1 files changed, 86 insertions, 0 deletions
diff --git a/patches/cve/CVE-2019-11478-tcp-tcp_fragment-should-apply-sane-memory-limits.patch b/patches/cve/CVE-2019-11478-tcp-tcp_fragment-should-apply-sane-memory-limits.patch
new file mode 100644
index 0000000..7d0c4f4
--- /dev/null
+++ b/patches/cve/CVE-2019-11478-tcp-tcp_fragment-should-apply-sane-memory-limits.patch
@@ -0,0 +1,86 @@
+From e358f4af19db46ca25cc9a8a78412b09ba98859d Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Sat, 15 Jun 2019 17:40:56 -0700
+Subject: [PATCH] tcp: tcp_fragment() should apply sane memory limits
+commit f070ef2ac66716357066b683fb0baf55f8191a2e upstream.
+Jonathan Looney reported that a malicious peer can force a sender
+to fragment its retransmit queue into tiny skbs, inflating memory
+usage and/or overflow 32bit counters.
+TCP allows an application to queue up to sk_sndbuf bytes,
+so we need to give some allowance for non malicious splitting
+of retransmit queue.
+A new SNMP counter is added to monitor how many times TCP
+did not allow to split an skb if the allowance was exceeded.
+Note that this counter might increase in the case applications
+use SO_SNDBUF socket option to lower sk_sndbuf.
+CVE-2019-11478 : tcp_fragment, prevent fragmenting a packet when the
+        socket is already using more than half the allowed space
+CVE: CVE-2019-11478
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.9.y&id=e358f4af19db46ca25cc9a8a78412b09ba98859d]
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: Jonathan Looney <jtl@netflix.com>
+Acked-by: Neal Cardwell <ncardwell@google.com>
+Acked-by: Yuchung Cheng <ycheng@google.com>
+Reviewed-by: Tyler Hicks <tyhicks@canonical.com>
+Cc: Bruce Curtis <brucec@netflix.com>
+Cc: Jonathan Lemon <jonathan.lemon@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
+---
+ include/uapi/linux/snmp.h | 1 +
+ net/ipv4/proc.c           | 1 +
+ net/ipv4/tcp_output.c     | 5 +++++
+ 3 files changed, 7 insertions(+)
+diff --git a/include/uapi/linux/snmp.h b/include/uapi/linux/snmp.h
+index 3442a26d36d9..56e3460d1f9f 100644
+--- a/include/uapi/linux/snmp.h
+++ b/include/uapi/linux/snmp.h
+@@ -282,6 +282,7 @@ enum
+        LINUX_MIB_TCPKEEPALIVE,                 /* TCPKeepAlive */
+        LINUX_MIB_TCPMTUPFAIL,                  /* TCPMTUPFail */
+        LINUX_MIB_TCPMTUPSUCCESS,               /* TCPMTUPSuccess */
+       LINUX_MIB_TCPWQUEUETOOBIG,              /* TCPWqueueTooBig */
+        __LINUX_MIB_MAX
+ };
+ 
+diff --git a/net/ipv4/proc.c b/net/ipv4/proc.c
+index ec48d8eafc7e..8b221398534b 100644
+--- a/net/ipv4/proc.c
+++ b/net/ipv4/proc.c
+@@ -306,6 +306,7 @@ static const struct snmp_mib snmp4_net_list[] = {
+        SNMP_MIB_ITEM("TCPKeepAlive", LINUX_MIB_TCPKEEPALIVE),
+        SNMP_MIB_ITEM("TCPMTUPFail", LINUX_MIB_TCPMTUPFAIL),
+        SNMP_MIB_ITEM("TCPMTUPSuccess", LINUX_MIB_TCPMTUPSUCCESS),
+       SNMP_MIB_ITEM("TCPWqueueTooBig", LINUX_MIB_TCPWQUEUETOOBIG),
+        SNMP_MIB_SENTINEL
+ };
+ 
+diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
+index 2f166662682e..123b2d8fde46 100644
+--- a/net/ipv4/tcp_output.c
+++ b/net/ipv4/tcp_output.c
+@@ -1185,6 +1185,11 @@ int tcp_fragment(struct sock *sk, struct sk_buff *skb, u32 len,
+        if (nsize < 0)
+                nsize = 0;
+ 
+       if (unlikely((sk->sk_wmem_queued >> 1) > sk->sk_sndbuf)) {
+               NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPWQUEUETOOBIG);
+               return -ENOMEM;
+       }
+
+        if (skb_unclone(skb, gfp))
+                return -ENOMEM;
+ 
+-- 
+2.20.1

diff --git a/patches/cve/CVE-2019-11478-tcp-tcp_fragment-should-apply-sane-memory-limits.patch b/patches/cve/CVE-2019-11478-tcp-tcp_fragment-should-apply-sane-memory-limits.patch new file mode 100644 index 0000000..7d0c4f4 --- /dev/null +++ b/patches/cve/CVE-2019-11478-tcp-tcp_fragment-should-apply-sane-memory-limits.patch
@@ -0,0 +1,86 @@
	1	From e358f4af19db46ca25cc9a8a78412b09ba98859d Mon Sep 17 00:00:00 2001
	2	From: Eric Dumazet <edumazet@google.com>
	3	Date: Sat, 15 Jun 2019 17:40:56 -0700
	4	Subject: [PATCH] tcp: tcp_fragment() should apply sane memory limits
	5
	6	commit f070ef2ac66716357066b683fb0baf55f8191a2e upstream.
