CVE-2017-7477: macsec: avoid heap overflow in skb_to_sgvec

Bug #1685892 reported by Steve Beattie on 2017-04-24
Affects                  Importance   Assigned to
linux (Ubuntu)           Undecided    Unassigned
  Xenial                 Undecided    Unassigned
  Yakkety                Undecided    Stefan Bader
  Zesty                  Undecided    Kleber Sacilotto de Souza
linux-hwe (Ubuntu)       Undecided    Unassigned
  Xenial                 Undecided    Stefan Bader
  Yakkety                Undecided    Unassigned
  Zesty                  Undecided    Unassigned

Steve Beattie (sbeattie) wrote :

MACsec driver was introduced in 4.6 series.

Changed in linux-hwe (Ubuntu Yakkety):
status: New → Invalid
Changed in linux-hwe (Ubuntu Zesty):
status: New → Invalid
Changed in linux (Ubuntu Xenial):
status: New → Invalid
Stefan Bader (smb) on 2017-04-28
Changed in linux (Ubuntu Zesty):
assignee: nobody → Kleber Sacilotto de Souza (kleber-souza)
status: New → Fix Committed
Changed in linux (Ubuntu Yakkety):
assignee: nobody → Stefan Bader (smb)
status: New → Fix Committed
Stefan Bader (smb) on 2017-04-28
summary: - macsec: avoid heap overflow in skb_to_sgvec
+ CVE-2017-7477: macsec: avoid heap overflow in skb_to_sgvec
Stefan Bader (smb) on 2017-04-28
Changed in linux-hwe (Ubuntu Xenial):
assignee: nobody → Stefan Bader (smb)
status: New → In Progress
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 4.8.0-52.55

---------------
linux (4.8.0-52.55) yakkety; urgency=low

  * linux: 4.8.0-52.55 -proposed tracker (LP: #1686976)

  * CVE-2017-7477: macsec: avoid heap overflow in skb_to_sgvec (LP: #1685892)
    - macsec: avoid heap overflow in skb_to_sgvec
    - macsec: dynamically allocate space for sglist

  * net/ipv4: original ingress device index set as the loopback interface.
    (LP: #1683982)
    - net: fix incorrect original ingress device index in PKTINFO

  * Touchpad not working correctly after kernel upgrade (LP: #1662589)
    - Input: ALPS - fix V8+ protocol handling (73 03 28)

  * ifup service of network device stay active after driver stop (LP: #1672144)
    - net: use net->count to check whether a netns is alive or not

  * [Hyper-V] mkfs regression in kernel 4.4+ (LP: #1682215)
    - block: relax check on sg gap

  * Potential memory corruption with capi adapters (LP: #1681469)
    - powerpc/mm: Add missing global TLB invalidate if cxl is active

  * [Hyper-V/Azure] Please include Mellanox OFED drivers in Azure kernel and
    image (LP: #1650058)
    - net/mlx4_en: Fix bad WQE issue
    - net/mlx4_core: Fix racy CQ (Completion Queue) free
    - net/mlx4_core: Fix when to save some qp context flags for dynamic VST to VGT
      transitions
    - net/mlx4_core: Avoid command timeouts during VF driver device shutdown

 -- Stefan Bader <email address hidden> Fri, 28 Apr 2017 12:17:12 +0200

Changed in linux (Ubuntu Yakkety):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 4.10.0-21.23

---------------
linux (4.10.0-21.23) zesty; urgency=low

  * linux: 4.10.0-21.23 -proposed tracker (LP: #1686414)

  * Need to stop using bzip2 compression in packages for zesty onward
    (LP: #1686782)
    - [Debian] Use default compression for all packages

  * [Hyper-V][SAUCE] pci-hyperv: Use only 16 bit integer for PCI domain
    (LP: #1684971)
    - SAUCE: pci-hyperv: Use only 16 bit integer for PCI domain

  * CVE-2017-7477: macsec: avoid heap overflow in skb_to_sgvec (LP: #1685892)
    - macsec: avoid heap overflow in skb_to_sgvec
    - macsec: dynamically allocate space for sglist

