diff options
author | Sona Sarmadi <sona.sarmadi@enea.com> | 2017-09-29 12:28:03 +0200 |
---|---|---|
committer | Adrian Dudau <adrian.dudau@enea.com> | 2017-09-29 13:08:46 +0200 |
commit | c64913cec5cbf78e96771dfe76f14fc7cdd981b7 (patch) | |
tree | 249834189b242e3350ed5dd9dcabd33e0599332d | |
parent | 00210ac1b365ae4a8d2067a6456d4f163a514ff9 (diff) | |
download | meta-enea-bsp-arm-c64913cec5cbf78e96771dfe76f14fc7cdd981b7.tar.gz |
linux-cavium: CVE-2017-5986
Reachable BUG_ON from userspace in sctp_wait_for_sndbuf
Reference:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-5986
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
-rw-r--r-- | recipes-kernel/linux/linux-cavium/CVE-2017-5986.patch | 46 | ||||
-rw-r--r-- | recipes-kernel/linux/linux-cavium_4.9.inc | 1 |
2 files changed, 47 insertions, 0 deletions
diff --git a/recipes-kernel/linux/linux-cavium/CVE-2017-5986.patch b/recipes-kernel/linux/linux-cavium/CVE-2017-5986.patch new file mode 100644 index 0000000..6750cd5 --- /dev/null +++ b/recipes-kernel/linux/linux-cavium/CVE-2017-5986.patch | |||
@@ -0,0 +1,46 @@ | |||
1 | From 00eff2ebbd229758e90659907724c14dd5a18339 Mon Sep 17 00:00:00 2001 | ||
2 | From: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com> | ||
3 | Date: Mon, 6 Feb 2017 18:10:31 -0200 | ||
4 | Subject: [PATCH] sctp: avoid BUG_ON on sctp_wait_for_sndbuf | ||
5 | |||
6 | [ Upstream commit 2dcab598484185dea7ec22219c76dcdd59e3cb90 ] | ||
7 | |||
8 | Alexander Popov reported that an application may trigger a BUG_ON in | ||
9 | sctp_wait_for_sndbuf if the socket tx buffer is full, a thread is | ||
10 | waiting on it to queue more data and meanwhile another thread peels off | ||
11 | the association being used by the first thread. | ||
12 | |||
13 | This patch replaces the BUG_ON call with a proper error handling. It | ||
14 | will return -EPIPE to the original sendmsg call, similarly to what would | ||
15 | have been done if the association wasn't found in the first place. | ||
16 | |||
17 | CVE: CVE-2017-5986 | ||
18 | Upstream-Status: Backport [from kernel.org longterm 4.9.52] | ||
19 | |||
20 | Acked-by: Alexander Popov <alex.popov@linux.com> | ||
21 | Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com> | ||
22 | Reviewed-by: Xin Long <lucien.xin@gmail.com> | ||
23 | Signed-off-by: David S. Miller <davem@davemloft.net> | ||
24 | Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> | ||
25 | Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> | ||
26 | --- | ||
27 | net/sctp/socket.c | 3 ++- | ||
28 | 1 file changed, 2 insertions(+), 1 deletion(-) | ||
29 | |||
30 | diff --git a/net/sctp/socket.c b/net/sctp/socket.c | ||
31 | index ca12aa3..6cbe5bd 100644 | ||
32 | --- a/net/sctp/socket.c | ||
33 | +++ b/net/sctp/socket.c | ||
34 | @@ -7427,7 +7427,8 @@ static int sctp_wait_for_sndbuf(struct sctp_association *asoc, long *timeo_p, | ||
35 | */ | ||
36 | release_sock(sk); | ||
37 | current_timeo = schedule_timeout(current_timeo); | ||
38 | - BUG_ON(sk != asoc->base.sk); | ||
39 | + if (sk != asoc->base.sk) | ||
40 | + goto do_error; | ||
41 | lock_sock(sk); | ||
42 | |||
43 | *timeo_p = current_timeo; | ||
44 | -- | ||
45 | 1.9.1 | ||
46 | |||
diff --git a/recipes-kernel/linux/linux-cavium_4.9.inc b/recipes-kernel/linux/linux-cavium_4.9.inc index fc1a341..6aa43f4 100644 --- a/recipes-kernel/linux/linux-cavium_4.9.inc +++ b/recipes-kernel/linux/linux-cavium_4.9.inc | |||
@@ -21,6 +21,7 @@ SRC_URI = "git://git@git.enea.com/linux/linux-cavium.git;protocol=ssh;name=machi | |||
21 | file://CVE-2017-5577.patch \ | 21 | file://CVE-2017-5577.patch \ |
22 | file://CVE-2017-5669.patch \ | 22 | file://CVE-2017-5669.patch \ |
23 | file://CVE-2017-5970.patch \ | 23 | file://CVE-2017-5970.patch \ |
24 | file://CVE-2017-5986.patch \ | ||
24 | file://CVE-2017-7487.patch \ | 25 | file://CVE-2017-7487.patch \ |
25 | file://CVE-2017-7618.patch \ | 26 | file://CVE-2017-7618.patch \ |
26 | file://CVE-2017-7645.patch \ | 27 | file://CVE-2017-7645.patch \ |