DivestOS/Patches/Linux_CVEs/CVE-2017-7308/ANY/0002.patch

From 8f8d28e4d6d815a391285e121c3a53a0b6cb9e7b Mon Sep 17 00:00:00 2001
From: Andrey Konovalov <andreyknvl@google.com>
Date: Wed, 29 Mar 2017 16:11:21 +0200
Subject: net/packet: fix overflow in check for tp_frame_nr

When calculating rb->frames_per_block * req->tp_block_nr the result
can overflow.

Add a check that tp_block_size * tp_block_nr <= UINT_MAX.

Since frames_per_block <= tp_block_size, the expression would
never overflow.

Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
---
 net/packet/af_packet.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
index 2323ee3..3ac286e 100644
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -4205,6 +4205,8 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u,
 		rb->frames_per_block = req->tp_block_size / req->tp_frame_size;
 		if (unlikely(rb->frames_per_block == 0))
 			goto out;
+		if (unlikely(req->tp_block_size > UINT_MAX / req->tp_block_nr))
+			goto out;
 		if (unlikely((rb->frames_per_block * req->tp_block_nr) !=
 					req->tp_frame_nr))
 			goto out;
-- 
cgit v1.1
Switch to new CVE patchset 2017-11-07 17:32:46 -05:00			`From 8f8d28e4d6d815a391285e121c3a53a0b6cb9e7b Mon Sep 17 00:00:00 2001`
			`From: Andrey Konovalov <andreyknvl@google.com>`
			`Date: Wed, 29 Mar 2017 16:11:21 +0200`
			`Subject: net/packet: fix overflow in check for tp_frame_nr`

			`When calculating rb->frames_per_block * req->tp_block_nr the result`
			`can overflow.`

			`Add a check that tp_block_size * tp_block_nr <= UINT_MAX.`

			`Since frames_per_block <= tp_block_size, the expression would`
			`never overflow.`

			`Signed-off-by: Andrey Konovalov <andreyknvl@google.com>`
			`Acked-by: Eric Dumazet <edumazet@google.com>`
			`Signed-off-by: David S. Miller <davem@davemloft.net>`
			`---`
			`net/packet/af_packet.c \| 2 ++`
			`1 file changed, 2 insertions(+)`

			`diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c`
			`index 2323ee3..3ac286e 100644`
			`--- a/net/packet/af_packet.c`
			`+++ b/net/packet/af_packet.c`
			`@@ -4205,6 +4205,8 @@ static int packet_set_ring(struct sock sk, union tpacket_req_u req_u,`
			`rb->frames_per_block = req->tp_block_size / req->tp_frame_size;`
			`if (unlikely(rb->frames_per_block == 0))`
			`goto out;`
			`+ if (unlikely(req->tp_block_size > UINT_MAX / req->tp_block_nr))`
			`+ goto out;`
			`if (unlikely((rb->frames_per_block * req->tp_block_nr) !=`
			`req->tp_frame_nr))`
			`goto out;`
			`--`
			`cgit v1.1`