net-kernel: CVE-2015-8543

Fixes a NULL pointer dereference flaw in the Linux kernel's network subsystem. A local user could use this flaw to crash the system. Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-8543 Reference to upstream fix: https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/patch/?id=0295617f822f630711f5af03316d3cbda6e737d4 Signen-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Martin Borg <martin.borg@enea.com>
author: Sona Sarmadi <sona.sarmadi@enea.com> 2016-08-10 13:40:41 +0200
committer: Martin Borg <martin.borg@enea.com> 2016-08-17 14:21:38 +0200
commit: 199694783798776d8649271fa8fa2c611a536a00 (patch)
tree: 0e1d0153d22b33e64a84189c79911024dd45bd62
parent: d7d85162fcb5ca8c1e201d89ae54b9099bf964a2 (diff)
download: meta-enea-bsp-ppc-199694783798776d8649271fa8fa2c611a536a00.tar.gz
2 files changed, 143 insertions, 0 deletions
diff --git a/recipes-kernel/linux/files/net-CVE-2015-8543.patch b/recipes-kernel/linux/files/net-CVE-2015-8543.patch
new file mode 100644
index 0000000..e9e567e
--- /dev/null
+++ b/recipes-kernel/linux/files/net-CVE-2015-8543.patch
@@ -0,0 +1,142 @@
+From 0295617f822f630711f5af03316d3cbda6e737d4 Mon Sep 17 00:00:00 2001
+From: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Date: Mon, 14 Dec 2015 22:03:39 +0100
+Subject: net: add validation for the socket syscall protocol argument
+[ Upstream commit 79462ad02e861803b3840cc782248c7359451cd9 ]
+郭永刚 reported that one could simply crash the kernel as root by
+using a simple program:
+        int socket_fd;
+        struct sockaddr_in addr;
+        addr.sin_port = 0;
+        addr.sin_addr.s_addr = INADDR_ANY;
+        addr.sin_family = 10;
+        socket_fd = socket(10,3,0x40000000);
+        connect(socket_fd , &addr,16);
+AF_INET, AF_INET6 sockets actually only support 8-bit protocol
+identifiers. inet_sock's skc_protocol field thus is sized accordingly,
+thus larger protocol identifiers simply cut off the higher bits and
+store a zero in the protocol fields.
+This could lead to e.g. NULL function pointer because as a result of
+the cut off inet_num is zero and we call down to inet_autobind, which
+is NULL for raw sockets.
+kernel: Call Trace:
+kernel:  [<ffffffff816db90e>] ? inet_autobind+0x2e/0x70
+kernel:  [<ffffffff816db9a4>] inet_dgram_connect+0x54/0x80
+kernel:  [<ffffffff81645069>] SYSC_connect+0xd9/0x110
+kernel:  [<ffffffff810ac51b>] ? ptrace_notify+0x5b/0x80
+kernel:  [<ffffffff810236d8>] ? syscall_trace_enter_phase2+0x108/0x200
+kernel:  [<ffffffff81645e0e>] SyS_connect+0xe/0x10
+kernel:  [<ffffffff81779515>] tracesys_phase2+0x84/0x89
+I found no particular commit which introduced this problem.
