linux-cavium: CVE-2017-6214

ipv4/tcp: Infinite loop in tcp_splice_read() Reference: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-6214 Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Martin Borg <martin.borg@enea.com>
author: Sona Sarmadi <sona.sarmadi@enea.com> 2017-09-29 15:05:10 +0200
committer: Martin Borg <martin.borg@enea.com> 2017-10-02 09:41:16 +0200
commit: 389192b1bbfa5f0dcb013a32d16965c8c33c7afa (patch)
tree: d52f2de96c2f96c5a100d4e766001777ebd786b0
parent: c64913cec5cbf78e96771dfe76f14fc7cdd981b7 (diff)
download: meta-enea-bsp-arm-389192b1bbfa5f0dcb013a32d16965c8c33c7afa.tar.gz
2 files changed, 53 insertions, 0 deletions
diff --git a/recipes-kernel/linux/linux-cavium/CVE-2017-6214.patch b/recipes-kernel/linux/linux-cavium/CVE-2017-6214.patch
new file mode 100644
index 0000000..640ed5c
--- /dev/null
+++ b/recipes-kernel/linux/linux-cavium/CVE-2017-6214.patch
@@ -0,0 +1,52 @@
+From 0f895f51a831d73ce24158534784aba5b2a72a9e Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Fri, 3 Feb 2017 14:59:38 -0800
+Subject: [PATCH] tcp: avoid infinite loop in tcp_splice_read()
+[ Upstream commit ccf7abb93af09ad0868ae9033d1ca8108bdaec82 ]
+Splicing from TCP socket is vulnerable when a packet with URG flag is
+received and stored into receive queue.
+__tcp_splice_read() returns 0, and sk_wait_data() immediately
+returns since there is the problematic skb in queue.
+This is a nice way to burn cpu (aka infinite loop) and trigger
+soft lockups.
+Again, this gem was found by syzkaller tool.
+CVE: CVE-2017-6214
+Upstream-Status: Backport [from kernel.org longterm 4.9.52]
+Fixes: 9c55e01c0cc8 ("[TCP]: Splice receive support.")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: Dmitry Vyukov  <dvyukov@google.com>
+Cc: Willy Tarreau <w@1wt.eu>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ net/ipv4/tcp.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
+index 814af89..6a90a0e 100644
+--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
+@@ -772,6 +772,12 @@ ssize_t tcp_splice_read(struct socket *sock, loff_t *ppos,
+                                ret = -EAGAIN;
+                                break;
+                        }
+                       /* if __tcp_splice_read() got nothing while we have
+                        * an skb in receive queue, we do not want to loop.
+                        * This might happen with URG data.
+                        */
+                       if (!skb_queue_empty(&sk->sk_receive_queue))
+                               break;
+                        sk_wait_data(sk, &timeo, NULL);
+                        if (signal_pending(current)) {
+                                ret = sock_intr_errno(timeo);
+-- 
+1.9.1
diff --git a/recipes-kernel/linux/linux-cavium_4.9.inc b/recipes-kernel/linux/linux-cavium_4.9.inc
index 6aa43f4..67488ba 100644
--- a/recipes-kernel/linux/linux-cavium_4.9.inc
+++ b/recipes-kernel/linux/linux-cavium_4.9.inc
@@ -22,6 +22,7 @@ SRC_URI = "git://git@git.enea.com/linux/linux-cavium.git;protocol=ssh;name=machi
           file://CVE-2017-5669.patch \
           file://CVE-2017-5970.patch \
           file://CVE-2017-5986.patch \
+           file://CVE-2017-6214.patch \
           file://CVE-2017-7487.patch \
           file://CVE-2017-7618.patch \
           file://CVE-2017-7645.patch \
author	Sona Sarmadi <sona.sarmadi@enea.com>	2017-09-29 15:05:10 +0200
committer	Martin Borg <martin.borg@enea.com>	2017-10-02 09:41:16 +0200
commit	389192b1bbfa5f0dcb013a32d16965c8c33c7afa (patch)
tree	d52f2de96c2f96c5a100d4e766001777ebd786b0
parent	c64913cec5cbf78e96771dfe76f14fc7cdd981b7 (diff)
download	meta-enea-bsp-arm-389192b1bbfa5f0dcb013a32d16965c8c33c7afa.tar.gz

