author | Sona Sarmadi <sona.sarmadi@enea.com> | 2016-08-10 13:40:41 +0200 |
---|---|---|
committer | Martin Borg <martin.borg@enea.com> | 2016-08-17 14:21:38 +0200 |
commit | 199694783798776d8649271fa8fa2c611a536a00 (patch) | |
tree | 0e1d0153d22b33e64a84189c79911024dd45bd62 | |
parent | d7d85162fcb5ca8c1e201d89ae54b9099bf964a2 (diff) | |
net-kernel: CVE-2015-8543
Fixes a NULL pointer dereference flaw in the Linux kernel's
network subsystem.
A local user could use this flaw to crash the system.
Reference:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-8543
Reference to upstream fix:
https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/patch/?id=0295617f822f630711f5af03316d3cbda6e737d4
Signen-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Martin Borg <martin.borg@enea.com>
-rw-r--r-- | recipes-kernel/linux/files/net-CVE-2015-8543.patch | 142 | ||||
-rw-r--r-- | recipes-kernel/linux/linux-qoriq_3.12.bbappend | 1 |
2 files changed, 143 insertions, 0 deletions
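diff --git a/recipes-kernel/linux/files/net-CVE-2015-8543.patch b/recipes-kernel/linux/files/net-CVE-2015-8543.patch
new file mode 100644
index 0000000..e9e567e
--- /dev/null
+++ b/recipes-kernel/linux/files/net-CVE-2015-8543.patch
@@ -0,0 +1,142 @@
+From 0295617f822f630711f5af03316d3cbda6e737d4 Mon Sep 17 00:00:00 2001
+From: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Date: Mon, 14 Dec 2015 22:03:39 +0100
+Subject: net: add validation for the socket syscall protocol argument
+
+[ Upstream commit 79462ad02e861803b3840cc782248c7359451cd9 ]
+
+郭永刚 reported that one could simply crash the kernel as root by
+using a simple program:
+
+int socket_fd;
+struct sockaddr_in addr;
+addr.sin_port = 0;
+addr.sin_addr.s_addr = INADDR_ANY;
+addr.sin_family = 10;
+
+socket_fd = socket(10,3,0x40000000);
+connect(socket_fd , &addr,16);
+
+AF_INET, AF_INET6 sockets actually only support 8-bit protocol
+identifiers. inet_sock's skc_protocol field thus is sized accordingly,
+thus larger protocol identifiers simply cut off the higher bits and
+store a zero in the protocol fields.
+
+This could lead to e.g. NULL function pointer because as a result of
+the cut off inet_num is zero and we call down to inet_autobind, which
+is NULL for raw sockets.
+
+kernel: Call Trace:
+kernel: [<ffffffff816db90e>] ? inet_autobind+0x2e/0x70
+kernel: [<ffffffff816db9a4>] inet_dgram_connect+0x54/0x80
+kernel: [<ffffffff81645069>] SYSC_connect+0xd9/0x110
+kernel: [<ffffffff810ac51b>] ? ptrace_notify+0x5b/0x80
+kernel: [<ffffffff810236d8>] ? syscall_trace_enter_phase2+0x108/0x200
+kernel: [<ffffffff81645e0e>] SyS_connect+0xe/0x10
+kernel: [<ffffffff81779515>] tracesys_phase2+0x84/0x89
+
+I found no particular commit which introduced this problem.
+
+CVE: CVE-2015-8543
+Upstream-Status: Backport
+
+Cc: Cong Wang <cwang@twopensource.com>
+Reported-by: 郭永刚 <guoyonggang@360.cn>
+Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+include/net/sock.h | 1 +
+net/ax25/af_ax25.c | 3 +++
+net/decnet/af_decnet.c | 3 +++
+net/ipv4/af_inet.c | 3 +++
+net/ipv6/af_inet6.c | 3 +++
+net/irda/af_irda.c | 3 +++
+6 files changed, 16 insertions(+)
+
+diff --git a/include/net/sock.h b/include/net/sock.h
+index 4d631bd..41d98f1 100644
+--- a/include/net/sock.h
++++ b/include/net/sock.h
+@@ -358,6 +358,7 @@ struct sock {
+sk_no_check : 2,
+sk_userlocks : 4,
+sk_protocol : 8,
++#define SK_PROTOCOL_MAX U8_MAX
+sk_type : 16;
+kmemcheck_bitfield_end(flags);
+int sk_wmem_queued;
+diff --git a/net/ax25/af_ax25.c b/net/ax25/af_ax25.c
+index 78c474f..c4ee710 100644
+--- a/net/ax25/af_ax25.c
++++ b/net/ax25/af_ax25.c
+@@ -806,6 +806,9 @@ static int ax25_create(struct net *net, struct socket *sock, int protocol,
+struct sock *sk;
+ax25_cb *ax25;
+
++ if (protocol < 0 || protocol > SK_PROTOCOL_MAX)
++ return -EINVAL;
++
+if (!net_eq(net, &init_net))
+return -EAFNOSUPPORT;
+
+diff --git a/net/decnet/af_decnet.c b/net/decnet/af_decnet.c
+index dd4d506..c030d5c 100644
+--- a/net/decnet/af_decnet.c
++++ b/net/decnet/af_decnet.c
+@@ -677,6 +677,9 @@ static int dn_create(struct net *net, struct socket *sock, int protocol,
+{
+struct sock *sk;
+
++ if (protocol < 0 || protocol > SK_PROTOCOL_MAX)
++ return -EINVAL;
++
+if (!net_eq(net, &init_net))
+return -EAFNOSUPPORT;
+
+diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c
+index cfeb85c..09f9c04 100644
+--- a/net/ipv4/af_inet.c
++++ b/net/ipv4/af_inet.c
+@@ -288,6 +288,9 @@ static int inet_create(struct net *net, struct socket *sock, int protocol,
+if (sock->type != SOCK_RAW && sock->type != SOCK_DGRAM)
+build_ehash_secret();
+
++ if (protocol < 0 || protocol >= IPPROTO_MAX)
++ return -EINVAL;
++
+sock->state = SS_UNCONNECTED;
+
+/* Look for the requested type/protocol pair. */
+diff --git a/net/ipv6/af_inet6.c b/net/ipv6/af_inet6.c
+index 98e09df..0747e14 100644
+--- a/net/ipv6/af_inet6.c
++++ b/net/ipv6/af_inet6.c
+@@ -115,6 +115,9 @@ static int inet6_create(struct net *net, struct socket *sock, int protocol,
+!inet_ehash_secret)
+build_ehash_secret();
+
++ if (protocol < 0 || protocol >= IPPROTO_MAX)
++ return -EINVAL;
++
+/* Look for the requested type/protocol pair. */
+lookup_protocol:
+err = -ESOCKTNOSUPPORT;
+diff --git a/net/irda/af_irda.c b/net/irda/af_irda.c
+index a5e62ef5..f8133ff 100644
+--- a/net/irda/af_irda.c
++++ b/net/irda/af_irda.c
+@@ -1105,6 +1105,9 @@ static int irda_create(struct net *net, struct socket *sock, int protocol,
+
+IRDA_DEBUG(2, "%s()\n", __func__);
+
++ if (protocol < 0 || protocol > SK_PROTOCOL_MAX)
++ return -EINVAL;
++
+if (net != &init_net)
+return -EAFNOSUPPORT;
+
+--
+cgit v0.12
+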
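Review bot: The upper bound is written two ways in the embedded kernel patch: `protocol > SK_PROTOCOL_MAX` in ax25_create, dn_create and irda_create, and `protocol >= IPPROTO_MAX` in inet_create and inet6_create. In addition, `SK_PROTOCOL_MAX` is linked to the `sk_protocol : 8` bitfield in struct sock only by being placed on the next line. A short comment above the define, for example `/* largest value the 8-bit sk_protocol field can hold; *_create() must reject anything above it */`, would record why the limit exists and keep it in step with the field width. The patch validates five address families; whether other families in this 3.12 tree copy an unchecked `protocol` into the 8-bit field is not visible from this page and is worth confirming when the backport is integrated. All five create functions start and end outside the hunks shown.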
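diff --git a/recipes-kernel/linux/linux-qoriq_3.12.bbappend b/recipes-kernel/linux/linux-qoriq_3.12.bbappend
index 09a3d77..cc83b93 100644
--- a/recipes-kernel/linux/linux-qoriq_3.12.bbappend
+++ b/recipes-kernel/linux/linux-qoriq_3.12.bbappend
@@ -3,5 +3,6 @@ require recipes-kernel/linux/linux-qoriq-common.inc
 FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
 
 SRC_URI += "file://ppp-CVE-2015-8569.patch \
+file://net-CVE-2015-8543.patch \
 "
 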