divestos-build/Patches/Linux_CVEs/CVE-2017-11600/3.10/0001.patch

From 0af5440977299a17a0f226ce00d872572a426c14 Mon Sep 17 00:00:00 2001
From: Suren Baghdasaryan <surenb@google.com>
Date: Tue, 15 Aug 2017 15:12:24 -0700
Subject: [PATCH] ANDROID: check dir value of xfrm_userpolicy_id

Check user provided dir value to prevent out-of-bound access
which may occur if dir is not less than XFRM_POLICY_MAX.

(url: http://seclists.org/bugtraq/2017/Jul/30)

Bug: 64257838
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
Change-Id: I5bbdf95e14a61bdf5207977d9a5a4465bc848da0
---
 net/xfrm/xfrm_user.c | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index 3f565e495ac6..0cc105403826 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -1583,6 +1583,10 @@ static struct sk_buff *xfrm_policy_netlink(struct sk_buff *in_skb,
 	struct sk_buff *skb;
 	int err;
 
+	err = verify_policy_dir(dir);
+	if (err)
+		return ERR_PTR(err);
+
 	skb = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
 	if (!skb)
 		return ERR_PTR(-ENOMEM);
@@ -2129,6 +2133,10 @@ static int xfrm_do_migrate(struct sk_buff *skb, struct nlmsghdr *nlh,
 	int err;
 	int n = 0;
 
+	err = verify_policy_dir(pi->dir);
+	if (err)
+		return err;
+
 	if (attrs[XFRMA_MIGRATE] == NULL)
 		return -EINVAL;
 
@@ -2243,6 +2251,11 @@ static int xfrm_send_migrate(const struct xfrm_selector *sel, u8 dir, u8 type,
 {
 	struct net *net = &init_net;
 	struct sk_buff *skb;
+	int err;
+
+	err = verify_policy_dir(dir);
+	if (err)
+		return err;
 
 	skb = nlmsg_new(xfrm_migrate_msgsize(num_migrate, !!k), GFP_ATOMIC);
 	if (skb == NULL)
@@ -2871,6 +2884,11 @@ static int xfrm_notify_policy_flush(const struct km_event *c)
 
 static int xfrm_send_policy_notify(struct xfrm_policy *xp, int dir, const struct km_event *c)
 {
+	int err;
+
+	err = verify_policy_dir(dir);
+	if (err)
+		return err;
 
 	switch (c->event) {
 	case XFRM_MSG_NEWPOLICY:
Many new CVE patches 2017-11-25 19:39:02 -05:00			`From 0af5440977299a17a0f226ce00d872572a426c14 Mon Sep 17 00:00:00 2001`
			`From: Suren Baghdasaryan <surenb@google.com>`
			`Date: Tue, 15 Aug 2017 15:12:24 -0700`
			`Subject: [PATCH] ANDROID: check dir value of xfrm_userpolicy_id`
Add patches for many Linux CVEs, and overhaul script paths 2017-10-29 01:48:53 -04:00
Many new CVE patches 2017-11-25 19:39:02 -05:00			`Check user provided dir value to prevent out-of-bound access`
			`which may occur if dir is not less than XFRM_POLICY_MAX.`
Add patches for many Linux CVEs, and overhaul script paths 2017-10-29 01:48:53 -04:00
Many new CVE patches 2017-11-25 19:39:02 -05:00			`(url: http://seclists.org/bugtraq/2017/Jul/30)`
Add patches for many Linux CVEs, and overhaul script paths 2017-10-29 01:48:53 -04:00
Many new CVE patches 2017-11-25 19:39:02 -05:00			`Bug: 64257838`
			`Signed-off-by: Suren Baghdasaryan <surenb@google.com>`
			`Change-Id: I5bbdf95e14a61bdf5207977d9a5a4465bc848da0`
Add patches for many Linux CVEs, and overhaul script paths 2017-10-29 01:48:53 -04:00			`---`
Many new CVE patches 2017-11-25 19:39:02 -05:00			`net/xfrm/xfrm_user.c \| 18 ++++++++++++++++++`
			`1 file changed, 18 insertions(+)`
Add patches for many Linux CVEs, and overhaul script paths 2017-10-29 01:48:53 -04:00
Many new CVE patches 2017-11-25 19:39:02 -05:00			`diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c`
			`index 3f565e495ac6..0cc105403826 100644`
			`--- a/net/xfrm/xfrm_user.c`
			`+++ b/net/xfrm/xfrm_user.c`
			`@@ -1583,6 +1583,10 @@ static struct sk_buff xfrm_policy_netlink(struct sk_buff in_skb,`
			`struct sk_buff *skb;`
			`int err;`
Add patches for many Linux CVEs, and overhaul script paths 2017-10-29 01:48:53 -04:00
Many new CVE patches 2017-11-25 19:39:02 -05:00			`+ err = verify_policy_dir(dir);`
			`+ if (err)`
			`+ return ERR_PTR(err);`
			`+`
			`skb = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);`
			`if (!skb)`
			`return ERR_PTR(-ENOMEM);`
			`@@ -2129,6 +2133,10 @@ static int xfrm_do_migrate(struct sk_buff skb, struct nlmsghdr nlh,`
			`int err;`
			`int n = 0;`
Add patches for many Linux CVEs, and overhaul script paths 2017-10-29 01:48:53 -04:00
Many new CVE patches 2017-11-25 19:39:02 -05:00			`+ err = verify_policy_dir(pi->dir);`
			`+ if (err)`
			`+ return err;`
Add patches for many Linux CVEs, and overhaul script paths 2017-10-29 01:48:53 -04:00			`+`
Many new CVE patches 2017-11-25 19:39:02 -05:00			`if (attrs[XFRMA_MIGRATE] == NULL)`
			`return -EINVAL;`

			`@@ -2243,6 +2251,11 @@ static int xfrm_send_migrate(const struct xfrm_selector *sel, u8 dir, u8 type,`
			`{`
			`struct net *net = &init_net;`
			`struct sk_buff *skb;`
			`+ int err;`
			`+`
			`+ err = verify_policy_dir(dir);`
			`+ if (err)`
			`+ return err;`

			`skb = nlmsg_new(xfrm_migrate_msgsize(num_migrate, !!k), GFP_ATOMIC);`
			`if (skb == NULL)`
			`@@ -2871,6 +2884,11 @@ static int xfrm_notify_policy_flush(const struct km_event *c)`

			`static int xfrm_send_policy_notify(struct xfrm_policy xp, int dir, const struct km_event c)`
			`{`
			`+ int err;`
			`+`
			`+ err = verify_policy_dir(dir);`
			`+ if (err)`
			`+ return err;`

			`switch (c->event) {`
			`case XFRM_MSG_NEWPOLICY:`