author | Sona Sarmadi <sona.sarmadi@enea.com> | 2017-05-17 10:10:24 +0200 |
---|---|---|
committer | Adrian Dudau <adrian.dudau@enea.com> | 2017-05-18 16:06:07 +0200 |
commit | 2ee7736a2d27414ae0f6c573f81232ac81585601 (patch) | |
tree | ae03bb1c03aa5e0a04c14ba6ec8b6f443f6b8952 /recipes-kernel/linux | |
parent | 4c7fbbf1721c7e4fcf39e2d0f96f385c1ce1a5cf (diff) | |
download | meta-enea-bsp-arm-krogoth.tar.gz |
kernel: CVE-2016-10229krogoth
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2016-10229
Reference to upstream patch:
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?h=v3.12.74&id=c3bfbecb1bb575278ce4812746a29c04875a2926
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
Diffstat (limited to 'recipes-kernel/linux')
-rw-r--r-- | recipes-kernel/linux/linux-ls1/CVE-2016-10229.patch | 101 | ||||
-rw-r--r-- | recipes-kernel/linux/linux-ls1_3.12.bbappend | 1 |
2 files changed, 102 insertions, 0 deletions
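--- /dev/null
+++ b/recipes-kernel/linux/linux-ls1/CVE-2016-10229.patch
@@ -0,0 +1,101 @@
+From c3bfbecb1bb575278ce4812746a29c04875a2926 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Wed, 30 Dec 2015 08:51:12 -0500
+Subject: udp: properly support MSG_PEEK with truncated buffers
+
+commit 197c949e7798fbf28cfadc69d9ca0c2abbf93191 upstream.
+
+Backport of this upstream commit into stable kernels :
+89c22d8c3b27 ("net: Fix skb csum races when peeking")
+exposed a bug in udp stack vs MSG_PEEK support, when user provides
+a buffer smaller than skb payload.
+
+In this case,
+skb_copy_and_csum_datagram_iovec(skb, sizeof(struct udphdr),
+msg->msg_iov);
+returns -EFAULT.
+
+This bug does not happen in upstream kernels since Al Viro did a great
+job to replace this into :
+skb_copy_and_csum_datagram_msg(skb, sizeof(struct udphdr), msg);
+This variant is safe vs short buffers.
+
+For the time being, instead reverting Herbert Xu patch and add back
+skb->ip_summed invalid changes, simply store the result of
+udp_lib_checksum_complete() so that we avoid computing the checksum a
+second time, and avoid the problematic
+skb_copy_and_csum_datagram_iovec() call.
+
+This patch can be applied on recent kernels as it avoids a double
+checksumming, then backported to stable kernels as a bug fix.
+
+CVE: CVE-2016-10229
+Upstream-Status: Backport
+
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+net/ipv4/udp.c | 6 ++++--
+net/ipv6/udp.c | 6 ++++--
+2 files changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
+index 4908eaa..f8e3046 100644
+--- a/net/ipv4/udp.c
++++ b/net/ipv4/udp.c
+@@ -1210,6 +1210,7 @@ int udp_recvmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg,
+int peeked, off = 0;
+int err;
+int is_udplite = IS_UDPLITE(sk);
++ bool checksum_valid = false;
+bool slow;
+
+if (flags & MSG_ERRQUEUE)
+@@ -1235,11 +1236,12 @@ try_again:
+*/
+
+if (copied < ulen || UDP_SKB_CB(skb)->partial_cov) {
+- if (udp_lib_checksum_complete(skb))
++ checksum_valid = !udp_lib_checksum_complete(skb);
++ if (!checksum_valid)
+goto csum_copy_err;
+}
+
+- if (skb_csum_unnecessary(skb))
++ if (checksum_valid || skb_csum_unnecessary(skb))
+err = skb_copy_datagram_iovec(skb, sizeof(struct udphdr),
+msg->msg_iov, copied);
+else {
+diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c
+index a6c5ef5..94ca417 100644
+--- a/net/ipv6/udp.c
++++ b/net/ipv6/udp.c
+@@ -371,6 +371,7 @@ int udpv6_recvmsg(struct kiocb *iocb, struct sock *sk,
+int peeked, off = 0;
+int err;
+int is_udplite = IS_UDPLITE(sk);
++ bool checksum_valid = false;
+int is_udp4;
+bool slow;
+
+@@ -402,11 +403,12 @@ try_again:
+*/
+
+if (copied < ulen || UDP_SKB_CB(skb)->partial_cov) {
+- if (udp_lib_checksum_complete(skb))
++ checksum_valid = !udp_lib_checksum_complete(skb);
++ if (!checksum_valid)
+goto csum_copy_err;
+}
+
+- if (skb_csum_unnecessary(skb))
++ if (checksum_valid || skb_csum_unnecessary(skb))
+err = skb_copy_datagram_iovec(skb, sizeof(struct udphdr),
+msg->msg_iov, copied);
+else {
+--
+cgit v1.1
+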
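Review bot: `checksum_valid` is set once at its declaration and the hunks show nothing that clears it at `try_again:`, in both udp_recvmsg() and udpv6_recvmsg(), while a true value selects the plain skb_copy_datagram_iovec() copy that does no checksum work. In the visible lines the flag only becomes true on the path that falls through to the copy, so a stale true reaching a later datagram looks unreachable, but the rest of the retry loop lies outside these hunks and should be checked against the 3.12 tree the recipe builds. Because this is a verbatim stable backport I would leave the code as is and record the invariant in the patch header, for example `checksum_valid is only true for the skb just verified; every jump back to try_again happens with it false`.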
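--- a/recipes-kernel/linux/linux-ls1_3.12.bbappend
+++ b/recipes-kernel/linux/linux-ls1_3.12.bbappend
@@ -12,6 +12,7 @@ SRC_URI += "file://ls1021aiot.dts \
 file://CVE-2016-6480.patch \
 file://0001-CVE-2017-2636.patch \
 file://0002-CVE-2017-2636.patch \
+file://CVE-2016-10229.patch \
 "
 
 # fix err: "linux-ls1-3.12-r0 do_deploy: Taskhash mismatch"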