	7
	8	Jonathan Looney reported that a malicious peer can force a sender
	9	to fragment its retransmit queue into tiny skbs, inflating memory
	10	usage and/or overflow 32bit counters.
	11
	12	TCP allows an application to queue up to sk_sndbuf bytes,
	13	so we need to give some allowance for non malicious splitting
	14	of retransmit queue.
	15
	16	A new SNMP counter is added to monitor how many times TCP
	17	did not allow to split an skb if the allowance was exceeded.
	18
	19	Note that this counter might increase in the case applications
	20	use SO_SNDBUF socket option to lower sk_sndbuf.
	21
	22	CVE-2019-11478 : tcp_fragment, prevent fragmenting a packet when the
	23	socket is already using more than half the allowed space
	24
	25	CVE: CVE-2019-11478
	26	Upstream-Status: Backport [https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.9.y&id=e358f4af19db46ca25cc9a8a78412b09ba98859d]
	27
	28	Signed-off-by: Eric Dumazet <edumazet@google.com>
	29	Reported-by: Jonathan Looney <jtl@netflix.com>
	30	Acked-by: Neal Cardwell <ncardwell@google.com>
	31	Acked-by: Yuchung Cheng <ycheng@google.com>
	32	Reviewed-by: Tyler Hicks <tyhicks@canonical.com>
	33	Cc: Bruce Curtis <brucec@netflix.com>
	34	Cc: Jonathan Lemon <jonathan.lemon@gmail.com>
	35	Signed-off-by: David S. Miller <davem@davemloft.net>
	36	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	37	Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
	38	---
	39	include/uapi/linux/snmp.h \| 1 +
	40	net/ipv4/proc.c \| 1 +
	41	net/ipv4/tcp_output.c \| 5 +++++
	42	3 files changed, 7 insertions(+)
	43
	44	diff --git a/include/uapi/linux/snmp.h b/include/uapi/linux/snmp.h
	45	index 3442a26d36d9..56e3460d1f9f 100644
	46	--- a/include/uapi/linux/snmp.h
	47	+++ b/include/uapi/linux/snmp.h
	48	@@ -282,6 +282,7 @@ enum
	49	LINUX_MIB_TCPKEEPALIVE, /* TCPKeepAlive */
	50	LINUX_MIB_TCPMTUPFAIL, /* TCPMTUPFail */
	51	LINUX_MIB_TCPMTUPSUCCESS, /* TCPMTUPSuccess */
	52	+ LINUX_MIB_TCPWQUEUETOOBIG, /* TCPWqueueTooBig */
	53	__LINUX_MIB_MAX
	54	};
	55
	56	diff --git a/net/ipv4/proc.c b/net/ipv4/proc.c
	57	index ec48d8eafc7e..8b221398534b 100644
	58	--- a/net/ipv4/proc.c
	59	+++ b/net/ipv4/proc.c
	60	@@ -306,6 +306,7 @@ static const struct snmp_mib snmp4_net_list[] = {
	61	SNMP_MIB_ITEM("TCPKeepAlive", LINUX_MIB_TCPKEEPALIVE),
	62	SNMP_MIB_ITEM("TCPMTUPFail", LINUX_MIB_TCPMTUPFAIL),
	63	SNMP_MIB_ITEM("TCPMTUPSuccess", LINUX_MIB_TCPMTUPSUCCESS),
	64	+ SNMP_MIB_ITEM("TCPWqueueTooBig", LINUX_MIB_TCPWQUEUETOOBIG),
	65	SNMP_MIB_SENTINEL
	66	};
	67
	68	diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
	69	index 2f166662682e..123b2d8fde46 100644
	70	--- a/net/ipv4/tcp_output.c
	71	+++ b/net/ipv4/tcp_output.c
	72	@@ -1185,6 +1185,11 @@ int tcp_fragment(struct sock sk, struct sk_buff skb, u32 len,
	73	if (nsize < 0)
	74	nsize = 0;
	75
	76	+ if (unlikely((sk->sk_wmem_queued >> 1) > sk->sk_sndbuf)) {
	77	+ NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPWQUEUETOOBIG);
	78	+ return -ENOMEM;
	79	+ }
	80	+
	81	if (skb_unclone(skb, gfp))
	82	return -ENOMEM;
	83
	84	--
	85	2.20.1
	86