Diffstat (limited to 'recipes-kernel')
-rw-r--r-- | recipes-kernel/linux/linux-ls1/net-CVE-2016-5696.patch | 98 | ||||
-rw-r--r-- | recipes-kernel/linux/linux-ls1_3.12.bbappend | 1 |
2 files changed, 99 insertions, 0 deletions
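--- /dev/null
+++ b/recipes-kernel/linux/linux-ls1/net-CVE-2016-5696.patch
@@ -0,0 +1,98 @@
+From: Eric Dumazet <edumazet@google.com>
+Date: Sun, 10 Jul 2016 10:04:02 +0200
+Subject: [PATCH] tcp: make challenge acks less predictable
+
+[ Upstream commit 75ff39ccc1bd5d3c455b6822ab09e533c551f758 ]
+
+Yue Cao claims that current host rate limiting of challenge ACKS
+(RFC 5961) could leak enough information to allow a patient attacker
+to hijack TCP sessions. He will soon provide details in an academic
+paper.
+
+This patch increases the default limit from 100 to 1000, and adds
+some randomization so that the attacker can no longer hijack
+sessions without spending a considerable amount of probes.
+
+Based on initial analysis and patch from Linus.
+
+Note that we also have per socket rate limiting, so it is tempting
+to remove the host limit in the future.
+
+v2: randomize the count of challenge acks per second, not the period.
+
+CVE: CVE-2016-5696
+Upstream-Status: Backport
+[This patch was bakported from 3.14 branch, added "prandom_u32_max" in
+"include/linux/random.h" since this was not implemented in 3.12 branch]
+
+Fixes: 282f23c6ee34 ("tcp: implement RFC 5961 3.2")
+Reported-by: Yue Cao <ycao009@ucr.edu>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Yuchung Cheng <ycheng@google.com>
+Cc: Neal Cardwell <ncardwell@google.com>
+Acked-by: Neal Cardwell <ncardwell@google.com>
+Acked-by: Yuchung Cheng <ycheng@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+diff -ruN a/include/linux/random.h b/include/linux/random.h
+--- a/include/linux/random.h 2016-08-22 11:03:21.140946372 +0200
++++ b/include/linux/random.h 2016-08-22 10:45:43.294241721 +0200
+@@ -33,6 +33,23 @@
+u32 prandom_u32_state(struct rnd_state *);
+void prandom_bytes_state(struct rnd_state *state, void *buf, int nbytes);
+
++/**
++ * prandom_u32_max - returns a pseudo-random number in interval [0, ep_ro)
++ * @ep_ro: right open interval endpoint
++ *
++ * Returns a pseudo-random number that is in interval [0, ep_ro). Note
++ * that the result depends on PRNG being well distributed in [0, ~0U]
++ * u32 space. Here we use maximally equidistributed combined Tausworthe
++ * generator, that is, prandom_u32(). This is useful when requesting a
++ * random index of an array containing ep_ro elements, for example.
++ *
++ * Returns: pseudo-random number in interval [0, ep_ro)
++ */
++static inline u32 prandom_u32_max(u32 ep_ro)
++{
++ return (u32)(((u64) prandom_u32() * ep_ro) >> 32);
++}
++
+/*
+* Handle minimum values for seeds
+*/
+diff -ruN a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
+--- a/net/ipv4/tcp_input.c 2016-08-22 11:03:25.296627413 +0200
++++ b/net/ipv4/tcp_input.c 2016-08-22 11:27:20.522438724 +0200
+@@ -87,7 +87,7 @@
+EXPORT_SYMBOL(sysctl_tcp_adv_win_scale);
+
+/* rfc5961 challenge ack rate limiting */
+-int sysctl_tcp_challenge_ack_limit = 100;
++int sysctl_tcp_challenge_ack_limit = 1000;
+
+int sysctl_tcp_stdurg __read_mostly;
+int sysctl_tcp_rfc1337 __read_mostly;
+@@ -3245,12 +3245,18 @@
+static u32 challenge_timestamp;
+static unsigned int challenge_count;
+u32 now = jiffies / HZ;
++ u32 count;
+
+if (now != challenge_timestamp) {
++ u32 half = (sysctl_tcp_challenge_ack_limit + 1) >> 1;
++
+challenge_timestamp = now;
+- challenge_count = 0;
++ challenge_count = half +
++ prandom_u32_max(sysctl_tcp_challenge_ack_limit);
+}
+- if (++challenge_count <= sysctl_tcp_challenge_ack_limit) {
++ count = challenge_count;
++ if (count > 0) {
++ challenge_count = count - 1;
+NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_TCPCHALLENGEACK);
+tcp_send_ack(sk);
+}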
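Review bot: The per-second budget at patch lines 85–90 is `half + prandom_u32_max(limit)`, so its range is `[half, half + limit)` and both ends scale with `sysctl_tcp_challenge_ack_limit`, which is a plain `int` with no clamping visible in this hunk; a negative or INT_MAX value gives a signed overflow or an implementation-defined right shift before the result is stored in a `u32`, and a small value narrows the randomised window the patch relies on. The upstream commit has the same shape, so for the backport a comment is enough, e.g. `/* budget is randomised in [half, half + limit); keep the sysctl positive and at its default unless there is a reason to lower it */` above the `half` line. The enclosing function in tcp_input.c starts and ends outside the embedded hunk, and the new `prandom_u32_max` relies on `prandom_u32()` being declared earlier in random.h, which this hunk does not show — presumably it is in 3.12, but the bitbake build is the only check here.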
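--- a/recipes-kernel/linux/linux-ls1_3.12.bbappend
+++ b/recipes-kernel/linux/linux-ls1_3.12.bbappend
@@ -6,6 +6,7 @@ SRC_URI += "file://ls1021aiot.dts \
 file://0001-fsnotify-fix-oops-in-fsnotify_clear_marks_by_group_f.patch \
 file://0002-watchdog-fix-errata-err004346.patch \
 file://ppp-CVE-2015-8569.patch \
+file://net-CVE-2016-5696.patch \
 "
 
 # fix err: "linux-ls1-3.12-r0 do_deploy: Taskhash mismatch"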