1 files changed, 65 insertions, 0 deletions
diff --git a/recipes-kernel/linux/linux-cavium/CVE-2017-6345.patch b/recipes-kernel/linux/linux-cavium/CVE-2017-6345.patch
new file mode 100644
index 0000000..b0ac548
--- /dev/null
+++ b/recipes-kernel/linux/linux-cavium/CVE-2017-6345.patch
@@ -0,0 +1,65 @@
+From 42b52783a59cc706c71cdc7096edce4a6f086fd3 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Sun, 12 Feb 2017 14:03:52 -0800
+Subject: [PATCH] net/llc: avoid BUG_ON() in skb_orphan()
+[ Upstream commit 8b74d439e1697110c5e5c600643e823eb1dd0762 ]
+It seems nobody used LLC since linux-3.12.
+Fortunately fuzzers like syzkaller still know how to run this code,
+otherwise it would be no fun.
+Setting skb->sk without skb->destructor leads to all kinds of
+bugs, we now prefer to be very strict about it.
+Ideally here we would use skb_set_owner() but this helper does not exist yet,
+only CAN seems to have a private helper for that.
+CVE: CVE-2017-6345
+Upstream-Status: Backport [from kernel.org longterm 4.9.52]
+Fixes: 376c7311bdb6 ("net: add a temporary sanity check in skb_orphan()")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: Andrey Konovalov <andreyknvl@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ net/llc/llc_conn.c | 3 +++
+ net/llc/llc_sap.c  | 3 +++
+ 2 files changed, 6 insertions(+)
+diff --git a/net/llc/llc_conn.c b/net/llc/llc_conn.c
+index 3e821da..8bc5a1b 100644
+--- a/net/llc/llc_conn.c
+++ b/net/llc/llc_conn.c
+@@ -821,7 +821,10 @@ void llc_conn_handler(struct llc_sap *sap, struct sk_buff *skb)
+                 * another trick required to cope with how the PROCOM state
+                 * machine works. -acme
+                 */
+               skb_orphan(skb);
+               sock_hold(sk);
+                skb->sk = sk;
+               skb->destructor = sock_efree;
+        }
+        if (!sock_owned_by_user(sk))
+                llc_conn_rcv(sk, skb);
+diff --git a/net/llc/llc_sap.c b/net/llc/llc_sap.c
+index d0e1e80..5404d0d 100644
+--- a/net/llc/llc_sap.c
+++ b/net/llc/llc_sap.c
+@@ -290,7 +290,10 @@ static void llc_sap_rcv(struct llc_sap *sap, struct sk_buff *skb,
+ 
+        ev->type   = LLC_SAP_EV_TYPE_PDU;
+        ev->reason = 0;
+       skb_orphan(skb);
+       sock_hold(sk);
+        skb->sk = sk;
+       skb->destructor = sock_efree;
+        llc_sap_state_process(sap, skb);
+ }
+ 
+-- 
+1.9.1

diff --git a/recipes-kernel/linux/linux-cavium/CVE-2017-6345.patch b/recipes-kernel/linux/linux-cavium/CVE-2017-6345.patch new file mode 100644 index 0000000..b0ac548 --- /dev/null +++ b/recipes-kernel/linux/linux-cavium/CVE-2017-6345.patch
@@ -0,0 +1,65 @@
	1	From 42b52783a59cc706c71cdc7096edce4a6f086fd3 Mon Sep 17 00:00:00 2001
	2	From: Eric Dumazet <edumazet@google.com>
	3	Date: Sun, 12 Feb 2017 14:03:52 -0800
	4	Subject: [PATCH] net/llc: avoid BUG_ON() in skb_orphan()
	5
	6	[ Upstream commit 8b74d439e1697110c5e5c600643e823eb1dd0762 ]
	7
	8	It seems nobody used LLC since linux-3.12.
	9
	10	Fortunately fuzzers like syzkaller still know how to run this code,
	11	otherwise it would be no fun.
	12
	13	Setting skb->sk without skb->destructor leads to all kinds of
	14	bugs, we now prefer to be very strict about it.
	15
	16	Ideally here we would use skb_set_owner() but this helper does not exist yet,
	17	only CAN seems to have a private helper for that.
	18
	19	CVE: CVE-2017-6345
	20	Upstream-Status: Backport [from kernel.org longterm 4.9.52]
	21
	22	Fixes: 376c7311bdb6 ("net: add a temporary sanity check in skb_orphan()")
	23	Signed-off-by: Eric Dumazet <edumazet@google.com>
	24	Reported-by: Andrey Konovalov <andreyknvl@google.com>
	25	Signed-off-by: David S. Miller <davem@davemloft.net>
	26	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	27	Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
	28	---
	29	net/llc/llc_conn.c \| 3 +++
	30	net/llc/llc_sap.c \| 3 +++
	31	2 files changed, 6 insertions(+)
	32
	33	diff --git a/net/llc/llc_conn.c b/net/llc/llc_conn.c
	34	index 3e821da..8bc5a1b 100644
	35	--- a/net/llc/llc_conn.c
	36	+++ b/net/llc/llc_conn.c
	37	@@ -821,7 +821,10 @@ void llc_conn_handler(struct llc_sap sap, struct sk_buff skb)
	38	* another trick required to cope with how the PROCOM state
	39	* machine works. -acme
	40	*/
	41	+ skb_orphan(skb);
	42	+ sock_hold(sk);
	43	skb->sk = sk;
	44	+ skb->destructor = sock_efree;
	45	}
	46	if (!sock_owned_by_user(sk))
	47	llc_conn_rcv(sk, skb);
	48	diff --git a/net/llc/llc_sap.c b/net/llc/llc_sap.c
	49	index d0e1e80..5404d0d 100644
	50	--- a/net/llc/llc_sap.c
	51	+++ b/net/llc/llc_sap.c
	52	@@ -290,7 +290,10 @@ static void llc_sap_rcv(struct llc_sap sap, struct sk_buff skb,
	53
	54	ev->type = LLC_SAP_EV_TYPE_PDU;
	55	ev->reason = 0;
	56	+ skb_orphan(skb);
	57	+ sock_hold(sk);
	58	skb->sk = sk;
	59	+ skb->destructor = sock_efree;
	60	llc_sap_state_process(sap, skb);
	61	}
	62
	63	--
	64	1.9.1
	65