tcp: CVE-2019-11478

tcp: tcp_fragment() should apply sane memory limits tcp: refine memory limit test in tcp_fragment() References: https://nvd.nist.gov/vuln/detail/CVE-2019-11478 https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.9.y&id=e358f4af19db46ca25cc9a8a78412b09ba98859d https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.9.y&id=caa51edc7e9606418611e68de624efbd0042adf5 Change-Id: Ie16affeda488857ce013ce3be578c05619aee446 Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
author: Andreas Wellving <andreas.wellving@enea.com> 2019-07-10 11:20:38 +0200
committer: Adrian Stratulat <adrian.stratulat@enea.com> 2019-07-12 14:30:09 +0200
commit: f095fec9a8e21c24ebdc61341bed46d469bd1384 (patch)
tree: 2b71c04614e75e8252021fda0e046399e3285125
parent: 726a4b413d426f2209264501fe0f56c88588988f (diff)
download: enea-kernel-cache-f095fec9a8e21c24ebdc61341bed46d469bd1384.tar.gz
3 files changed, 133 insertions, 0 deletions
diff --git a/patches/cve/4.9.x.scc b/patches/cve/4.9.x.scc
index e3a9067..ad03493 100644
--- a/patches/cve/4.9.x.scc
+++ b/patches/cve/4.9.x.scc
@@ -46,3 +46,5 @@ patch CVE-2018-20836-scsi-libsas-fix-a-race-condition-when-smp-task-timeo.patch
 #CVEs fixed in 4.9.182:
 patch CVE-2019-11477-tcp-limit-payload-size-of-sacked-skbs.patch
+patch CVE-2019-11478-tcp-tcp_fragment-should-apply-sane-memory-limits.patch
+patch CVE-2019-11478-tcp-refine-memory-limit-test-in-tcp_fragment.patch
diff --git a/patches/cve/CVE-2019-11478-tcp-refine-memory-limit-test-in-tcp_fragment.patch b/patches/cve/CVE-2019-11478-tcp-refine-memory-limit-test-in-tcp_fragment.patch
new file mode 100644
index 0000000..57bca2c
--- /dev/null
+++ b/patches/cve/CVE-2019-11478-tcp-refine-memory-limit-test-in-tcp_fragment.patch
@@ -0,0 +1,45 @@
+From caa51edc7e9606418611e68de624efbd0042adf5 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Fri, 21 Jun 2019 06:09:55 -0700
+Subject: [PATCH] tcp: refine memory limit test in tcp_fragment()
+commit b6653b3629e5b88202be3c9abc44713973f5c4b4 upstream.
+tcp_fragment() might be called for skbs in the write queue.
+Memory limits might have been exceeded because tcp_sendmsg() only
+checks limits at full skb (64KB) boundaries.
+Therefore, we need to make sure tcp_fragment() wont punish applications
+that might have setup very low SO_SNDBUF values.
+CVE: CVE-2019-11478
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.9.y&id=caa51edc7e9606418611e68de624efbd0042adf5]
+Fixes: f070ef2ac667 ("tcp: tcp_fragment() should apply sane memory limits")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: Christoph Paasch <cpaasch@apple.com>
+Tested-by: Christoph Paasch <cpaasch@apple.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
+---
+ net/ipv4/tcp_output.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
+index d8c6b833f0ce..0c195b0f4216 100644
+--- a/net/ipv4/tcp_output.c
+++ b/net/ipv4/tcp_output.c
+@@ -1185,7 +1185,7 @@ int tcp_fragment(struct sock *sk, struct sk_buff *skb, u32 len,
+        if (nsize < 0)
+                nsize = 0;
+ 
+-       if (unlikely((sk->sk_wmem_queued >> 1) > sk->sk_sndbuf)) {
+       if (unlikely((sk->sk_wmem_queued >> 1) > sk->sk_sndbuf + 0x20000)) {
+                NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPWQUEUETOOBIG);
+                return -ENOMEM;
+        }
+-- 
+2.20.1
diff --git a/patches/cve/CVE-2019-11478-tcp-tcp_fragment-should-apply-sane-memory-limits.patch b/patches/cve/CVE-2019-11478-tcp-tcp_fragment-should-apply-sane-memory-limits.patch
new file mode 100644
index 0000000..7d0c4f4
--- /dev/null
+++ b/patches/cve/CVE-2019-11478-tcp-tcp_fragment-should-apply-sane-memory-limits.patch
@@ -0,0 +1,86 @@
+From e358f4af19db46ca25cc9a8a78412b09ba98859d Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Sat, 15 Jun 2019 17:40:56 -0700
+Subject: [PATCH] tcp: tcp_fragment() should apply sane memory limits
+commit f070ef2ac66716357066b683fb0baf55f8191a2e upstream.
