author | Sona Sarmadi <sona.sarmadi@enea.com> | 2017-09-29 15:05:10 +0200 |
---|---|---|
committer | Martin Borg <martin.borg@enea.com> | 2017-10-02 09:41:16 +0200 |
commit | 389192b1bbfa5f0dcb013a32d16965c8c33c7afa (patch) | |
tree | d52f2de96c2f96c5a100d4e766001777ebd786b0 | |
parent | c64913cec5cbf78e96771dfe76f14fc7cdd981b7 (diff) | |
download | meta-enea-bsp-arm-389192b1bbfa5f0dcb013a32d16965c8c33c7afa.tar.gz |
linux-cavium: CVE-2017-6214
ipv4/tcp: Infinite loop in tcp_splice_read()
Reference:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-6214
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Martin Borg <martin.borg@enea.com>
-rw-r--r-- | recipes-kernel/linux/linux-cavium/CVE-2017-6214.patch | 52 | ||||
-rw-r--r-- | recipes-kernel/linux/linux-cavium_4.9.inc | 1 |
2 files changed, 53 insertions, 0 deletions
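--- /dev/null
+++ b/recipes-kernel/linux/linux-cavium/CVE-2017-6214.patch
@@ -0,0 +1,52 @@
+From 0f895f51a831d73ce24158534784aba5b2a72a9e Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Fri, 3 Feb 2017 14:59:38 -0800
+Subject: [PATCH] tcp: avoid infinite loop in tcp_splice_read()
+
+[ Upstream commit ccf7abb93af09ad0868ae9033d1ca8108bdaec82 ]
+
+Splicing from TCP socket is vulnerable when a packet with URG flag is
+received and stored into receive queue.
+
+__tcp_splice_read() returns 0, and sk_wait_data() immediately
+returns since there is the problematic skb in queue.
+
+This is a nice way to burn cpu (aka infinite loop) and trigger
+soft lockups.
+
+Again, this gem was found by syzkaller tool.
+
+CVE: CVE-2017-6214
+Upstream-Status: Backport [from kernel.org longterm 4.9.52]
+
+Fixes: 9c55e01c0cc8 ("[TCP]: Splice receive support.")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: Dmitry Vyukov <dvyukov@google.com>
+Cc: Willy Tarreau <w@1wt.eu>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+net/ipv4/tcp.c | 6 ++++++
+1 file changed, 6 insertions(+)
+
+diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
+index 814af89..6a90a0e 100644
+--- a/net/ipv4/tcp.c
++++ b/net/ipv4/tcp.c
+@@ -772,6 +772,12 @@ ssize_t tcp_splice_read(struct socket *sock, loff_t *ppos,
+ret = -EAGAIN;
+break;
+}
++ /* if __tcp_splice_read() got nothing while we have
++ * an skb in receive queue, we do not want to loop.
++ * This might happen with URG data.
++ */
++ if (!skb_queue_empty(&sk->sk_receive_queue))
++ break;
+sk_wait_data(sk, &timeo, NULL);
+if (signal_pending(current)) {
+ret = sock_intr_errno(timeo);
+--
+1.9.1
+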
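Review bot: The backport is taken from kernel.org longterm 4.9.52 (the Upstream-Status line), while the kernel this recipe builds comes from the linux-cavium vendor tree named in SRC_URI, so it is worth confirming on the commit that the vendor branch does not already carry upstream ccf7abb93af0 and that the hunk at net/ipv4/tcp.c:772 applies there without fuzz or offset; if the vendor branch differs around tcp_splice_read() the hunk could land at a shifted position or be rejected at do_patch time. Stating the vendor base revision in the recipe commit message, e.g. `Verified against linux-cavium <VENDOR_COMMIT_PLACEHOLDER>`, would make that reproducible for the next CVE backport. The enclosing function tcp_splice_read() starts and ends outside the quoted hunk, so the effect of the added break on the function's return value cannot be checked from this page alone.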
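--- a/recipes-kernel/linux/linux-cavium_4.9.inc
+++ b/recipes-kernel/linux/linux-cavium_4.9.inc
@@ -22,6 +22,7 @@ SRC_URI = "git://git@git.enea.com/linux/linux-cavium.git;protocol=ssh;name=machi
 file://CVE-2017-5669.patch \
 file://CVE-2017-5970.patch \
 file://CVE-2017-5986.patch \
+file://CVE-2017-6214.patch \
 file://CVE-2017-7487.patch \
 file://CVE-2017-7618.patch \
 file://CVE-2017-7645.patch \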