kernel: CVE-2016-10229krogoth

Reference: https://nvd.nist.gov/vuln/detail/CVE-2016-10229 Reference to upstream patch: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?h=v3.12.74&id=c3bfbecb1bb575278ce4812746a29c04875a2926 Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
author: Sona Sarmadi <sona.sarmadi@enea.com> 2017-05-17 10:08:08 +0200
committer: Adrian Dudau <adrian.dudau@enea.com> 2017-05-19 13:19:26 +0200
commit: 7fa63864b6a627b7406c181d93f1550aef2e67e5 (patch)
tree: f842cd5e27e03c59e246af0b466b51ba611d4839
parent: 736f356c04e93c253a674cf242898a8cdec5dd6a (diff)
download: meta-enea-bsp-ppc-krogoth.tar.gz
2 files changed, 102 insertions, 0 deletions
diff --git a/recipes-kernel/linux/files/CVE-2016-10229.patch b/recipes-kernel/linux/files/CVE-2016-10229.patch
new file mode 100644
index 0000000..287200c
--- /dev/null
+++ b/recipes-kernel/linux/files/CVE-2016-10229.patch
@@ -0,0 +1,101 @@
+From c3bfbecb1bb575278ce4812746a29c04875a2926 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Wed, 30 Dec 2015 08:51:12 -0500
+Subject: udp: properly support MSG_PEEK with truncated buffers
+commit 197c949e7798fbf28cfadc69d9ca0c2abbf93191 upstream.
+Backport of this upstream commit into stable kernels :
+89c22d8c3b27 ("net: Fix skb csum races when peeking")
+exposed a bug in udp stack vs MSG_PEEK support, when user provides
+a buffer smaller than skb payload.
+In this case,
+skb_copy_and_csum_datagram_iovec(skb, sizeof(struct udphdr),
+                                 msg->msg_iov);
+returns -EFAULT.
+This bug does not happen in upstream kernels since Al Viro did a great
+job to replace this into :
+skb_copy_and_csum_datagram_msg(skb, sizeof(struct udphdr), msg);
+This variant is safe vs short buffers.
+For the time being, instead reverting Herbert Xu patch and add back
+skb->ip_summed invalid changes, simply store the result of
+udp_lib_checksum_complete() so that we avoid computing the checksum a
+second time, and avoid the problematic
+skb_copy_and_csum_datagram_iovec() call.
+This patch can be applied on recent kernels as it avoids a double
+checksumming, then backported to stable kernels as a bug fix.
+CVE: CVE-2016-10229
+Upstream-Status: Backport
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ net/ipv4/udp.c | 6 ++++--
+ net/ipv6/udp.c | 6 ++++--
+ 2 files changed, 8 insertions(+), 4 deletions(-)
+diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
+index 4908eaa..f8e3046 100644
+--- a/net/ipv4/udp.c
+++ b/net/ipv4/udp.c
+@@ -1210,6 +1210,7 @@ int udp_recvmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg,
+        int peeked, off = 0;
+        int err;
+        int is_udplite = IS_UDPLITE(sk);
+       bool checksum_valid = false;
+        bool slow;
+ 
+        if (flags & MSG_ERRQUEUE)
+@@ -1235,11 +1236,12 @@ try_again:
+         */
+ 
+        if (copied < ulen || UDP_SKB_CB(skb)->partial_cov) {
+-               if (udp_lib_checksum_complete(skb))
+               checksum_valid = !udp_lib_checksum_complete(skb);
+               if (!checksum_valid)
+                        goto csum_copy_err;
+        }
+ 
+-       if (skb_csum_unnecessary(skb))
+       if (checksum_valid || skb_csum_unnecessary(skb))
+                err = skb_copy_datagram_iovec(skb, sizeof(struct udphdr),
+                                              msg->msg_iov, copied);
+        else {
+diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c
+index a6c5ef5..94ca417 100644
+--- a/net/ipv6/udp.c
+++ b/net/ipv6/udp.c
+@@ -371,6 +371,7 @@ int udpv6_recvmsg(struct kiocb *iocb, struct sock *sk,
+        int peeked, off = 0;
+        int err;
+        int is_udplite = IS_UDPLITE(sk);
+       bool checksum_valid = false;
+        int is_udp4;
+        bool slow;
+ 
+@@ -402,11 +403,12 @@ try_again:
+         */
+ 
+        if (copied < ulen || UDP_SKB_CB(skb)->partial_cov) {
+-               if (udp_lib_checksum_complete(skb))
+               checksum_valid = !udp_lib_checksum_complete(skb);
+               if (!checksum_valid)
+                        goto csum_copy_err;
+        }
+ 
+-       if (skb_csum_unnecessary(skb))
+       if (checksum_valid || skb_csum_unnecessary(skb))
+                err = skb_copy_datagram_iovec(skb, sizeof(struct udphdr),
+                                              msg->msg_iov, copied);
+        else {
+-- 
+cgit v1.1
diff --git a/recipes-kernel/linux/linux-qoriq_3.12.bbappend b/recipes-kernel/linux/linux-qoriq_3.12.bbappend
index 6ecf1dd..f9ee5e6 100644
--- a/recipes-kernel/linux/linux-qoriq_3.12.bbappend
+++ b/recipes-kernel/linux/linux-qoriq_3.12.bbappend
@@ -14,5 +14,6 @@ SRC_URI += "file://ppp-CVE-2015-8569.patch \
            file://tmpfs-CVE-2017-5551.patch \
            file://0001-CVE-2017-2636.patch \
            file://0002-CVE-2017-2636.patch \
+            file://CVE-2016-10229.patch \
           "
author	Sona Sarmadi <sona.sarmadi@enea.com>	2017-05-17 10:08:08 +0200
committer	Adrian Dudau <adrian.dudau@enea.com>	2017-05-19 13:19:26 +0200
commit	7fa63864b6a627b7406c181d93f1550aef2e67e5 (patch)
tree	f842cd5e27e03c59e246af0b466b51ba611d4839
parent	736f356c04e93c253a674cf242898a8cdec5dd6a (diff)
download	meta-enea-bsp-ppc-krogoth.tar.gz

diff --git a/recipes-kernel/linux/files/CVE-2016-10229.patch b/recipes-kernel/linux/files/CVE-2016-10229.patch new file mode 100644 index 0000000..287200c --- /dev/null +++ b/recipes-kernel/linux/files/CVE-2016-10229.patch
@@ -0,0 +1,101 @@
		1	From c3bfbecb1bb575278ce4812746a29c04875a2926 Mon Sep 17 00:00:00 2001
		2	From: Eric Dumazet <edumazet@google.com>
		3	Date: Wed, 30 Dec 2015 08:51:12 -0500
		4	Subject: udp: properly support MSG_PEEK with truncated buffers
		5
		6	commit 197c949e7798fbf28cfadc69d9ca0c2abbf93191 upstream.
		7
		8	Backport of this upstream commit into stable kernels :
		9	89c22d8c3b27 ("net: Fix skb csum races when peeking")
		10	exposed a bug in udp stack vs MSG_PEEK support, when user provides
		11	a buffer smaller than skb payload.
		12
		13	In this case,
		14	skb_copy_and_csum_datagram_iovec(skb, sizeof(struct udphdr),
		15	msg->msg_iov);
		16	returns -EFAULT.
		17
		18	This bug does not happen in upstream kernels since Al Viro did a great
		19	job to replace this into :
		20	skb_copy_and_csum_datagram_msg(skb, sizeof(struct udphdr), msg);
		21	This variant is safe vs short buffers.
		22
		23	For the time being, instead reverting Herbert Xu patch and add back
		24	skb->ip_summed invalid changes, simply store the result of
		25	udp_lib_checksum_complete() so that we avoid computing the checksum a
		26	second time, and avoid the problematic
		27	skb_copy_and_csum_datagram_iovec() call.
		28
		29	This patch can be applied on recent kernels as it avoids a double
		30	checksumming, then backported to stable kernels as a bug fix.
