linux-cavium: CVE-2017-5986

Reachable BUG_ON from userspace in sctp_wait_for_sndbuf

Reference:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-5986

Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>

2 files changed, 47 insertions, 0 deletions

diff --git a/recipes-kernel/linux/linux-cavium/CVE-2017-5986.patch b/recipes-kernel/linux/linux-cavium/CVE-2017-5986.patch
new file mode 100644
index 0000000..6750cd5
--- /dev/null
+++ b/recipes-kernel/linux/linux-cavium/CVE-2017-5986.patch
@@ -0,0 +1,46 @@
+From 00eff2ebbd229758e90659907724c14dd5a18339 Mon Sep 17 00:00:00 2001
+From: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Date: Mon, 6 Feb 2017 18:10:31 -0200
+Subject: [PATCH] sctp: avoid BUG_ON on sctp_wait_for_sndbuf
+
+[ Upstream commit 2dcab598484185dea7ec22219c76dcdd59e3cb90 ]
+
+Alexander Popov reported that an application may trigger a BUG_ON in
+sctp_wait_for_sndbuf if the socket tx buffer is full, a thread is
+waiting on it to queue more data and meanwhile another thread peels off
+the association being used by the first thread.
+
+This patch replaces the BUG_ON call with a proper error handling. It
+will return -EPIPE to the original sendmsg call, similarly to what would
+have been done if the association wasn't found in the first place.
+
+CVE: CVE-2017-5986
+Upstream-Status: Backport [from kernel.org longterm 4.9.52]
+
+Acked-by: Alexander Popov <alex.popov@linux.com>
+Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Reviewed-by: Xin Long <lucien.xin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ net/sctp/socket.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/sctp/socket.c b/net/sctp/socket.c
+index ca12aa3..6cbe5bd 100644
+--- a/net/sctp/socket.c
++++ b/net/sctp/socket.c
+@@ -7427,7 +7427,8 @@ static int sctp_wait_for_sndbuf(struct sctp_association *asoc, long *timeo_p,
+                 */
+                release_sock(sk);
+                current_timeo = schedule_timeout(current_timeo);
+-               BUG_ON(sk != asoc->base.sk);
++               if (sk != asoc->base.sk)
++                       goto do_error;
+                lock_sock(sk);
+ 
+                *timeo_p = current_timeo;
+-- 
+1.9.1
+
diff --git a/recipes-kernel/linux/linux-cavium_4.9.inc b/recipes-kernel/linux/linux-cavium_4.9.inc
index fc1a341..6aa43f4 100644
--- a/recipes-kernel/linux/linux-cavium_4.9.inc
+++ b/recipes-kernel/linux/linux-cavium_4.9.inc
@@ -21,6 +21,7 @@ SRC_URI = "git://git@git.enea.com/linux/linux-cavium.git;protocol=ssh;name=machi
            file://CVE-2017-5577.patch \
            file://CVE-2017-5669.patch \
            file://CVE-2017-5970.patch \
+           file://CVE-2017-5986.patch \
            file://CVE-2017-7487.patch \
            file://CVE-2017-7618.patch \
            file://CVE-2017-7645.patch \