linux-cavium: CVE-2017-6345

llc: skb->sk set without skb->destructor Reference: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-6345 Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Martin Borg <martin.borg@enea.com>
author: Sona Sarmadi <sona.sarmadi@enea.com> 2017-09-29 15:05:11 +0200
committer: Martin Borg <martin.borg@enea.com> 2017-10-02 09:41:20 +0200
commit: e91902d91a4334b2cfbfd299fcb798c5e68da8af (patch)
tree: 6565bca00b98210b69440f25f21449382c6e7792
parent: 389192b1bbfa5f0dcb013a32d16965c8c33c7afa (diff)
download: meta-enea-bsp-arm-e91902d91a4334b2cfbfd299fcb798c5e68da8af.tar.gz
2 files changed, 66 insertions, 0 deletions
diff --git a/recipes-kernel/linux/linux-cavium/CVE-2017-6345.patch b/recipes-kernel/linux/linux-cavium/CVE-2017-6345.patch
new file mode 100644
index 0000000..b0ac548
--- /dev/null
+++ b/recipes-kernel/linux/linux-cavium/CVE-2017-6345.patch
@@ -0,0 +1,65 @@
+From 42b52783a59cc706c71cdc7096edce4a6f086fd3 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Sun, 12 Feb 2017 14:03:52 -0800
+Subject: [PATCH] net/llc: avoid BUG_ON() in skb_orphan()
+[ Upstream commit 8b74d439e1697110c5e5c600643e823eb1dd0762 ]
+It seems nobody used LLC since linux-3.12.
+Fortunately fuzzers like syzkaller still know how to run this code,
+otherwise it would be no fun.
+Setting skb->sk without skb->destructor leads to all kinds of
+bugs, we now prefer to be very strict about it.
+Ideally here we would use skb_set_owner() but this helper does not exist yet,
+only CAN seems to have a private helper for that.
+CVE: CVE-2017-6345
+Upstream-Status: Backport [from kernel.org longterm 4.9.52]
+Fixes: 376c7311bdb6 ("net: add a temporary sanity check in skb_orphan()")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: Andrey Konovalov <andreyknvl@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ net/llc/llc_conn.c | 3 +++
+ net/llc/llc_sap.c  | 3 +++
+ 2 files changed, 6 insertions(+)
+diff --git a/net/llc/llc_conn.c b/net/llc/llc_conn.c
+index 3e821da..8bc5a1b 100644
+--- a/net/llc/llc_conn.c
+++ b/net/llc/llc_conn.c
+@@ -821,7 +821,10 @@ void llc_conn_handler(struct llc_sap *sap, struct sk_buff *skb)
+                 * another trick required to cope with how the PROCOM state
+                 * machine works. -acme
+                 */
+               skb_orphan(skb);
+               sock_hold(sk);
+                skb->sk = sk;
+               skb->destructor = sock_efree;
+        }
+        if (!sock_owned_by_user(sk))
+                llc_conn_rcv(sk, skb);
+diff --git a/net/llc/llc_sap.c b/net/llc/llc_sap.c
+index d0e1e80..5404d0d 100644
+--- a/net/llc/llc_sap.c
+++ b/net/llc/llc_sap.c
+@@ -290,7 +290,10 @@ static void llc_sap_rcv(struct llc_sap *sap, struct sk_buff *skb,
+ 
+        ev->type   = LLC_SAP_EV_TYPE_PDU;
+        ev->reason = 0;
+       skb_orphan(skb);
+       sock_hold(sk);
+        skb->sk = sk;
+       skb->destructor = sock_efree;
+        llc_sap_state_process(sap, skb);
+ }
+ 
+-- 
+1.9.1
diff --git a/recipes-kernel/linux/linux-cavium_4.9.inc b/recipes-kernel/linux/linux-cavium_4.9.inc
index 67488ba..c6959ab 100644
--- a/recipes-kernel/linux/linux-cavium_4.9.inc
+++ b/recipes-kernel/linux/linux-cavium_4.9.inc
@@ -23,6 +23,7 @@ SRC_URI = "git://git@git.enea.com/linux/linux-cavium.git;protocol=ssh;name=machi
           file://CVE-2017-5970.patch \
           file://CVE-2017-5986.patch \
           file://CVE-2017-6214.patch \
+           file://CVE-2017-6345.patch \
           file://CVE-2017-7487.patch \
           file://CVE-2017-7618.patch \
           file://CVE-2017-7645.patch \
author	Sona Sarmadi <sona.sarmadi@enea.com>	2017-09-29 15:05:11 +0200
committer	Martin Borg <martin.borg@enea.com>	2017-10-02 09:41:20 +0200
commit	e91902d91a4334b2cfbfd299fcb798c5e68da8af (patch)
tree	6565bca00b98210b69440f25f21449382c6e7792
parent	389192b1bbfa5f0dcb013a32d16965c8c33c7afa (diff)
download	meta-enea-bsp-arm-e91902d91a4334b2cfbfd299fcb798c5e68da8af.tar.gz

