udp: CVE-2016-10229

udp: properly support MSG_PEEK with truncated buffers References: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.1.y&id=5c564705d3f0436ddc70d833b975b870ba560528 Change-Id: Ib677b5853b2ce51ed3a976ddbfb7cf1806badd2e Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
author: Andreas Wellving <andreas.wellving@enea.com> 2018-10-17 14:23:39 +0200
committer: Andreas Wellving <andreas.wellving@enea.com> 2018-10-17 14:23:39 +0200
commit: 9663eadc371fa93896030458718a49672f9783d8 (patch)
tree: 982f0f75e7afd7e5df989a5db369a0eab879fbdb
parent: 26a5aeb5f6e2d2af95f21cc8b3e80a02c2380a58 (diff)
download: enea-kernel-cache-9663eadc371fa93896030458718a49672f9783d8.tar.gz
2 files changed, 104 insertions, 0 deletions
diff --git a/patches/cve/4.1.x.scc b/patches/cve/4.1.x.scc
index 4451d85..96110a0 100644
--- a/patches/cve/4.1.x.scc
+++ b/patches/cve/4.1.x.scc
@@ -2,3 +2,6 @@
 patch CVE-2016-7039-net-add-recursion-limit-to-GRO.patch
 patch CVE-2016-8399-net-ping-check-minimum-size-on-ICMP-header-length.patch
 patch CVE-2016-8655-packet-fix-race-condition-in-packet_set_ring.patch
+#fixed in 4.1.40
+patch CVE-2016-10229-udp-properly-support-MSG_PEEK-with-truncated-buffers.patch
diff --git a/patches/cve/CVE-2016-10229-udp-properly-support-MSG_PEEK-with-truncated-buffers.patch b/patches/cve/CVE-2016-10229-udp-properly-support-MSG_PEEK-with-truncated-buffers.patch
new file mode 100644
index 0000000..3ddb434
--- /dev/null
+++ b/patches/cve/CVE-2016-10229-udp-properly-support-MSG_PEEK-with-truncated-buffers.patch
@@ -0,0 +1,101 @@
+From 5c564705d3f0436ddc70d833b975b870ba560528 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Wed, 30 Dec 2015 08:51:12 -0500
+Subject: [PATCH] udp: properly support MSG_PEEK with truncated buffers
+[ Upstream commit 197c949e7798fbf28cfadc69d9ca0c2abbf93191 ]
+Backport of this upstream commit into stable kernels :
+89c22d8c3b27 ("net: Fix skb csum races when peeking")
+exposed a bug in udp stack vs MSG_PEEK support, when user provides
+a buffer smaller than skb payload.
+In this case,
+skb_copy_and_csum_datagram_iovec(skb, sizeof(struct udphdr),
+                                 msg->msg_iov);
+returns -EFAULT.
+This bug does not happen in upstream kernels since Al Viro did a great
+job to replace this into :
+skb_copy_and_csum_datagram_msg(skb, sizeof(struct udphdr), msg);
+This variant is safe vs short buffers.
+For the time being, instead reverting Herbert Xu patch and add back
+skb->ip_summed invalid changes, simply store the result of
+udp_lib_checksum_complete() so that we avoid computing the checksum a
+second time, and avoid the problematic
+skb_copy_and_csum_datagram_iovec() call.
+This patch can be applied on recent kernels as it avoids a double
+checksumming, then backported to stable kernels as a bug fix.