+Jonathan Looney reported that a malicious peer can force a sender
+to fragment its retransmit queue into tiny skbs, inflating memory
+usage and/or overflow 32bit counters.
+TCP allows an application to queue up to sk_sndbuf bytes,
+so we need to give some allowance for non malicious splitting
+of retransmit queue.
+A new SNMP counter is added to monitor how many times TCP
+did not allow to split an skb if the allowance was exceeded.
+Note that this counter might increase in the case applications
+use SO_SNDBUF socket option to lower sk_sndbuf.
+CVE-2019-11478 : tcp_fragment, prevent fragmenting a packet when the
+        socket is already using more than half the allowed space
+CVE: CVE-2019-11478
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.9.y&id=e358f4af19db46ca25cc9a8a78412b09ba98859d]
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: Jonathan Looney <jtl@netflix.com>
+Acked-by: Neal Cardwell <ncardwell@google.com>
+Acked-by: Yuchung Cheng <ycheng@google.com>
+Reviewed-by: Tyler Hicks <tyhicks@canonical.com>
+Cc: Bruce Curtis <brucec@netflix.com>
+Cc: Jonathan Lemon <jonathan.lemon@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
+---
+ include/uapi/linux/snmp.h | 1 +
+ net/ipv4/proc.c           | 1 +
+ net/ipv4/tcp_output.c     | 5 +++++
+ 3 files changed, 7 insertions(+)
+diff --git a/include/uapi/linux/snmp.h b/include/uapi/linux/snmp.h
+index 3442a26d36d9..56e3460d1f9f 100644
+--- a/include/uapi/linux/snmp.h
+++ b/include/uapi/linux/snmp.h
+@@ -282,6 +282,7 @@ enum
+        LINUX_MIB_TCPKEEPALIVE,                 /* TCPKeepAlive */
+        LINUX_MIB_TCPMTUPFAIL,                  /* TCPMTUPFail */
+        LINUX_MIB_TCPMTUPSUCCESS,               /* TCPMTUPSuccess */
+       LINUX_MIB_TCPWQUEUETOOBIG,              /* TCPWqueueTooBig */
+        __LINUX_MIB_MAX
+ };
+ 
+diff --git a/net/ipv4/proc.c b/net/ipv4/proc.c
+index ec48d8eafc7e..8b221398534b 100644
+--- a/net/ipv4/proc.c
+++ b/net/ipv4/proc.c
+@@ -306,6 +306,7 @@ static const struct snmp_mib snmp4_net_list[] = {
+        SNMP_MIB_ITEM("TCPKeepAlive", LINUX_MIB_TCPKEEPALIVE),
+        SNMP_MIB_ITEM("TCPMTUPFail", LINUX_MIB_TCPMTUPFAIL),
+        SNMP_MIB_ITEM("TCPMTUPSuccess", LINUX_MIB_TCPMTUPSUCCESS),
+       SNMP_MIB_ITEM("TCPWqueueTooBig", LINUX_MIB_TCPWQUEUETOOBIG),
+        SNMP_MIB_SENTINEL
+ };
+ 
+diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
+index 2f166662682e..123b2d8fde46 100644
+--- a/net/ipv4/tcp_output.c
+++ b/net/ipv4/tcp_output.c
+@@ -1185,6 +1185,11 @@ int tcp_fragment(struct sock *sk, struct sk_buff *skb, u32 len,
+        if (nsize < 0)
+                nsize = 0;
+ 
+       if (unlikely((sk->sk_wmem_queued >> 1) > sk->sk_sndbuf)) {
+               NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPWQUEUETOOBIG);
+               return -ENOMEM;
+       }
+
+        if (skb_unclone(skb, gfp))
+                return -ENOMEM;
+ 
+-- 
+2.20.1
author	Andreas Wellving <andreas.wellving@enea.com>	2019-07-10 11:20:38 +0200
committer	Adrian Stratulat <adrian.stratulat@enea.com>	2019-07-12 14:30:09 +0200
commit	f095fec9a8e21c24ebdc61341bed46d469bd1384 (patch)
tree	2b71c04614e75e8252021fda0e046399e3285125
parent	726a4b413d426f2209264501fe0f56c88588988f (diff)
download	enea-kernel-cache-f095fec9a8e21c24ebdc61341bed46d469bd1384.tar.gz

diff --git a/patches/cve/4.9.x.scc b/patches/cve/4.9.x.scc index e3a9067..ad03493 100644 --- a/patches/cve/4.9.x.scc +++ b/patches/cve/4.9.x.scc
