From e91902d91a4334b2cfbfd299fcb798c5e68da8af Mon Sep 17 00:00:00 2001 From: Sona Sarmadi Date: Fri, 29 Sep 2017 15:05:11 +0200 Subject: linux-cavium: CVE-2017-6345 llc: skb->sk set without skb->destructor Reference: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-6345 Signed-off-by: Sona Sarmadi Signed-off-by: Martin Borg --- .../linux/linux-cavium/CVE-2017-6345.patch | 65 ++++++++++++++++++++++ recipes-kernel/linux/linux-cavium_4.9.inc | 1 + 2 files changed, 66 insertions(+) create mode 100644 recipes-kernel/linux/linux-cavium/CVE-2017-6345.patch (limited to 'recipes-kernel') diff --git a/recipes-kernel/linux/linux-cavium/CVE-2017-6345.patch b/recipes-kernel/linux/linux-cavium/CVE-2017-6345.patch new file mode 100644 index 0000000..b0ac548 --- /dev/null +++ b/recipes-kernel/linux/linux-cavium/CVE-2017-6345.patch 
@@ -0,0 +1,65 @@ +From 42b52783a59cc706c71cdc7096edce4a6f086fd3 Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Sun, 12 Feb 2017 14:03:52 -0800 +Subject: [PATCH] net/llc: avoid BUG_ON() in skb_orphan() + +[ Upstream commit 8b74d439e1697110c5e5c600643e823eb1dd0762 ] + +It seems nobody used LLC since linux-3.12. + +Fortunately fuzzers like syzkaller still know how to run this code, +otherwise it would be no fun. + +Setting skb->sk without skb->destructor leads to all kinds of +bugs, we now prefer to be very strict about it. + +Ideally here we would use skb_set_owner() but this helper does not exist yet, +only CAN seems to have a private helper for that. + +CVE: CVE-2017-6345 +Upstream-Status: Backport [from kernel.org longterm 4.9.52] + +Fixes: 376c7311bdb6 ("net: add a temporary sanity check in skb_orphan()") +Signed-off-by: Eric Dumazet +Reported-by: Andrey Konovalov +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sona Sarmadi +--- + net/llc/llc_conn.c | 3 +++ + net/llc/llc_sap.c | 3 +++ + 2 files changed, 6 insertions(+) + +diff --git a/net/llc/llc_conn.c b/net/llc/llc_conn.c +index 3e821da..8bc5a1b 100644 +--- a/net/llc/llc_conn.c ++++ b/net/llc/llc_conn.c +@@ -821,7 +821,10 @@ void llc_conn_handler(struct llc_sap *sap, struct sk_buff *skb) + * another trick required to cope with how the PROCOM state + * machine works. -acme + */ ++ skb_orphan(skb); ++ sock_hold(sk); + skb->sk = sk; ++ skb->destructor = sock_efree; + } + if (!sock_owned_by_user(sk)) + llc_conn_rcv(sk, skb); +diff --git a/net/llc/llc_sap.c b/net/llc/llc_sap.c +index d0e1e80..5404d0d 100644 +--- a/net/llc/llc_sap.c ++++ b/net/llc/llc_sap.c +@@ -290,7 +290,10 @@ static void llc_sap_rcv(struct llc_sap *sap, struct sk_buff *skb, + + ev->type = LLC_SAP_EV_TYPE_PDU; + ev->reason = 0; ++ skb_orphan(skb); ++ sock_hold(sk); + skb->sk = sk; ++ skb->destructor = sock_efree; + llc_sap_state_process(sap, skb); + } + +-- +1.9.1 + 
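Review bot: in the llc_conn.c hunk (llc_conn_handler), the reference taken by `sock_hold(sk)` is only dropped when `sock_efree` runs as the skb destructor, so every path that takes ownership of the skb after this point, both the direct `llc_conn_rcv(sk, skb)` call in the context lines and the backlog path behind `sock_owned_by_user(sk)`, must end in a normal skb free rather than clearing `skb->sk` by hand; that is the one thing worth re-checking against this 4.9-based tree, since the upstream commit was written against a newer net/llc. The `skb_orphan(skb)` line must stay before `skb->sk = sk`: it runs any destructor the skb already carries instead of silently overwriting it, which is precisely what the sanity check named in the Fixes: line (376c7311bdb6, "net: add a temporary sanity check in skb_orphan()") would otherwise BUG_ON.

Review bot: in the llc_sap.c hunk (llc_sap_rcv), the same three inserted lines (`skb_orphan(skb); sock_hold(sk); ... skb->destructor = sock_efree;`) are repeated verbatim from the first hunk; the commit message explains that no `skb_set_owner()` helper exists yet, so duplicating rather than factoring is the right call for a backport that should match upstream 8b74d439e169 line for line. The behavioural change to verify here is that the socket now stays pinned until `llc_sap_state_process(sap, skb)` and whatever it queues has freed the skb, so any caller that previously did its own `sock_put` on the assumption that the bare `skb->sk = sk` held no reference would now double-put; confirm that no such put exists in this tree's llc_sap_handler path before merging.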
diff --git a/recipes-kernel/linux/linux-cavium_4.9.inc b/recipes-kernel/linux/linux-cavium_4.9.inc index 67488ba..c6959ab 100644 --- a/recipes-kernel/linux/linux-cavium_4.9.inc +++ b/recipes-kernel/linux/linux-cavium_4.9.inc @@ -23,6 +23,7 @@ SRC_URI = "git://git@git.enea.com/linux/linux-cavium.git;protocol=ssh;name=machi file://CVE-2017-5970.patch \ file://CVE-2017-5986.patch \ file://CVE-2017-6214.patch \ + file://CVE-2017-6345.patch \ file://CVE-2017-7487.patch \ file://CVE-2017-7618.patch \ file://CVE-2017-7645.patch \ -- cgit v1.2.3-54-g00ecf
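Review bot: the SRC_URI hunk keeps the `file://CVE-*.patch` list in CVE-number order (between CVE-2017-6214 and CVE-2017-7487), which is fine, but the patch itself is tagged `Upstream-Status: Backport [from kernel.org longterm 4.9.52]` and carries the stable-tree commit id 42b52783a59c, so the linux-cavium 4.9 base this recipe tracks must be older than 4.9.52 or the patch will fail to apply (or, worse, the fix is already present and the hunks are rejected at do_patch); the commit message should record which linux-cavium tag or 4.9.x level was verified, and the `CVE: CVE-2017-6345` tag in the patch header is what lets cve-check mark the CVE as patched once it is in SRC_URI.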