+CVE: CVE-2015-8543
+Upstream-Status: Backport
+Cc: Cong Wang <cwang@twopensource.com>
+Reported-by: 郭永刚 <guoyonggang@360.cn>
+Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ include/net/sock.h     | 1 +
+ net/ax25/af_ax25.c     | 3 +++
+ net/decnet/af_decnet.c | 3 +++
+ net/ipv4/af_inet.c     | 3 +++
+ net/ipv6/af_inet6.c    | 3 +++
+ net/irda/af_irda.c     | 3 +++
+ 6 files changed, 16 insertions(+)
+diff --git a/include/net/sock.h b/include/net/sock.h
+index 4d631bd..41d98f1 100644
+--- a/include/net/sock.h
+++ b/include/net/sock.h
+@@ -358,6 +358,7 @@ struct sock {
+                                sk_no_check  : 2,
+                                sk_userlocks : 4,
+                                sk_protocol  : 8,
+#define SK_PROTOCOL_MAX U8_MAX
+                                sk_type      : 16;
+        kmemcheck_bitfield_end(flags);
+        int                     sk_wmem_queued;
+diff --git a/net/ax25/af_ax25.c b/net/ax25/af_ax25.c
+index 78c474f..c4ee710 100644
+--- a/net/ax25/af_ax25.c
+++ b/net/ax25/af_ax25.c
+@@ -806,6 +806,9 @@ static int ax25_create(struct net *net, struct socket *sock, int protocol,
+        struct sock *sk;
+        ax25_cb *ax25;
+ 
+       if (protocol < 0 || protocol > SK_PROTOCOL_MAX)
+               return -EINVAL;
+
+        if (!net_eq(net, &init_net))
+                return -EAFNOSUPPORT;
+ 
+diff --git a/net/decnet/af_decnet.c b/net/decnet/af_decnet.c
+index dd4d506..c030d5c 100644
+--- a/net/decnet/af_decnet.c
+++ b/net/decnet/af_decnet.c
+@@ -677,6 +677,9 @@ static int dn_create(struct net *net, struct socket *sock, int protocol,
+ {
+        struct sock *sk;
+ 
+       if (protocol < 0 || protocol > SK_PROTOCOL_MAX)
+               return -EINVAL;
+
+        if (!net_eq(net, &init_net))
+                return -EAFNOSUPPORT;
+ 
+diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c
+index cfeb85c..09f9c04 100644
+--- a/net/ipv4/af_inet.c
+++ b/net/ipv4/af_inet.c
+@@ -288,6 +288,9 @@ static int inet_create(struct net *net, struct socket *sock, int protocol,
+                if (sock->type != SOCK_RAW && sock->type != SOCK_DGRAM)
+                        build_ehash_secret();
+ 
+       if (protocol < 0 || protocol >= IPPROTO_MAX)
+               return -EINVAL;
+
+        sock->state = SS_UNCONNECTED;
+ 
+        /* Look for the requested type/protocol pair. */
+diff --git a/net/ipv6/af_inet6.c b/net/ipv6/af_inet6.c
+index 98e09df..0747e14 100644
+--- a/net/ipv6/af_inet6.c
+++ b/net/ipv6/af_inet6.c
+@@ -115,6 +115,9 @@ static int inet6_create(struct net *net, struct socket *sock, int protocol,
+            !inet_ehash_secret)
+                build_ehash_secret();
+ 
+       if (protocol < 0 || protocol >= IPPROTO_MAX)
+               return -EINVAL;
+
+        /* Look for the requested type/protocol pair. */
+ lookup_protocol:
+        err = -ESOCKTNOSUPPORT;
+diff --git a/net/irda/af_irda.c b/net/irda/af_irda.c
+index a5e62ef5..f8133ff 100644
+--- a/net/irda/af_irda.c
+++ b/net/irda/af_irda.c
+@@ -1105,6 +1105,9 @@ static int irda_create(struct net *net, struct socket *sock, int protocol,
+ 
+        IRDA_DEBUG(2, "%s()\n", __func__);
+ 
+       if (protocol < 0 || protocol > SK_PROTOCOL_MAX)
+               return -EINVAL;
+
+        if (net != &init_net)
+                return -EAFNOSUPPORT;
+ 
+-- 
+cgit v0.12