@@ -46,3 +46,5 @@ patch CVE-2018-20836-scsi-libsas-fix-a-race-condition-when-smp-task-timeo.patch
46		46
47	#CVEs fixed in 4.9.182:	47	#CVEs fixed in 4.9.182:
48	patch CVE-2019-11477-tcp-limit-payload-size-of-sacked-skbs.patch	48	patch CVE-2019-11477-tcp-limit-payload-size-of-sacked-skbs.patch
		49	patch CVE-2019-11478-tcp-tcp_fragment-should-apply-sane-memory-limits.patch
		50	patch CVE-2019-11478-tcp-refine-memory-limit-test-in-tcp_fragment.patch


diff --git a/patches/cve/CVE-2019-11478-tcp-refine-memory-limit-test-in-tcp_fragment.patch b/patches/cve/CVE-2019-11478-tcp-refine-memory-limit-test-in-tcp_fragment.patch new file mode 100644 index 0000000..57bca2c --- /dev/null +++ b/patches/cve/CVE-2019-11478-tcp-refine-memory-limit-test-in-tcp_fragment.patch
@@ -0,0 +1,45 @@
		1	From caa51edc7e9606418611e68de624efbd0042adf5 Mon Sep 17 00:00:00 2001
		2	From: Eric Dumazet <edumazet@google.com>
		3	Date: Fri, 21 Jun 2019 06:09:55 -0700
		4	Subject: [PATCH] tcp: refine memory limit test in tcp_fragment()
		5
		6	commit b6653b3629e5b88202be3c9abc44713973f5c4b4 upstream.
		7
		8	tcp_fragment() might be called for skbs in the write queue.
		9
		10	Memory limits might have been exceeded because tcp_sendmsg() only
		11	checks limits at full skb (64KB) boundaries.
		12
		13	Therefore, we need to make sure tcp_fragment() wont punish applications
		14	that might have setup very low SO_SNDBUF values.
		15
		16	CVE: CVE-2019-11478
		17	Upstream-Status: Backport [https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.9.y&id=caa51edc7e9606418611e68de624efbd0042adf5]
		18
		19	Fixes: f070ef2ac667 ("tcp: tcp_fragment() should apply sane memory limits")
		20	Signed-off-by: Eric Dumazet <edumazet@google.com>
		21	Reported-by: Christoph Paasch <cpaasch@apple.com>
		22	Tested-by: Christoph Paasch <cpaasch@apple.com>
		23	Signed-off-by: David S. Miller <davem@davemloft.net>
		24	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
		25	Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
		26	---
		27	net/ipv4/tcp_output.c \| 2 +-
		28	1 file changed, 1 insertion(+), 1 deletion(-)
		29
		30	diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
		31	index d8c6b833f0ce..0c195b0f4216 100644
		32	--- a/net/ipv4/tcp_output.c
		33	+++ b/net/ipv4/tcp_output.c
		34	@@ -1185,7 +1185,7 @@ int tcp_fragment(struct sock sk, struct sk_buff skb, u32 len,
		35	if (nsize < 0)
		36	nsize = 0;
		37
		38	- if (unlikely((sk->sk_wmem_queued >> 1) > sk->sk_sndbuf)) {
		39	+ if (unlikely((sk->sk_wmem_queued >> 1) > sk->sk_sndbuf + 0x20000)) {
		40	NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPWQUEUETOOBIG);
		41	return -ENOMEM;
		42	}
		43	--
		44	2.20.1
		45


diff --git a/patches/cve/CVE-2019-11478-tcp-tcp_fragment-should-apply-sane-memory-limits.patch b/patches/cve/CVE-2019-11478-tcp-tcp_fragment-should-apply-sane-memory-limits.patch new file mode 100644 index 0000000..7d0c4f4 --- /dev/null +++ b/patches/cve/CVE-2019-11478-tcp-tcp_fragment-should-apply-sane-memory-limits.patch
@@ -0,0 +1,86 @@
		1	From e358f4af19db46ca25cc9a8a78412b09ba98859d Mon Sep 17 00:00:00 2001
		2	From: Eric Dumazet <edumazet@google.com>
		3	Date: Sat, 15 Jun 2019 17:40:56 -0700
		4	Subject: [PATCH] tcp: tcp_fragment() should apply sane memory limits
		5
		6	commit f070ef2ac66716357066b683fb0baf55f8191a2e upstream.