diff --git a/recipes-kernel/linux/linux-cavium/CVE-2017-6214.patch b/recipes-kernel/linux/linux-cavium/CVE-2017-6214.patch new file mode 100644 index 0000000..640ed5c --- /dev/null +++ b/recipes-kernel/linux/linux-cavium/CVE-2017-6214.patch
@@ -0,0 +1,52 @@
		1	From 0f895f51a831d73ce24158534784aba5b2a72a9e Mon Sep 17 00:00:00 2001
		2	From: Eric Dumazet <edumazet@google.com>
		3	Date: Fri, 3 Feb 2017 14:59:38 -0800
		4	Subject: [PATCH] tcp: avoid infinite loop in tcp_splice_read()
		5
		6	[ Upstream commit ccf7abb93af09ad0868ae9033d1ca8108bdaec82 ]
		7
		8	Splicing from TCP socket is vulnerable when a packet with URG flag is
		9	received and stored into receive queue.
		10
		11	__tcp_splice_read() returns 0, and sk_wait_data() immediately
		12	returns since there is the problematic skb in queue.
		13
		14	This is a nice way to burn cpu (aka infinite loop) and trigger
		15	soft lockups.
		16
		17	Again, this gem was found by syzkaller tool.
		18
		19	CVE: CVE-2017-6214
		20	Upstream-Status: Backport [from kernel.org longterm 4.9.52]
		21
		22	Fixes: 9c55e01c0cc8 ("[TCP]: Splice receive support.")
		23	Signed-off-by: Eric Dumazet <edumazet@google.com>
		24	Reported-by: Dmitry Vyukov <dvyukov@google.com>
		25	Cc: Willy Tarreau <w@1wt.eu>
		26	Signed-off-by: David S. Miller <davem@davemloft.net>
		27	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
		28	Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
		29	---
		30	net/ipv4/tcp.c \| 6 ++++++
		31	1 file changed, 6 insertions(+)
		32
		33	diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
		34	index 814af89..6a90a0e 100644
		35	--- a/net/ipv4/tcp.c
		36	+++ b/net/ipv4/tcp.c
		37	@@ -772,6 +772,12 @@ ssize_t tcp_splice_read(struct socket sock, loff_t ppos,
		38	ret = -EAGAIN;
		39	break;
		40	}
		41	+ /* if __tcp_splice_read() got nothing while we have
		42	+ * an skb in receive queue, we do not want to loop.
		43	+ * This might happen with URG data.
		44	+ */
		45	+ if (!skb_queue_empty(&sk->sk_receive_queue))
		46	+ break;
		47	sk_wait_data(sk, &timeo, NULL);
		48	if (signal_pending(current)) {
		49	ret = sock_intr_errno(timeo);
		50	--
		51	1.9.1
		52


diff --git a/recipes-kernel/linux/linux-cavium_4.9.inc b/recipes-kernel/linux/linux-cavium_4.9.inc index 6aa43f4..67488ba 100644 --- a/recipes-kernel/linux/linux-cavium_4.9.inc +++ b/recipes-kernel/linux/linux-cavium_4.9.inc
@@ -22,6 +22,7 @@ SRC_URI = "git://git@git.enea.com/linux/linux-cavium.git;protocol=ssh;name=machi
22	file://CVE-2017-5669.patch \	22	file://CVE-2017-5669.patch \
23	file://CVE-2017-5970.patch \	23	file://CVE-2017-5970.patch \
24	file://CVE-2017-5986.patch \	24	file://CVE-2017-5986.patch \
		25	file://CVE-2017-6214.patch \
25	file://CVE-2017-7487.patch \	26	file://CVE-2017-7487.patch \
26	file://CVE-2017-7618.patch \	27	file://CVE-2017-7618.patch \
27	file://CVE-2017-7645.patch \	28	file://CVE-2017-7645.patch \