24 Mar, 2017 3 commits
      xfrm_user: validate XFRM_MSG_NEWAE incoming ESN size harder · e51e1648
      Andy Whitcroft authored
      Kees Cook has pointed out that xfrm_replay_state_esn_len() is subject to
      wrapping issues.  To ensure we are correctly ensuring that the two ESN
      structures are the same size compare both the overall size as reported
      by xfrm_replay_state_esn_len() and the internal length are the same.
      
      CVE-2017-7184
      Signed-off-by: Andy Whitcroft <apw@canonical.com>
      xfrm_user: validate XFRM_MSG_NEWAE XFRMA_REPLAY_ESN_VAL replay_window · 81b0ca30
      Andy Whitcroft authored
      When a new xfrm state is created during an XFRM_MSG_NEWSA call we validate
      the user supplied replay_esn to ensure that the size is valid and to ensure
      that the replay_window size is within the allocated buffer.  However later
      it is possible to update this replay_esn via a XFRM_MSG_NEWAE call.
      There we again validate the size of the supplied buffer matches the
      existing state and if so inject the contents.  We do not at this point
      check that the replay_window is within the allocated memory.  This leads
      to out-of-bounds reads and writes triggered by netlink packets.  This leads
      to memory corruption and the potential for privilege escalation.
      
      We already attempt to validate the incoming replay information in
      xfrm_new_ae() via xfrm_replay_verify_len().  This confirms that the
      user is not trying to change the size of the replay state buffer which
      includes the replay_esn.  It however does not check the replay_window
      remains within that buffer.  Add validation of the contained replay_window.
      
      CVE-2017-7184
      Signed-off-by: Andy Whitcroft <apw@canonical.com>
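The two validations these commit messages describe, as an added illustrative example that is not the kernel's code and not the patch from either commit: the overall attribute length and the state's internal bitmap length must both agree with the existing state, the length computation must not wrap, and `replay_window` must fit inside the bitmap that was actually allocated. The `esn_state` struct is a reduced stand-in (field names follow the kernel's `replay_esn`, the layout is an assumption), lengths are modelled as 32-bit so the wrap can be observed, and `esn_state_len`, `verify_esn_update`, `check_case` and the `VERIFY_*` codes are all names chosen for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-in for an ESN replay state (assumption: field names
 * mirror the kernel's replay_esn, the layout is reduced to what the checks
 * need): bmp_len counts 32-bit words in bmp[], replay_window is the window
 * size in bits and must fit inside those words. */
struct esn_state {
    uint32_t bmp_len;
    uint32_t replay_window;
    uint32_t bmp[];
};

enum verify_result {
    VERIFY_OK = 0,
    VERIFY_BAD_LEN = -1,     /* overall size does not match existing state */
    VERIFY_BAD_BMP_LEN = -2, /* internal bitmap length disagrees */
    VERIFY_BAD_WINDOW = -3   /* replay_window exceeds the allocated bitmap */
};

/* Overall size of an esn_state with bmp_len words. Modelled as a 32-bit
 * quantity (assumption) so the wrap the first commit warns about can be
 * observed here: returns 0 instead of a wrapped, too-small length. */
uint32_t esn_state_len(uint32_t bmp_len)
{
    uint32_t hdr = (uint32_t)sizeof(struct esn_state);
    if (bmp_len > (UINT32_MAX - hdr) / sizeof(uint32_t))
        return 0;
    return hdr + bmp_len * (uint32_t)sizeof(uint32_t);
}

/* Validate an incoming update against the existing state before any of
 * its contents are copied in. Both the overall size and the internal
 * bmp_len are compared, then replay_window is bounded by the bitmap. */
int verify_esn_update(const struct esn_state *existing,
                      const struct esn_state *incoming,
                      uint32_t incoming_len)
{
    uint32_t expected = esn_state_len(existing->bmp_len);

    if (expected == 0 || incoming_len != expected)
        return VERIFY_BAD_LEN;
    if (incoming->bmp_len != existing->bmp_len)
        return VERIFY_BAD_BMP_LEN;
    /* each bmp word holds 32 window bits; 64-bit multiply cannot wrap */
    if ((uint64_t)incoming->replay_window > (uint64_t)incoming->bmp_len * 32)
        return VERIFY_BAD_WINDOW;
    return VERIFY_OK;
}

/* Build an existing state and a constructed incoming update in static,
 * suitably aligned storage and run the check. Inputs are constructed. */
int check_case(uint32_t existing_bmp_len, uint32_t in_bmp_len,
               uint32_t in_window, uint32_t in_len)
{
    static uint32_t existing_buf[64], incoming_buf[64];
    struct esn_state *existing = (struct esn_state *)existing_buf;
    struct esn_state *incoming = (struct esn_state *)incoming_buf;

    memset(existing_buf, 0, sizeof existing_buf);
    memset(incoming_buf, 0, sizeof incoming_buf);
    existing->bmp_len = existing_bmp_len;
    incoming->bmp_len = in_bmp_len;
    incoming->replay_window = in_window;
    return verify_esn_update(existing, incoming, in_len);
}

int main(void)
{
    uint32_t len4 = esn_state_len(4);
    printf("valid update:     %d\n", check_case(4, 4, 128, len4));
    printf("window too large: %d\n", check_case(4, 4, 129, len4));
    printf("bmp_len mismatch: %d\n", check_case(4, 8, 128, len4));
    printf("wrapped length:   %d\n",
           check_case(0x40000000u, 0x40000000u, 0, esn_state_len(0x40000000u)));
    return 0;
}
```

The ordering matters: the window bound is only meaningful once the two length checks have established that `incoming->bmp_len` really describes the buffer the update will be written into, which is exactly the gap the second commit message describes.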