diff --git a/recipes-kernel/linux/linux-qoriq_3.12.bbappend b/recipes-kernel/linux/linux-qoriq_3.12.bbappend
index 09a3d77..cc83b93 100644
--- a/recipes-kernel/linux/linux-qoriq_3.12.bbappend
+++ b/recipes-kernel/linux/linux-qoriq_3.12.bbappend
@@ -3,5 +3,6 @@ require recipes-kernel/linux/linux-qoriq-common.inc
 FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
 SRC_URI += "file://ppp-CVE-2015-8569.patch \
+            file://net-CVE-2015-8543.patch \
           "
author	Sona Sarmadi <sona.sarmadi@enea.com>	2016-08-10 13:40:41 +0200
committer	Martin Borg <martin.borg@enea.com>	2016-08-17 14:21:38 +0200
commit	199694783798776d8649271fa8fa2c611a536a00 (patch)
tree	0e1d0153d22b33e64a84189c79911024dd45bd62
parent	d7d85162fcb5ca8c1e201d89ae54b9099bf964a2 (diff)
download	meta-enea-bsp-ppc-199694783798776d8649271fa8fa2c611a536a00.tar.gz

diff --git a/recipes-kernel/linux/files/net-CVE-2015-8543.patch b/recipes-kernel/linux/files/net-CVE-2015-8543.patch new file mode 100644 index 0000000..e9e567e --- /dev/null +++ b/recipes-kernel/linux/files/net-CVE-2015-8543.patch
@@ -0,0 +1,142 @@
		1	From 0295617f822f630711f5af03316d3cbda6e737d4 Mon Sep 17 00:00:00 2001
		2	From: Hannes Frederic Sowa <hannes@stressinduktion.org>
		3	Date: Mon, 14 Dec 2015 22:03:39 +0100
		4	Subject: net: add validation for the socket syscall protocol argument
		5
		6	[ Upstream commit 79462ad02e861803b3840cc782248c7359451cd9 ]
		7
		8	郭永刚 reported that one could simply crash the kernel as root by
		9	using a simple program:
		10
		11	int socket_fd;
		12	struct sockaddr_in addr;
		13	addr.sin_port = 0;
		14	addr.sin_addr.s_addr = INADDR_ANY;
		15	addr.sin_family = 10;
		16
		17	socket_fd = socket(10,3,0x40000000);
		18	connect(socket_fd , &addr,16);
		19
		20	AF_INET, AF_INET6 sockets actually only support 8-bit protocol
		21	identifiers. inet_sock's skc_protocol field thus is sized accordingly,
		22	thus larger protocol identifiers simply cut off the higher bits and
		23	store a zero in the protocol fields.
		24
		25	This could lead to e.g. NULL function pointer because as a result of
		26	the cut off inet_num is zero and we call down to inet_autobind, which
		27	is NULL for raw sockets.
		28
		29	kernel: Call Trace:
		30	kernel: [<ffffffff816db90e>] ? inet_autobind+0x2e/0x70
		31	kernel: [<ffffffff816db9a4>] inet_dgram_connect+0x54/0x80
		32	kernel: [<ffffffff81645069>] SYSC_connect+0xd9/0x110
		33	kernel: [<ffffffff810ac51b>] ? ptrace_notify+0x5b/0x80
		34	kernel: [<ffffffff810236d8>] ? syscall_trace_enter_phase2+0x108/0x200
		35	kernel: [<ffffffff81645e0e>] SyS_connect+0xe/0x10
		36	kernel: [<ffffffff81779515>] tracesys_phase2+0x84/0x89
		37
		38	I found no particular commit which introduced this problem.
		39
		40	CVE: CVE-2015-8543
		41	Upstream-Status: Backport
		42
		43	Cc: Cong Wang <cwang@twopensource.com>
		44	Reported-by: 郭永刚 <guoyonggang@360.cn>
		45	Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
		46	Signed-off-by: David S. Miller <davem@davemloft.net>
		47	Signed-off-by: Jiri Slaby <jslaby@suse.cz>
		48	Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
		49	---
		50	include/net/sock.h \| 1 +
		51	net/ax25/af_ax25.c \| 3 +++
		52	net/decnet/af_decnet.c \| 3 +++
		53	net/ipv4/af_inet.c \| 3 +++
		54	net/ipv6/af_inet6.c \| 3 +++
		55	net/irda/af_irda.c \| 3 +++
		56	6 files changed, 16 insertions(+)
		57
		58	diff --git a/include/net/sock.h b/include/net/sock.h