+CVE: CVE-2016-10229   
+Upstream-Status: Backport  
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
+---
+ net/ipv4/udp.c | 6 ++++--
+ net/ipv6/udp.c | 6 ++++--
+ 2 files changed, 8 insertions(+), 4 deletions(-)
+diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
+index 031752e..4567189 100644
+--- a/net/ipv4/udp.c
+++ b/net/ipv4/udp.c
+@@ -1264,6 +1264,7 @@ int udp_recvmsg(struct sock *sk, struct msghdr *msg, size_t len, int noblock,
+        int peeked, off = 0;
+        int err;
+        int is_udplite = IS_UDPLITE(sk);
+       bool checksum_valid = false;
+        bool slow;
+ 
+        if (flags & MSG_ERRQUEUE)
+@@ -1289,11 +1290,12 @@ try_again:
+         */
+ 
+        if (copied < ulen || UDP_SKB_CB(skb)->partial_cov) {
+-               if (udp_lib_checksum_complete(skb))
+               checksum_valid = !udp_lib_checksum_complete(skb);
+               if (!checksum_valid)
+                        goto csum_copy_err;
+        }
+ 
+-       if (skb_csum_unnecessary(skb))
+       if (checksum_valid || skb_csum_unnecessary(skb))
+                err = skb_copy_datagram_msg(skb, sizeof(struct udphdr),
+                                            msg, copied);
+        else {
+diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c
+index 1173557..7aa424c 100644
+--- a/net/ipv6/udp.c
+++ b/net/ipv6/udp.c
+@@ -399,6 +399,7 @@ int udpv6_recvmsg(struct sock *sk, struct msghdr *msg, size_t len,
+        int peeked, off = 0;
+        int err;
+        int is_udplite = IS_UDPLITE(sk);
+       bool checksum_valid = false;
+        int is_udp4;
+        bool slow;
+ 
+@@ -430,11 +431,12 @@ try_again:
+         */
+ 
+        if (copied < ulen || UDP_SKB_CB(skb)->partial_cov) {
+-               if (udp_lib_checksum_complete(skb))
+               checksum_valid = !udp_lib_checksum_complete(skb);
+               if (!checksum_valid)
+                        goto csum_copy_err;
+        }
+ 
+-       if (skb_csum_unnecessary(skb))
+       if (checksum_valid || skb_csum_unnecessary(skb))
+                err = skb_copy_datagram_msg(skb, sizeof(struct udphdr),
+                                            msg, copied);
+        else {
+--
author	Andreas Wellving <andreas.wellving@enea.com>	2018-10-17 14:23:39 +0200
committer	Andreas Wellving <andreas.wellving@enea.com>	2018-10-17 14:23:39 +0200
commit	9663eadc371fa93896030458718a49672f9783d8 (patch)
tree	982f0f75e7afd7e5df989a5db369a0eab879fbdb
parent	26a5aeb5f6e2d2af95f21cc8b3e80a02c2380a58 (diff)
download	enea-kernel-cache-9663eadc371fa93896030458718a49672f9783d8.tar.gz

diff --git a/patches/cve/4.1.x.scc b/patches/cve/4.1.x.scc index 4451d85..96110a0 100644 --- a/patches/cve/4.1.x.scc +++ b/patches/cve/4.1.x.scc
@@ -2,3 +2,6 @@
2	patch CVE-2016-7039-net-add-recursion-limit-to-GRO.patch	2	patch CVE-2016-7039-net-add-recursion-limit-to-GRO.patch
3	patch CVE-2016-8399-net-ping-check-minimum-size-on-ICMP-header-length.patch	3	patch CVE-2016-8399-net-ping-check-minimum-size-on-ICMP-header-length.patch
4	patch CVE-2016-8655-packet-fix-race-condition-in-packet_set_ring.patch	4	patch CVE-2016-8655-packet-fix-race-condition-in-packet_set_ring.patch
		5
		6	#fixed in 4.1.40
		7	patch CVE-2016-10229-udp-properly-support-MSG_PEEK-with-truncated-buffers.patch


diff --git a/patches/cve/CVE-2016-10229-udp-properly-support-MSG_PEEK-with-truncated-buffers.patch b/patches/cve/CVE-2016-10229-udp-properly-support-MSG_PEEK-with-truncated-buffers.patch new file mode 100644 index 0000000..3ddb434 --- /dev/null +++ b/patches/cve/CVE-2016-10229-udp-properly-support-MSG_PEEK-with-truncated-buffers.patch
@@ -0,0 +1,101 @@
		1	From 5c564705d3f0436ddc70d833b975b870ba560528 Mon Sep 17 00:00:00 2001
		2	From: Eric Dumazet <edumazet@google.com>
		3	Date: Wed, 30 Dec 2015 08:51:12 -0500
		4	Subject: [PATCH] udp: properly support MSG_PEEK with truncated buffers
		5
		6	[ Upstream commit 197c949e7798fbf28cfadc69d9ca0c2abbf93191 ]
		7
		8	Backport of this upstream commit into stable kernels :
		9	89c22d8c3b27 ("net: Fix skb csum races when peeking")
		10	exposed a bug in udp stack vs MSG_PEEK support, when user provides
		11	a buffer smaller than skb payload.
