diff options
| author | Justin M. Forbes <jforbes@fedoraproject.org> | 2019-01-09 08:25:21 -0600 |
|---|---|---|
| committer | Justin M. Forbes <jforbes@fedoraproject.org> | 2019-01-09 08:25:21 -0600 |
| commit | 9070b1ed6d2ebc28acfea93ac8aaf6bc6c29d048 (patch) | |
| tree | 0b1eeb798485e8a2e56ec31a1cabdf57f4958005 | |
| parent | ef937e6595987a5e3866feb17157c578b895438b (diff) | |
| download | kernel-9070b1ed6d2ebc28acfea93ac8aaf6bc6c29d048.tar.gz kernel-9070b1ed6d2ebc28acfea93ac8aaf6bc6c29d048.tar.xz kernel-9070b1ed6d2ebc28acfea93ac8aaf6bc6c29d048.zip | |
Fix CVE-2019-3701 (rhbz 1663729 1663730)
| -rw-r--r-- | CVE-2019-3701.patch | 42 | ||||
| -rw-r--r-- | kernel.spec | 6 |
2 files changed, 48 insertions, 0 deletions
diff --git a/CVE-2019-3701.patch b/CVE-2019-3701.patch new file mode 100644 index 000000000..06ee36a63 --- /dev/null +++ b/CVE-2019-3701.patch @@ -0,0 +1,42 @@ +From linux-netdev Thu Jan 03 12:26:34 2019 +From: Oliver Hartkopp <socketcan () hartkopp ! net> +Date: Thu, 03 Jan 2019 12:26:34 +0000 +To: linux-netdev +Subject: [PATCH] can: gw: ensure DLC boundaries after CAN frame modification +Message-Id: <20190103122634.2530-1-socketcan () hartkopp ! net> +X-MARC-Message: https://marc.info/?l=linux-netdev&m=154651842302479 + +The CAN frame modification rules allow bitwise logical operations which can +be also applied to the can_dlc field. Ensure the manipulation result to +maintain the can_dlc boundaries so that the CAN drivers do not accidently +write arbitrary content beyond the data registers in the CAN controllers +I/O mem when processing can-gw manipulated outgoing frames. When passing these +frames to user space this issue did not have any effect to the kernel or any +leaked data as we always strictly copy sizeof(struct can_frame) bytes. + +Reported-by: Muyu Yu <ieatmuttonchuan@gmail.com> +Reported-by: Marcus Meissner <meissner@suse.de> +Tested-by: Muyu Yu <ieatmuttonchuan@gmail.com> +Signed-off-by: Oliver Hartkopp <socketcan@hartkopp.net> +Cc: linux-stable <stable@vger.kernel.org> # >= v3.2 +--- + net/can/gw.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/net/can/gw.c b/net/can/gw.c +index faa3da88a127..9000d9b8a133 100644 +--- a/net/can/gw.c ++++ b/net/can/gw.c +@@ -418,6 +418,10 @@ static void can_can_gw_rcv(struct sk_buff *skb, void *data) + + /* check for checksum updates when the CAN frame has been modified */ + if (modidx) { ++ /* ensure DLC boundaries after the different mods */ ++ if (cf->can_dlc > 8) ++ cf->can_dlc = 8; ++ + if (gwj->mod.csumfunc.crc8) + (*gwj->mod.csumfunc.crc8)(cf, &gwj->mod.csum.crc8); + +-- +2.19.2 diff --git a/kernel.spec b/kernel.spec index 99affe030..2458be3b9 100644 --- a/kernel.spec +++ b/kernel.spec @@ -621,6 +621,9 @@ Patch504: iio-accel-kxcjk1013-Add-more-hardware-ids.patch # rhbz 1645070 patch queued upstream for merging into 4.21 Patch505: asus-fx503-keyb.patch +# CVE-2019-3701 rhbz 1663729 1663730 +Patch506: CVE-2019-3701.patch + # END OF PATCH DEFINITIONS %endif @@ -1892,6 +1895,9 @@ fi # # %changelog +* Tue Jan 07 2019 Justin M. Forbes <jforbes@fedoraproject.org> +- Fix CVE-2019-3701 (rhbz 1663729 1663730) + * Wed Jan 02 2019 Justin M. Forbes <jforbes@fedoraproject.org> - 4.20.0-200 - Linux v4.20.0 |