		7
		8	Jonathan Looney reported that a malicious peer can force a sender
		9	to fragment its retransmit queue into tiny skbs, inflating memory
		10	usage and/or overflow 32bit counters.
		11
		12	TCP allows an application to queue up to sk_sndbuf bytes,
		13	so we need to give some allowance for non malicious splitting
		14	of retransmit queue.
		15
		16	A new SNMP counter is added to monitor how many times TCP
		17	did not allow to split an skb if the allowance was exceeded.
		18
		19	Note that this counter might increase in the case applications
		20	use SO_SNDBUF socket option to lower sk_sndbuf.
		21
		22	CVE-2019-11478 : tcp_fragment, prevent fragmenting a packet when the
		23	socket is already using more than half the allowed space
		24
		25	CVE: CVE-2019-11478
		26	Upstream-Status: Backport [https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.9.y&id=e358f4af19db46ca25cc9a8a78412b09ba98859d]
		27
		28	Signed-off-by: Eric Dumazet <edumazet@google.com>
		29	Reported-by: Jonathan Looney <jtl@netflix.com>
		30	Acked-by: Neal Cardwell <ncardwell@google.com>
		31	Acked-by: Yuchung Cheng <ycheng@google.com>
		32	Reviewed-by: Tyler Hicks <tyhicks@canonical.com>
		33	Cc: Bruce Curtis <brucec@netflix.com>
		34	Cc: Jonathan Lemon <jonathan.lemon@gmail.com>
		35	Signed-off-by: David S. Miller <davem@davemloft.net>
		36	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
		37	Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
		38	---
		39	include/uapi/linux/snmp.h \| 1 +
		40	net/ipv4/proc.c \| 1 +
		41	net/ipv4/tcp_output.c \| 5 +++++
		42	3 files changed, 7 insertions(+)
		43
		44	diff --git a/include/uapi/linux/snmp.h b/include/uapi/linux/snmp.h
		45	index 3442a26d36d9..56e3460d1f9f 100644
		46	--- a/include/uapi/linux/snmp.h
		47	+++ b/include/uapi/linux/snmp.h
		48	@@ -282,6 +282,7 @@ enum
		49	LINUX_MIB_TCPKEEPALIVE, /* TCPKeepAlive */
		50	LINUX_MIB_TCPMTUPFAIL, /* TCPMTUPFail */
		51	LINUX_MIB_TCPMTUPSUCCESS, /* TCPMTUPSuccess */
		52	+ LINUX_MIB_TCPWQUEUETOOBIG, /* TCPWqueueTooBig */
		53	__LINUX_MIB_MAX
		54	};
		55
		56	diff --git a/net/ipv4/proc.c b/net/ipv4/proc.c
		57	index ec48d8eafc7e..8b221398534b 100644
		58	--- a/net/ipv4/proc.c
		59	+++ b/net/ipv4/proc.c
		60	@@ -306,6 +306,7 @@ static const struct snmp_mib snmp4_net_list[] = {
		61	SNMP_MIB_ITEM("TCPKeepAlive", LINUX_MIB_TCPKEEPALIVE),
		62	SNMP_MIB_ITEM("TCPMTUPFail", LINUX_MIB_TCPMTUPFAIL),
		63	SNMP_MIB_ITEM("TCPMTUPSuccess", LINUX_MIB_TCPMTUPSUCCESS),
		64	+ SNMP_MIB_ITEM("TCPWqueueTooBig", LINUX_MIB_TCPWQUEUETOOBIG),
		65	SNMP_MIB_SENTINEL
		66	};
		67
		68	diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
		69	index 2f166662682e..123b2d8fde46 100644
		70	--- a/net/ipv4/tcp_output.c
		71	+++ b/net/ipv4/tcp_output.c
		72	@@ -1185,6 +1185,11 @@ int tcp_fragment(struct sock sk, struct sk_buff skb, u32 len,
		73	if (nsize < 0)
		74	nsize = 0;
		75
		76	+ if (unlikely((sk->sk_wmem_queued >> 1) > sk->sk_sndbuf)) {
		77	+ NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPWQUEUETOOBIG);
		78	+ return -ENOMEM;
		79	+ }
		80	+
		81	if (skb_unclone(skb, gfp))
		82	return -ENOMEM;
		83
		84	--
		85	2.20.1
		86