diff --git a/recipes-kernel/linux/linux-cavium/CVE-2017-6345.patch b/recipes-kernel/linux/linux-cavium/CVE-2017-6345.patch new file mode 100644 index 0000000..b0ac548 --- /dev/null +++ b/recipes-kernel/linux/linux-cavium/CVE-2017-6345.patch
@@ -0,0 +1,65 @@
		1	From 42b52783a59cc706c71cdc7096edce4a6f086fd3 Mon Sep 17 00:00:00 2001
		2	From: Eric Dumazet <edumazet@google.com>
		3	Date: Sun, 12 Feb 2017 14:03:52 -0800
		4	Subject: [PATCH] net/llc: avoid BUG_ON() in skb_orphan()
		5
		6	[ Upstream commit 8b74d439e1697110c5e5c600643e823eb1dd0762 ]
		7
		8	It seems nobody used LLC since linux-3.12.
		9
		10	Fortunately fuzzers like syzkaller still know how to run this code,
		11	otherwise it would be no fun.
		12
		13	Setting skb->sk without skb->destructor leads to all kinds of
		14	bugs, we now prefer to be very strict about it.
		15
		16	Ideally here we would use skb_set_owner() but this helper does not exist yet,
		17	only CAN seems to have a private helper for that.
		18
		19	CVE: CVE-2017-6345
		20	Upstream-Status: Backport [from kernel.org longterm 4.9.52]
		21
		22	Fixes: 376c7311bdb6 ("net: add a temporary sanity check in skb_orphan()")
		23	Signed-off-by: Eric Dumazet <edumazet@google.com>
		24	Reported-by: Andrey Konovalov <andreyknvl@google.com>
		25	Signed-off-by: David S. Miller <davem@davemloft.net>
		26	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
		27	Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
		28	---
		29	net/llc/llc_conn.c \| 3 +++
		30	net/llc/llc_sap.c \| 3 +++
		31	2 files changed, 6 insertions(+)
		32
		33	diff --git a/net/llc/llc_conn.c b/net/llc/llc_conn.c
		34	index 3e821da..8bc5a1b 100644
		35	--- a/net/llc/llc_conn.c
		36	+++ b/net/llc/llc_conn.c
		37	@@ -821,7 +821,10 @@ void llc_conn_handler(struct llc_sap sap, struct sk_buff skb)
		38	* another trick required to cope with how the PROCOM state
		39	* machine works. -acme
		40	*/
		41	+ skb_orphan(skb);
		42	+ sock_hold(sk);
		43	skb->sk = sk;
		44	+ skb->destructor = sock_efree;
		45	}
		46	if (!sock_owned_by_user(sk))
		47	llc_conn_rcv(sk, skb);
		48	diff --git a/net/llc/llc_sap.c b/net/llc/llc_sap.c
		49	index d0e1e80..5404d0d 100644
		50	--- a/net/llc/llc_sap.c
		51	+++ b/net/llc/llc_sap.c
		52	@@ -290,7 +290,10 @@ static void llc_sap_rcv(struct llc_sap sap, struct sk_buff skb,
		53
		54	ev->type = LLC_SAP_EV_TYPE_PDU;
		55	ev->reason = 0;
		56	+ skb_orphan(skb);
		57	+ sock_hold(sk);
		58	skb->sk = sk;
		59	+ skb->destructor = sock_efree;
		60	llc_sap_state_process(sap, skb);
		61	}
		62
		63	--
		64	1.9.1
		65


diff --git a/recipes-kernel/linux/linux-cavium_4.9.inc b/recipes-kernel/linux/linux-cavium_4.9.inc index 67488ba..c6959ab 100644 --- a/recipes-kernel/linux/linux-cavium_4.9.inc +++ b/recipes-kernel/linux/linux-cavium_4.9.inc
@@ -23,6 +23,7 @@ SRC_URI = "git://git@git.enea.com/linux/linux-cavium.git;protocol=ssh;name=machi
23	file://CVE-2017-5970.patch \	23	file://CVE-2017-5970.patch \
24	file://CVE-2017-5986.patch \	24	file://CVE-2017-5986.patch \
25	file://CVE-2017-6214.patch \	25	file://CVE-2017-6214.patch \
		26	file://CVE-2017-6345.patch \
26	file://CVE-2017-7487.patch \	27	file://CVE-2017-7487.patch \
27	file://CVE-2017-7618.patch \	28	file://CVE-2017-7618.patch \
28	file://CVE-2017-7645.patch \	29	file://CVE-2017-7645.patch \