author | Andreas Wellving <andreas.wellving@enea.com> | 2018-10-17 14:23:39 +0200 |
---|---|---|
committer | Andreas Wellving <andreas.wellving@enea.com> | 2018-10-17 14:23:39 +0200 |
commit | 9663eadc371fa93896030458718a49672f9783d8 (patch) | |
tree | 982f0f75e7afd7e5df989a5db369a0eab879fbdb | |
parent | 26a5aeb5f6e2d2af95f21cc8b3e80a02c2380a58 (diff) | |
download | enea-kernel-cache-9663eadc371fa93896030458718a49672f9783d8.tar.gz |
udp: CVE-2016-10229
udp: properly support MSG_PEEK with truncated buffers
References:
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.1.y&id=5c564705d3f0436ddc70d833b975b870ba560528
Change-Id: Ib677b5853b2ce51ed3a976ddbfb7cf1806badd2e
Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
-rw-r--r-- | patches/cve/4.1.x.scc | 3 | ||||
-rw-r--r-- | patches/cve/CVE-2016-10229-udp-properly-support-MSG_PEEK-with-truncated-buffers.patch | 101 |
2 files changed, 104 insertions, 0 deletions
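--- a/patches/cve/4.1.x.scc
+++ b/patches/cve/4.1.x.scc
@@ -2,3 +2,6 @@
 patch CVE-2016-7039-net-add-recursion-limit-to-GRO.patch
 patch CVE-2016-8399-net-ping-check-minimum-size-on-ICMP-header-length.patch
 patch CVE-2016-8655-packet-fix-race-condition-in-packet_set_ring.patch
+
+#fixed in 4.1.40
+patch CVE-2016-10229-udp-properly-support-MSG_PEEK-with-truncated-buffers.patch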
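--- /dev/null
+++ b/patches/cve/CVE-2016-10229-udp-properly-support-MSG_PEEK-with-truncated-buffers.patch
@@ -0,0 +1,101 @@
+From 5c564705d3f0436ddc70d833b975b870ba560528 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Wed, 30 Dec 2015 08:51:12 -0500
+Subject: [PATCH] udp: properly support MSG_PEEK with truncated buffers
+
+[ Upstream commit 197c949e7798fbf28cfadc69d9ca0c2abbf93191 ]
+
+Backport of this upstream commit into stable kernels :
+89c22d8c3b27 ("net: Fix skb csum races when peeking")
+exposed a bug in udp stack vs MSG_PEEK support, when user provides
+a buffer smaller than skb payload.
+
+In this case,
+skb_copy_and_csum_datagram_iovec(skb, sizeof(struct udphdr),
+msg->msg_iov);
+returns -EFAULT.
+
+This bug does not happen in upstream kernels since Al Viro did a great
+job to replace this into :
+skb_copy_and_csum_datagram_msg(skb, sizeof(struct udphdr), msg);
+This variant is safe vs short buffers.
+
+For the time being, instead reverting Herbert Xu patch and add back
+skb->ip_summed invalid changes, simply store the result of
+udp_lib_checksum_complete() so that we avoid computing the checksum a
+second time, and avoid the problematic
+skb_copy_and_csum_datagram_iovec() call.
+
+This patch can be applied on recent kernels as it avoids a double
+checksumming, then backported to stable kernels as a bug fix.
+
+CVE: CVE-2016-10229
+Upstream-Status: Backport
+
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
+---
+net/ipv4/udp.c | 6 ++++--
+net/ipv6/udp.c | 6 ++++--
+2 files changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
+index 031752e..4567189 100644
+--- a/net/ipv4/udp.c
++++ b/net/ipv4/udp.c
+@@ -1264,6 +1264,7 @@ int udp_recvmsg(struct sock *sk, struct msghdr *msg, size_t len, int noblock,
+int peeked, off = 0;
+int err;
+int is_udplite = IS_UDPLITE(sk);
++ bool checksum_valid = false;
+bool slow;
+
+if (flags & MSG_ERRQUEUE)
+@@ -1289,11 +1290,12 @@ try_again:
+*/
+
+if (copied < ulen || UDP_SKB_CB(skb)->partial_cov) {
+- if (udp_lib_checksum_complete(skb))
++ checksum_valid = !udp_lib_checksum_complete(skb);
++ if (!checksum_valid)
+goto csum_copy_err;
+}
+
+- if (skb_csum_unnecessary(skb))
++ if (checksum_valid || skb_csum_unnecessary(skb))
+err = skb_copy_datagram_msg(skb, sizeof(struct udphdr),
+msg, copied);
+else {
+diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c
+index 1173557..7aa424c 100644
+--- a/net/ipv6/udp.c
++++ b/net/ipv6/udp.c
+@@ -399,6 +399,7 @@ int udpv6_recvmsg(struct sock *sk, struct msghdr *msg, size_t len,
+int peeked, off = 0;
+int err;
+int is_udplite = IS_UDPLITE(sk);
++ bool checksum_valid = false;
+int is_udp4;
+bool slow;
+
+@@ -430,11 +431,12 @@ try_again:
+*/
+
+if (copied < ulen || UDP_SKB_CB(skb)->partial_cov) {
+- if (udp_lib_checksum_complete(skb))
++ checksum_valid = !udp_lib_checksum_complete(skb);
++ if (!checksum_valid)
+goto csum_copy_err;
+}
+
+- if (skb_csum_unnecessary(skb))
++ if (checksum_valid || skb_csum_unnecessary(skb))
+err = skb_copy_datagram_msg(skb, sizeof(struct udphdr),
+msg, copied);
+else {
+--
+
+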
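Review bot: `checksum_valid` is initialised only at its declaration in `udp_recvmsg()` and `udpv6_recvmsg()`, while the code that sets it sits below the `try_again:` label, so the flag is not reset when the receive path loops to pick up another skb. In the visible lines the jump to `csum_copy_err` is taken only while the flag is false, so this looks safe provided nothing returns to `try_again` after a successful verification, but that invariant lives in code outside these hunks. A stale `true` would send a later datagram down the `skb_copy_datagram_msg()` branch without its checksum having been verified. I would either add `checksum_valid = false;` directly after `try_again:` in both functions, or record the invariant at the declaration, e.g. `/* true once udp_lib_checksum_complete() has verified this skb; lets the copy below skip a second checksum pass */`. Both function bodies start and end outside the hunks shown.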