linux-cavium: CVE-2017-5970

ipv4: Invalid IP options could cause skb->dst drop Reference: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-5970 Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
author: Sona Sarmadi <sona.sarmadi@enea.com> 2017-09-29 12:28:02 +0200
committer: Adrian Dudau <adrian.dudau@enea.com> 2017-09-29 13:08:46 +0200
commit: 00210ac1b365ae4a8d2067a6456d4f163a514ff9 (patch)
tree: 0ba8a58f30a23de0e707ad49a7a128d75ea2773d
parent: e5dfc5da18f3734979f44c47f1442484b40feb24 (diff)
download: meta-enea-bsp-arm-00210ac1b365ae4a8d2067a6456d4f163a514ff9.tar.gz
2 files changed, 55 insertions, 0 deletions
diff --git a/recipes-kernel/linux/linux-cavium/CVE-2017-5970.patch b/recipes-kernel/linux/linux-cavium/CVE-2017-5970.patch
new file mode 100644
index 0000000..ddfcca1
--- /dev/null
+++ b/recipes-kernel/linux/linux-cavium/CVE-2017-5970.patch
@@ -0,0 +1,54 @@
+From f5b54446630a973e1f27b68599366bbd0ac53066 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Sat, 4 Feb 2017 11:16:52 -0800
+Subject: [PATCH] ipv4: keep skb->dst around in presence of IP options
+[ Upstream commit 34b2cef20f19c87999fff3da4071e66937db9644 ]
+Andrey Konovalov got crashes in __ip_options_echo() when a NULL skb->dst
+is accessed.
+ipv4_pktinfo_prepare() should not drop the dst if (evil) IP options
+are present.
+We could refine the test to the presence of ts_needtime or srr,
+but IP options are not often used, so let's be conservative.
+Thanks to syzkaller team for finding this bug.
+CVE: CVE-2017-5970
+Upstream-Status: Backport [from kernel.org longterm 4.9.52]
+Fixes: d826eb14ecef ("ipv4: PKTINFO doesnt need dst reference")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: Andrey Konovalov <andreyknvl@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ net/ipv4/ip_sockglue.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c
+index f226f408..65336f3 100644
+--- a/net/ipv4/ip_sockglue.c
+++ b/net/ipv4/ip_sockglue.c
+@@ -1215,7 +1215,14 @@ void ipv4_pktinfo_prepare(const struct sock *sk, struct sk_buff *skb)
+                pktinfo->ipi_ifindex = 0;
+                pktinfo->ipi_spec_dst.s_addr = 0;
+        }
+-       skb_dst_drop(skb);
+       /* We need to keep the dst for __ip_options_echo()
+        * We could restrict the test to opt.ts_needtime || opt.srr,
+        * but the following is good enough as IP options are not often used.
+        */
+       if (unlikely(IPCB(skb)->opt.optlen))
+               skb_dst_force(skb);
+       else
+               skb_dst_drop(skb);
+ }
+ 
+ int ip_setsockopt(struct sock *sk, int level,
+-- 
+1.9.1
diff --git a/recipes-kernel/linux/linux-cavium_4.9.inc b/recipes-kernel/linux/linux-cavium_4.9.inc
index e35c12f..fc1a341 100644
--- a/recipes-kernel/linux/linux-cavium_4.9.inc
+++ b/recipes-kernel/linux/linux-cavium_4.9.inc
@@ -20,6 +20,7 @@ SRC_URI = "git://git@git.enea.com/linux/linux-cavium.git;protocol=ssh;name=machi
           file://CVE-2017-5551.patch \
           file://CVE-2017-5577.patch \
           file://CVE-2017-5669.patch \
+           file://CVE-2017-5970.patch \
           file://CVE-2017-7487.patch \
           file://CVE-2017-7618.patch \
           file://CVE-2017-7645.patch \
author	Sona Sarmadi <sona.sarmadi@enea.com>	2017-09-29 12:28:02 +0200
committer	Adrian Dudau <adrian.dudau@enea.com>	2017-09-29 13:08:46 +0200
commit	00210ac1b365ae4a8d2067a6456d4f163a514ff9 (patch)
tree	0ba8a58f30a23de0e707ad49a7a128d75ea2773d
parent	e5dfc5da18f3734979f44c47f1442484b40feb24 (diff)
download	meta-enea-bsp-arm-00210ac1b365ae4a8d2067a6456d4f163a514ff9.tar.gz