		12
		13	In this case,
		14	skb_copy_and_csum_datagram_iovec(skb, sizeof(struct udphdr),
		15	msg->msg_iov);
		16	returns -EFAULT.
		17
		18	This bug does not happen in upstream kernels since Al Viro did a great
		19	job to replace this into :
		20	skb_copy_and_csum_datagram_msg(skb, sizeof(struct udphdr), msg);
		21	This variant is safe vs short buffers.
		22
		23	For the time being, instead reverting Herbert Xu patch and add back
		24	skb->ip_summed invalid changes, simply store the result of
		25	udp_lib_checksum_complete() so that we avoid computing the checksum a
		26	second time, and avoid the problematic
		27	skb_copy_and_csum_datagram_iovec() call.
		28
		29	This patch can be applied on recent kernels as it avoids a double
		30	checksumming, then backported to stable kernels as a bug fix.
		31
		32	CVE: CVE-2016-10229
		33	Upstream-Status: Backport
		34
		35	Signed-off-by: Eric Dumazet <edumazet@google.com>
		36	Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
		37	Signed-off-by: David S. Miller <davem@davemloft.net>
		38	Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
		39	Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
		40	---
		41	net/ipv4/udp.c \| 6 ++++--
		42	net/ipv6/udp.c \| 6 ++++--
		43	2 files changed, 8 insertions(+), 4 deletions(-)
		44
		45	diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
		46	index 031752e..4567189 100644
		47	--- a/net/ipv4/udp.c
		48	+++ b/net/ipv4/udp.c
		49	@@ -1264,6 +1264,7 @@ int udp_recvmsg(struct sock sk, struct msghdr msg, size_t len, int noblock,
		50	int peeked, off = 0;
		51	int err;
		52	int is_udplite = IS_UDPLITE(sk);
		53	+ bool checksum_valid = false;
		54	bool slow;
		55
		56	if (flags & MSG_ERRQUEUE)
		57	@@ -1289,11 +1290,12 @@ try_again:
		58	*/
		59
		60	if (copied < ulen \|\| UDP_SKB_CB(skb)->partial_cov) {
		61	- if (udp_lib_checksum_complete(skb))
		62	+ checksum_valid = !udp_lib_checksum_complete(skb);
		63	+ if (!checksum_valid)
		64	goto csum_copy_err;
		65	}
		66
		67	- if (skb_csum_unnecessary(skb))
		68	+ if (checksum_valid \|\| skb_csum_unnecessary(skb))
		69	err = skb_copy_datagram_msg(skb, sizeof(struct udphdr),
		70	msg, copied);
		71	else {
		72	diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c
		73	index 1173557..7aa424c 100644
		74	--- a/net/ipv6/udp.c
		75	+++ b/net/ipv6/udp.c
		76	@@ -399,6 +399,7 @@ int udpv6_recvmsg(struct sock sk, struct msghdr msg, size_t len,
		77	int peeked, off = 0;
		78	int err;
		79	int is_udplite = IS_UDPLITE(sk);
		80	+ bool checksum_valid = false;
		81	int is_udp4;
		82	bool slow;
		83
		84	@@ -430,11 +431,12 @@ try_again:
		85	*/
		86
		87	if (copied < ulen \|\| UDP_SKB_CB(skb)->partial_cov) {
		88	- if (udp_lib_checksum_complete(skb))
		89	+ checksum_valid = !udp_lib_checksum_complete(skb);
		90	+ if (!checksum_valid)
		91	goto csum_copy_err;
		92	}
		93
		94	- if (skb_csum_unnecessary(skb))
		95	+ if (checksum_valid \|\| skb_csum_unnecessary(skb))
		96	err = skb_copy_datagram_msg(skb, sizeof(struct udphdr),
		97	msg, copied);
		98	else {
		99	--
		100
		101