.3
* [PATCH 4.4 1/4] KEYS: Fix ASN.1 indefinite length object parsing
From: Juerg Haefliger @ 2016-08-29 13:38 UTC
To: stable, gregkh; +Cc: juerg.haefliger
From: David Howells <dhowells@redhat.com>
commit 23c8a812dc3c621009e4f0e5342aa4e2ede1ceaa upstream.
This fixes CVE-2016-0758.
In the ASN.1 decoder, when the length field of an ASN.1 value is extracted,
it isn't validated against the remaining amount of data before being added
to the cursor. With a sufficiently large size indicated, the check:
datalen - dp < 2
may then fail due to integer overflow.
Fix this by checking the length indicated against the amount of remaining
data in both places a definite length is determined.
Whilst we're at it, make the following changes:
(1) Check the maximum size of extended length does not exceed the capacity
of the variable it's being stored in (len) rather than the type that
variable is assumed to be (size_t).
(2) Compare the EOC tag to the symbolic constant ASN1_EOC rather than the
integer 0.
(3) To reduce confusion, move the initialisation of len outside of:
for (len = 0; n > 0; n--) {
since it doesn't have anything to do with the loop counter n.
Signed-off-by: David Howells <dhowells@redhat.com>
Reviewed-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Acked-by: David Woodhouse <David.Woodhouse@intel.com>
Acked-by: Peter Jones <pjones@redhat.com>
Signed-off-by: Juerg Haefliger <juerg.haefliger@hpe.com>
---
lib/asn1_decoder.c | 16 +++++++++-------
1 file changed, 9 insertions(+), 7 deletions(-)
diff --git a/lib/asn1_decoder.c b/lib/asn1_decoder.c
index 2b3f46c049d4..554522934c44 100644
--- a/lib/asn1_decoder.c
+++ b/lib/asn1_decoder.c
@@ -74,7 +74,7 @@ next_tag:
/* Extract a tag from the data */
tag = data[dp++];
- if (tag == 0) {
+ if (tag == ASN1_EOC) {
/* It appears to be an EOC. */
if (data[dp++] != 0)
goto invalid_eoc;
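Review bot: the symbolic-constant treatment stops at the tag octet; two lines below, `if (data[dp++] != 0)` still tests the second EOC octet (its zero length byte) against a bare literal, and a short comment saying that this is the EOC's length octet would keep the two checks readable side by side. That second unchecked read also stays in bounds only because of the `datalen - dp < 2` test the commit message cites, which sits before this hunk and is not visible here; worth confirming it guards every path that reaches next_tag.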
@@ -96,10 +96,8 @@ next_tag:
/* Extract the length */
len = data[dp++];
- if (len <= 0x7f) {
- dp += len;
- goto next_tag;
- }
+ if (len <= 0x7f)
+ goto check_length;
if (unlikely(len == ASN1_INDEFINITE_LENGTH)) {
/* Indefinite length */
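Review bot: the `goto check_length` at the end of the short-form branch jumps past the indefinite-length and long-form handling to a label introduced only in the next hunk; a one-line comment such as `/* short form: still bounds-checked below */` would spare the reader the cross-hunk lookup and make clear that dropping `dp += len` here is deliberate, since the cursor is now advanced only after the length has been validated.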
@@ -110,14 +108,18 @@ next_tag:
}
n = len - 0x80;
- if (unlikely(n > sizeof(size_t) - 1))
+ if (unlikely(n > sizeof(len) - 1))
goto length_too_long;
if (unlikely(n > datalen - dp))
goto data_overrun_error;
- for (len = 0; n > 0; n--) {
+ len = 0;
+ for (; n > 0; n--) {
len <<= 8;
len |= data[dp++];
}
+check_length:
+ if (len > datalen - dp)
+ goto data_overrun_error;
dp += len;
goto next_tag;
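Review bot: the `len > datalen - dp` test at check_length is the actual CVE fix, and it is sound only because dp <= datalen holds at that point: the length octets were bounded by `n > datalen - dp` before the loop, and the single octet read earlier is covered by the `datalen - dp < 2` test the changelog describes. A comment stating that invariant next to the label would help future readers. Two smaller points: `n > sizeof(len) - 1` now rejects encodings that use all sizeof(len) length octets, which is harmless for DER but is a behaviour change the changelog could state explicitly, and the moved `len = 0;` is a readability-only change, correctly presented as such in item (3).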
--
2.9.3
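The bounds logic of the decoder fix above, as an added stand-alone example that is not the kernel's code: a small DER length decoder that applies the same three checks in the same order (length octet count bounded by `sizeof(len)`, length octets present before they are read, and the content length compared against the remaining bytes before the cursor is advanced), plus a walker that skips over a buffer of TLVs using it. All names (`der_*`, the status enum, the sample buffers) and the sample inputs are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Status codes for the example decoder (this example's own names). */
enum der_len_status {
	DER_LEN_OK = 0,
	DER_LEN_INDEFINITE,	/* 0x80: indefinite form, caller must look for EOC */
	DER_LEN_TOO_LONG,	/* more length octets than fit in a size_t */
	DER_LEN_OVERRUN,	/* length octets or content would pass the buffer end */
};

/*
 * Decode the DER length starting at data[*dp].  On DER_LEN_OK, *dp has been
 * advanced past the length octets and *len_out <= datalen - *dp, so a caller
 * may do dp += len without wrapping.  Every read is checked against datalen.
 */
enum der_len_status der_decode_length(const unsigned char *data, size_t datalen,
				      size_t *dp, size_t *len_out)
{
	size_t len, n;

	if (*dp >= datalen)
		return DER_LEN_OVERRUN;
	len = data[(*dp)++];
	if (len <= 0x7f)
		goto check_length;		/* short form: still needs the check */
	if (len == 0x80)
		return DER_LEN_INDEFINITE;	/* ASN1_INDEFINITE_LENGTH upstream */

	n = len - 0x80;				/* number of length octets */
	/* Bound n by the variable that receives it, as the fix does with sizeof(len). */
	if (n > sizeof(len) - 1)
		return DER_LEN_TOO_LONG;
	/* The length octets themselves must be present before we read them. */
	if (n > datalen - *dp)
		return DER_LEN_OVERRUN;
	len = 0;
	for (; n > 0; n--) {
		len <<= 8;
		len |= data[(*dp)++];
	}
check_length:
	/* The CVE-2016-0758 fix: compare against the remaining bytes instead of
	 * adding an unchecked len to the cursor and testing the wrapped result. */
	if (len > datalen - *dp)
		return DER_LEN_OVERRUN;
	*len_out = len;
	return DER_LEN_OK;
}

/* Walk a buffer of primitive single-byte-tag TLVs.  Returns the element
 * count, or -1 if any length is malformed.  Mirrors the skip path in the fix. */
int der_count_tlvs(const unsigned char *data, size_t datalen)
{
	size_t dp = 0, len;
	int count = 0;

	while (dp < datalen) {
		dp++;				/* consume the tag octet */
		if (der_decode_length(data, datalen, &dp, &len) != DER_LEN_OK)
			return -1;
		dp += len;			/* cannot pass datalen: checked above */
		count++;
	}
	return count;
}

/* Status of the length that follows the first tag octet of a buffer. */
enum der_len_status der_first_length_status(const unsigned char *data, size_t datalen)
{
	size_t dp = 1, len;

	return der_decode_length(data, datalen, &dp, &len);
}

/* Constructed sample inputs (not taken from the page). */
const unsigned char der_sample_good[]    = { 0x04, 0x03, 'a', 'b', 'c', 0x02, 0x01, 0x05 };
const unsigned char der_sample_long[]    = { 0x04, 0x81, 0x02, 'a', 'b' };	/* long form, 1 octet */
const unsigned char der_sample_short_overrun[] = { 0x04, 0x05, 'a' };		/* claims 5, has 1 */
const unsigned char der_sample_huge[]    = { 0x04, 0x84, 0xff, 0xff, 0xff, 0xff };	/* 4 GiB claimed */
const unsigned char der_sample_toolong[] = { 0x04, 0x89, 0x00 };		/* 9 length octets */
const unsigned char der_sample_indef[]   = { 0x30, 0x80, 0x00, 0x00 };

int main(void)
{
	printf("good: %d elements\n", der_count_tlvs(der_sample_good, sizeof(der_sample_good)));
	printf("huge: status %d\n", der_first_length_status(der_sample_huge, sizeof(der_sample_huge)));
	printf("toolong: status %d\n", der_first_length_status(der_sample_toolong, sizeof(der_sample_toolong)));
	return 0;
}
```

The `der_sample_huge` input is the shape the changelog describes: a length field far larger than the buffer. With the check at `check_length` it is rejected as an overrun before the cursor moves; without it, `dp += len` would carry the cursor past the end and a later unsigned `datalen - dp` comparison would wrap.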
* [PATCH 4.4 2/4] tipc: fix an infoleak in tipc_nl_compat_link_dump
From: Juerg Haefliger @ 2016-08-29 13:38 UTC
To: stable, gregkh; +Cc: juerg.haefliger
From: Kangjie Lu <kangjielu@gmail.com>
commit 5d2be1422e02ccd697ccfcd45c85b4a26e6178e2 upstream.
This fixes CVE-2016-5243.
link_info.str is a char array of size 60. Memory after the NULL
byte is not initialized. Sending the whole object out can cause
a leak.
Signed-off-by: Kangjie Lu <kjlu@gatech.edu>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Juerg Haefliger <juerg.haefliger@hpe.com>
---
net/tipc/netlink_compat.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/tipc/netlink_compat.c b/net/tipc/netlink_compat.c
index 2ed732bfe94b..f4f27c7c54fb 100644
--- a/net/tipc/netlink_compat.c
+++ b/net/tipc/netlink_compat.c
@@ -574,7 +574,8 @@ static int tipc_nl_compat_link_dump(struct tipc_nl_compat_msg *msg,
link_info.dest = nla_get_flag(link[TIPC_NLA_LINK_DEST]);
link_info.up = htonl(nla_get_flag(link[TIPC_NLA_LINK_UP]));
- strcpy(link_info.str, nla_data(link[TIPC_NLA_LINK_NAME]));
+ nla_strlcpy(link_info.str, nla_data(link[TIPC_NLA_LINK_NAME]),
+ TIPC_MAX_LINK_NAME);
return tipc_add_tlv(msg->rep, TIPC_TLV_LINK_INFO,
&link_info, sizeof(link_info));
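Review bot: the second argument looks wrong: `nla_strlcpy()` takes `const struct nlattr *`, but the hunk passes `nla_data(link[TIPC_NLA_LINK_NAME])`, the attribute payload, and the `void *` converts silently, so nla_strlcpy would read the name bytes as an attribute header; pass `link[TIPC_NLA_LINK_NAME]` itself. Two changelog points as well: the change also removes an unbounded `strcpy` into the 60-byte array, and it is nla_strlcpy's zero-filling of the unused tail of the destination (unlike strlcpy) that closes the leak. If TIPC_MAX_LINK_NAME is meant to equal sizeof(link_info.str), passing `sizeof(link_info.str)` would keep the bound tied to the array being written.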
--
2.9.3
* [PATCH 4.4 3/4] rds: fix an infoleak in rds_inc_info_copy
From: Juerg Haefliger @ 2016-08-29 13:38 UTC
To: stable, gregkh; +Cc: juerg.haefliger
From: Kangjie Lu <kangjielu@gmail.com>
commit 4116def2337991b39919f3b448326e21c40e0dbb upstream.
This fixes CVE-2016-5244.
The last field "flags" of object "minfo" is not initialized.
Copying this object out may leak kernel stack data.
Assign 0 to it to avoid leak.
Signed-off-by: Kangjie Lu <kjlu@gatech.edu>
Acked-by: Santosh Shilimkar <santosh.shilimkar@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Juerg Haefliger <juerg.haefliger@hpe.com>
---
net/rds/recv.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/net/rds/recv.c b/net/rds/recv.c
index a00462b0d01d..0514af3ab378 100644
--- a/net/rds/recv.c
+++ b/net/rds/recv.c
@@ -545,5 +545,7 @@ void rds_inc_info_copy(struct rds_incoming *inc,
minfo.fport = inc->i_hdr.h_dport;
}
+ minfo.flags = 0;
+
rds_info_copy(iter, &minfo, sizeof(minfo));
}
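Review bot: zeroing only `minfo.flags` fixes the field the changelog names, but any padding bytes in the struct, or a field added later, would reopen the same leak through the unchanged `rds_info_copy(iter, &minfo, sizeof(minfo))`; a `memset(&minfo, 0, sizeof(minfo))` or `= {}` initialiser at the declaration (outside this hunk) would be the more durable fix, and the changelog could state whether struct padding was considered.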
--
2.9.3
* [PATCH 4.4 4/4] s390/sclp_ctl: fix potential information leak with /dev/sclp
From: Juerg Haefliger @ 2016-08-29 13:39 UTC
To: stable, gregkh; +Cc: juerg.haefliger
From: Martin Schwidefsky <schwidefsky@de.ibm.com>
commit 532c34b5fbf1687df63b3fcd5b2846312ac943c6 upstream.
This fixes CVE-2016-6130.
The sclp_ctl_ioctl_sccb function uses two copy_from_user calls to
retrieve the sclp request from user space. The first copy_from_user
fetches the length of the request which is stored in the first two
bytes of the request. The second copy_from_user gets the complete
sclp request, but this copies the length field a second time.
A malicious user may have changed the length in the meantime.
Reported-by: Pengfei Wang <wpengfeinudt@gmail.com>
Reviewed-by: Michael Holzheu <holzheu@linux.vnet.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Signed-off-by: Juerg Haefliger <juerg.haefliger@hpe.com>
---
drivers/s390/char/sclp_ctl.c | 12 +++++++-----
1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/drivers/s390/char/sclp_ctl.c b/drivers/s390/char/sclp_ctl.c
index 648cb86afd42..ea607a4a1bdd 100644
--- a/drivers/s390/char/sclp_ctl.c
+++ b/drivers/s390/char/sclp_ctl.c
@@ -56,6 +56,7 @@ static int sclp_ctl_ioctl_sccb(void __user *user_area)
{
struct sclp_ctl_sccb ctl_sccb;
struct sccb_header *sccb;
+ unsigned long copied;
int rc;
if (copy_from_user(&ctl_sccb, user_area, sizeof(ctl_sccb)))
@@ -65,14 +66,15 @@ static int sclp_ctl_ioctl_sccb(void __user *user_area)
sccb = (void *) get_zeroed_page(GFP_KERNEL | GFP_DMA);
if (!sccb)
return -ENOMEM;
- if (copy_from_user(sccb, u64_to_uptr(ctl_sccb.sccb), sizeof(*sccb))) {
+ copied = PAGE_SIZE -
+ copy_from_user(sccb, u64_to_uptr(ctl_sccb.sccb), PAGE_SIZE);
+ if (offsetof(struct sccb_header, length) +
+ sizeof(sccb->length) > copied || sccb->length > copied) {
rc = -EFAULT;
goto out_free;
}
- if (sccb->length > PAGE_SIZE || sccb->length < 8)
- return -EINVAL;
- if (copy_from_user(sccb, u64_to_uptr(ctl_sccb.sccb), sccb->length)) {
- rc = -EFAULT;
+ if (sccb->length < 8) {
+ rc = -EINVAL;
goto out_free;
}
rc = sclp_sync_request(ctl_sccb.cmdw, sccb);
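Review bot: besides removing the double fetch, this hunk also fixes a memory leak the removed lines show: the old `return -EINVAL` after `get_zeroed_page()` skipped out_free, whereas the new `rc = -EINVAL; goto out_free;` releases the page; the changelog should mention it. The validation order is right: the `||` short-circuits, so `sccb->length` is read only once `copied` is known to cover the length field, and a partial copy_from_user is tolerated as long as the declared length lies within the bytes actually copied. One nit: a short comment that copy_from_user() returns the number of bytes not copied would make the two-line `copied = PAGE_SIZE - ...` self-explanatory.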
--
2.9.3
* Re: [PATCH 4.4 0/4] CVE fixes for 4.4
From: Juerg Haefliger @ 2016-09-07 10:50 UTC
To: gregkh; +Cc: stable, linux-kernel, grant.likely
Hi Greg,
Did you have a chance to look at the below 4 patches?
Did I do something wrong when submitting them or are there other reasons not to include them in the 4.4 kernel?
Btw, they still apply on top of 4.4.20.
Thanks
...Juerg
On 08/29/2016 03:38 PM, Juerg Haefliger wrote:
> This patch series fixes the following CVEs in the 4.4 kernel:
> - CVE-2016-0758
> - CVE-2016-5243
> - CVE-2016-5244
> - CVE-2016-6130
>
> David Howells (1):
> KEYS: Fix ASN.1 indefinite length object parsing
>
> Kangjie Lu (2):
> tipc: fix an infoleak in tipc_nl_compat_link_dump
> rds: fix an infoleak in rds_inc_info_copy
>
> Martin Schwidefsky (1):
> s390/sclp_ctl: fix potential information leak with /dev/sclp
>
> drivers/s390/char/sclp_ctl.c | 12 +++++++-----
> lib/asn1_decoder.c | 16 +++++++++-------
> net/rds/recv.c | 2 ++
> net/tipc/netlink_compat.c | 3 ++-
> 4 files changed, 20 insertions(+), 13 deletions(-)
>
--
Juerg Haefliger
Hewlett Packard Enterprise
* Re: [PATCH 4.4 0/4] CVE fixes for 4.4
From: Greg KH @ 2016-09-07 10:57 UTC
To: Juerg Haefliger; +Cc: stable, linux-kernel, grant.likely
On Wed, Sep 07, 2016 at 12:50:13PM +0200, Juerg Haefliger wrote:
> Hi Greg,
>
> Did you have a chance to look at the below 4 patches?
Not yet, I have over 300 pending patches for the stable kernels to work
through at the moment. Don't worry, these aren't lost, just sitting in
the middle of all of them :)
thanks,
greg k-h
* Re: [PATCH 4.4 0/4] CVE fixes for 4.4
From: Greg KH @ 2016-09-09 14:24 UTC
To: Juerg Haefliger; +Cc: stable
On Mon, Aug 29, 2016 at 03:38:56PM +0200, Juerg Haefliger wrote:
> This patch series fixes the following CVEs in the 4.4 kernel:
> - CVE-2016-0758
> - CVE-2016-5243
> - CVE-2016-5244
> - CVE-2016-6130
The first two patches came in through a different request before yours,
but the second two here are now applied, so all should be fine in the
next releases.
thanks,
greg k-h