diff --git a/recipes-kernel/linux/linux-cavium/CVE-2017-5970.patch b/recipes-kernel/linux/linux-cavium/CVE-2017-5970.patch new file mode 100644 index 0000000..ddfcca1 --- /dev/null +++ b/recipes-kernel/linux/linux-cavium/CVE-2017-5970.patch
@@ -0,0 +1,54 @@
		1	From f5b54446630a973e1f27b68599366bbd0ac53066 Mon Sep 17 00:00:00 2001
		2	From: Eric Dumazet <edumazet@google.com>
		3	Date: Sat, 4 Feb 2017 11:16:52 -0800
		4	Subject: [PATCH] ipv4: keep skb->dst around in presence of IP options
		5
		6	[ Upstream commit 34b2cef20f19c87999fff3da4071e66937db9644 ]
		7
		8	Andrey Konovalov got crashes in __ip_options_echo() when a NULL skb->dst
		9	is accessed.
		10
		11	ipv4_pktinfo_prepare() should not drop the dst if (evil) IP options
		12	are present.
		13
		14	We could refine the test to the presence of ts_needtime or srr,
		15	but IP options are not often used, so let's be conservative.
		16
		17	Thanks to syzkaller team for finding this bug.
		18
		19	CVE: CVE-2017-5970
		20	Upstream-Status: Backport [from kernel.org longterm 4.9.52]
		21
		22	Fixes: d826eb14ecef ("ipv4: PKTINFO doesnt need dst reference")
		23	Signed-off-by: Eric Dumazet <edumazet@google.com>
		24	Reported-by: Andrey Konovalov <andreyknvl@google.com>
		25	Signed-off-by: David S. Miller <davem@davemloft.net>
		26	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
		27	Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
		28	---
		29	net/ipv4/ip_sockglue.c \| 9 ++++++++-
		30	1 file changed, 8 insertions(+), 1 deletion(-)
		31
		32	diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c
		33	index f226f408..65336f3 100644
		34	--- a/net/ipv4/ip_sockglue.c
		35	+++ b/net/ipv4/ip_sockglue.c
		36	@@ -1215,7 +1215,14 @@ void ipv4_pktinfo_prepare(const struct sock sk, struct sk_buff skb)
		37	pktinfo->ipi_ifindex = 0;
		38	pktinfo->ipi_spec_dst.s_addr = 0;
		39	}
		40	- skb_dst_drop(skb);
		41	+ /* We need to keep the dst for __ip_options_echo()
		42	+ * We could restrict the test to opt.ts_needtime \|\| opt.srr,
		43	+ * but the following is good enough as IP options are not often used.
		44	+ */
		45	+ if (unlikely(IPCB(skb)->opt.optlen))
		46	+ skb_dst_force(skb);
		47	+ else
		48	+ skb_dst_drop(skb);
		49	}
		50
		51	int ip_setsockopt(struct sock *sk, int level,
		52	--
		53	1.9.1
		54


diff --git a/recipes-kernel/linux/linux-cavium_4.9.inc b/recipes-kernel/linux/linux-cavium_4.9.inc index e35c12f..fc1a341 100644 --- a/recipes-kernel/linux/linux-cavium_4.9.inc +++ b/recipes-kernel/linux/linux-cavium_4.9.inc
@@ -20,6 +20,7 @@ SRC_URI = "git://git@git.enea.com/linux/linux-cavium.git;protocol=ssh;name=machi
20	file://CVE-2017-5551.patch \	20	file://CVE-2017-5551.patch \
21	file://CVE-2017-5577.patch \	21	file://CVE-2017-5577.patch \
22	file://CVE-2017-5669.patch \	22	file://CVE-2017-5669.patch \
		23	file://CVE-2017-5970.patch \
23	file://CVE-2017-7487.patch \	24	file://CVE-2017-7487.patch \
24	file://CVE-2017-7618.patch \	25	file://CVE-2017-7618.patch \
25	file://CVE-2017-7645.patch \	26	file://CVE-2017-7645.patch \