		31
		32	CVE: CVE-2016-10229
		33	Upstream-Status: Backport
		34
		35	Signed-off-by: Eric Dumazet <edumazet@google.com>
		36	Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
		37	Signed-off-by: David S. Miller <davem@davemloft.net>
		38	Signed-off-by: Jiri Slaby <jslaby@suse.cz>
		39	Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
		40	---
		41	net/ipv4/udp.c \| 6 ++++--
		42	net/ipv6/udp.c \| 6 ++++--
		43	2 files changed, 8 insertions(+), 4 deletions(-)
		44
		45	diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
		46	index 4908eaa..f8e3046 100644
		47	--- a/net/ipv4/udp.c
		48	+++ b/net/ipv4/udp.c
		49	@@ -1210,6 +1210,7 @@ int udp_recvmsg(struct kiocb iocb, struct sock sk, struct msghdr *msg,
		50	int peeked, off = 0;
		51	int err;
		52	int is_udplite = IS_UDPLITE(sk);
		53	+ bool checksum_valid = false;
		54	bool slow;
		55
		56	if (flags & MSG_ERRQUEUE)
		57	@@ -1235,11 +1236,12 @@ try_again:
		58	*/
		59
		60	if (copied < ulen \|\| UDP_SKB_CB(skb)->partial_cov) {
		61	- if (udp_lib_checksum_complete(skb))
		62	+ checksum_valid = !udp_lib_checksum_complete(skb);
		63	+ if (!checksum_valid)
		64	goto csum_copy_err;
		65	}
		66
		67	- if (skb_csum_unnecessary(skb))
		68	+ if (checksum_valid \|\| skb_csum_unnecessary(skb))
		69	err = skb_copy_datagram_iovec(skb, sizeof(struct udphdr),
		70	msg->msg_iov, copied);
		71	else {
		72	diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c
		73	index a6c5ef5..94ca417 100644
		74	--- a/net/ipv6/udp.c
		75	+++ b/net/ipv6/udp.c
		76	@@ -371,6 +371,7 @@ int udpv6_recvmsg(struct kiocb iocb, struct sock sk,
		77	int peeked, off = 0;
		78	int err;
		79	int is_udplite = IS_UDPLITE(sk);
		80	+ bool checksum_valid = false;
		81	int is_udp4;
		82	bool slow;
		83
		84	@@ -402,11 +403,12 @@ try_again:
		85	*/
		86
		87	if (copied < ulen \|\| UDP_SKB_CB(skb)->partial_cov) {
		88	- if (udp_lib_checksum_complete(skb))
		89	+ checksum_valid = !udp_lib_checksum_complete(skb);
		90	+ if (!checksum_valid)
		91	goto csum_copy_err;
		92	}
		93
		94	- if (skb_csum_unnecessary(skb))
		95	+ if (checksum_valid \|\| skb_csum_unnecessary(skb))
		96	err = skb_copy_datagram_iovec(skb, sizeof(struct udphdr),
		97	msg->msg_iov, copied);
		98	else {
		99	--
		100	cgit v1.1
		101


diff --git a/recipes-kernel/linux/linux-qoriq_3.12.bbappend b/recipes-kernel/linux/linux-qoriq_3.12.bbappend index 6ecf1dd..f9ee5e6 100644 --- a/recipes-kernel/linux/linux-qoriq_3.12.bbappend +++ b/recipes-kernel/linux/linux-qoriq_3.12.bbappend
@@ -14,5 +14,6 @@ SRC_URI += "file://ppp-CVE-2015-8569.patch \
14	file://tmpfs-CVE-2017-5551.patch \	14	file://tmpfs-CVE-2017-5551.patch \
15	file://0001-CVE-2017-2636.patch \	15	file://0001-CVE-2017-2636.patch \
16	file://0002-CVE-2017-2636.patch \	16	file://0002-CVE-2017-2636.patch \
		17	file://CVE-2016-10229.patch \
17	"	18	"
18		19