  * Zesty update to 4.10.11 stable release (LP: #1685140)
    - drm/i915: Fix forcewake active domain tracking
    - drm/i915: Move updating color management to before vblank evasion
    - drm/i915/fbdev: Stop repeating tile configuration on stagnation
    - drm/i915: Squelch any ktime/jiffie rounding errors for wait-ioctl
    - drm/i915/gen9: Increase PCODE request timeout to 50ms
    - drm/i915: Store a permanent error in obj->mm.pages
    - drm/i915: Nuke debug messages from the pipe update critical section
    - drm/i915: Avoid tweaking evaluation thresholds on Baytrail v3
    - drm/i915: Reject HDMI 12bpc if the sink doesn't indicate support
    - drm/i915: Only enable hotplug interrupts if the display interrupts are
      enabled
    - drm/i915: Drop support for I915_EXEC_CONSTANTS_* execbuf parameters.
    - drm/i915: Stop using RP_DOWN_EI on Baytrail
    - drm/i915: Avoid rcu_barrier() from reclaim paths (shrinker)
    - drm/i915: Do .init_clock_gating() earlier to avoid it clobbering watermarks
    - orangefs: Dan Carpenter influenced cleanups...
    - orangefs: fix buffer size mis-match between kernel space and user space.
    - nfs: flexfiles: fix kernel OOPS if MDS returns unsupported DS type
    - rt2x00usb: fix anchor initialization
    - rt2x00usb: do not anchor rx and tx urb's
    - MIPS: Introduce irq_stack
    - MIPS: Stack unwinding while on IRQ stack
    - MIPS: Only change $28 to thread_info if coming from user mode
    - MIPS: Switch to the irq_stack in interrupts
    - MIPS: Select HAVE_IRQ_EXIT_ON_IRQ_STACK
    - MIPS: IRQ Stack: Fix erroneous jal to plat_irq_dispatch
    - crypto: caam - fix RNG deinstantiation error checking
    - crypto: caam - fix invalid dereference in caam_rsa_init_tfm()
    - dma-buf: add support for compat ioctl
    - Linux 4.10.11

  * Zesty update to v4.10.10 stable release (LP: #1682130)
    - drm/vmwgfx: Type-check lookups of fence objects
    - drm/vmwgfx: NULL pointer dereference in vmw_surface_define_ioctl()
    - drm/vmwgfx: avoid calling vzalloc with a 0 size in vmw_get_cap_3d_ioctl()
    - drm/ttm, drm/vmwgfx: Relax permission checking when opening surfaces
    - drm/vmwgfx: Remove getparam error message
    - drm/vmwgfx: fix integer overflow in vmw_surface_define_ioctl()
    - PCI: thunder-pem: Add legacy firmware support for Cavium ThunderX host
      controller
    - PCI: thunder-pem: Fix legacy firmware PEM-specific resources
    - sysfs: be careful of error returns from ops->show()
    - staging: android: ashmem: lseek failed due to no FM...

Changed in linux (Ubuntu Zesty):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-hwe - 4.8.0-52.55~16.04.1

---------------
linux-hwe (4.8.0-52.55~16.04.1) xenial; urgency=low

  * linux-hwe: 4.8.0-52.55~16.04.1 -proposed tracker (LP: #1686978)

  * linux: 4.8.0-52.55 -proposed tracker (LP: #1686976)

  * CVE-2017-7477: macsec: avoid heap overflow in skb_to_sgvec (LP: #1685892)
    - macsec: avoid heap overflow in skb_to_sgvec
    - macsec: dynamically allocate space for sglist

  * net/ipv4: original ingress device index set as the loopback interface.
    (LP: #1683982)
    - net: fix incorrect original ingress device index in PKTINFO

  * Touchpad not working correctly after kernel upgrade (LP: #1662589)
    - Input: ALPS - fix V8+ protocol handling (73 03 28)

  * ifup service of network device stay active after driver stop (LP: #1672144)
    - net: use net->count to check whether a netns is alive or not

  * [Hyper-V] mkfs regression in kernel 4.4+ (LP: #1682215)
    - block: relax check on sg gap

  * Potential memory corruption with capi adapters (LP: #1681469)
    - powerpc/mm: Add missing global TLB invalidate if cxl is active

  * [Hyper-V/Azure] Please include Mellanox OFED drivers in Azure kernel and
    image (LP: #1650058)
    - net/mlx4_en: Fix bad WQE issue
    - net/mlx4_core: Fix racy CQ (Completion Queue) free
    - net/mlx4_core: Fix when to save some qp context flags for dynamic VST to VGT
      transitions
    - net/mlx4_core: Avoid command timeouts during VF driver device shutdown

 -- Stefan Bader <email address hidden> Fri, 28 Apr 2017 12:17:12 +0200

Changed in linux-hwe (Ubuntu Xenial):
status: In Progress → Fix Released
Changed in linux (Ubuntu):
status: New → Fix Released
Steve Beattie (sbeattie) on 2017-09-26
Changed in linux-hwe (Ubuntu):
status: New → Invalid
This report contains Public Security information
Everyone can see this security related information.