		59	index 4d631bd..41d98f1 100644
		60	--- a/include/net/sock.h
		61	+++ b/include/net/sock.h
		62	@@ -358,6 +358,7 @@ struct sock {
		63	sk_no_check : 2,
		64	sk_userlocks : 4,
		65	sk_protocol : 8,
		66	+#define SK_PROTOCOL_MAX U8_MAX
		67	sk_type : 16;
		68	kmemcheck_bitfield_end(flags);
		69	int sk_wmem_queued;
		70	diff --git a/net/ax25/af_ax25.c b/net/ax25/af_ax25.c
		71	index 78c474f..c4ee710 100644
		72	--- a/net/ax25/af_ax25.c
		73	+++ b/net/ax25/af_ax25.c
		74	@@ -806,6 +806,9 @@ static int ax25_create(struct net net, struct socket sock, int protocol,
		75	struct sock *sk;
		76	ax25_cb *ax25;
		77
		78	+ if (protocol < 0 \|\| protocol > SK_PROTOCOL_MAX)
		79	+ return -EINVAL;
		80	+
		81	if (!net_eq(net, &init_net))
		82	return -EAFNOSUPPORT;
		83
		84	diff --git a/net/decnet/af_decnet.c b/net/decnet/af_decnet.c
		85	index dd4d506..c030d5c 100644
		86	--- a/net/decnet/af_decnet.c
		87	+++ b/net/decnet/af_decnet.c
		88	@@ -677,6 +677,9 @@ static int dn_create(struct net net, struct socket sock, int protocol,
		89	{
		90	struct sock *sk;
		91
		92	+ if (protocol < 0 \|\| protocol > SK_PROTOCOL_MAX)
		93	+ return -EINVAL;
		94	+
		95	if (!net_eq(net, &init_net))
		96	return -EAFNOSUPPORT;
		97
		98	diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c
		99	index cfeb85c..09f9c04 100644
		100	--- a/net/ipv4/af_inet.c
		101	+++ b/net/ipv4/af_inet.c
		102	@@ -288,6 +288,9 @@ static int inet_create(struct net net, struct socket sock, int protocol,
		103	if (sock->type != SOCK_RAW && sock->type != SOCK_DGRAM)
		104	build_ehash_secret();
		105
		106	+ if (protocol < 0 \|\| protocol >= IPPROTO_MAX)
		107	+ return -EINVAL;
		108	+
		109	sock->state = SS_UNCONNECTED;
		110
		111	/* Look for the requested type/protocol pair. */
		112	diff --git a/net/ipv6/af_inet6.c b/net/ipv6/af_inet6.c
		113	index 98e09df..0747e14 100644
		114	--- a/net/ipv6/af_inet6.c
		115	+++ b/net/ipv6/af_inet6.c
		116	@@ -115,6 +115,9 @@ static int inet6_create(struct net net, struct socket sock, int protocol,
		117	!inet_ehash_secret)
		118	build_ehash_secret();
		119
		120	+ if (protocol < 0 \|\| protocol >= IPPROTO_MAX)
		121	+ return -EINVAL;
		122	+
		123	/* Look for the requested type/protocol pair. */
		124	lookup_protocol:
		125	err = -ESOCKTNOSUPPORT;
		126	diff --git a/net/irda/af_irda.c b/net/irda/af_irda.c
		127	index a5e62ef5..f8133ff 100644
		128	--- a/net/irda/af_irda.c
		129	+++ b/net/irda/af_irda.c
		130	@@ -1105,6 +1105,9 @@ static int irda_create(struct net net, struct socket sock, int protocol,
		131
		132	IRDA_DEBUG(2, "%s()\n", __func__);
		133
		134	+ if (protocol < 0 \|\| protocol > SK_PROTOCOL_MAX)
		135	+ return -EINVAL;
		136	+
		137	if (net != &init_net)
		138	return -EAFNOSUPPORT;
		139
		140	--
		141	cgit v0.12
		142


diff --git a/recipes-kernel/linux/linux-qoriq_3.12.bbappend b/recipes-kernel/linux/linux-qoriq_3.12.bbappend index 09a3d77..cc83b93 100644 --- a/recipes-kernel/linux/linux-qoriq_3.12.bbappend +++ b/recipes-kernel/linux/linux-qoriq_3.12.bbappend
@@ -3,5 +3,6 @@ require recipes-kernel/linux/linux-qoriq-common.inc
3	FILESEXTRAPATHS_prepend := "${THISDIR}/files:"	3	FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
4		4
5	SRC_URI += "file://ppp-CVE-2015-8569.patch \	5	SRC_URI += "file://ppp-CVE-2015-8569.patch \
		6	file://net-CVE-2015-8543.patch \
6	"	7	"
7		8