diff options
| author | Sona Sarmadi <sona.sarmadi@enea.com> | 2016-08-12 13:00:15 +0200 |
|---|---|---|
| committer | Martin Borg <martin.borg@enea.com> | 2016-08-17 14:21:47 +0200 |
| commit | 305d736d17d5ca3b13922158e9418ce5e67c2757 (patch) | |
| tree | 7337ea4972b3058dcef8f0833a477c8e12716042 | |
| parent | 199694783798776d8649271fa8fa2c611a536a00 (diff) | |
| download | meta-enea-bsp-ppc-305d736d17d5ca3b13922158e9418ce5e67c2757.tar.gz | |
net-kernel: CVE-2016-2070
Fixes a divide-by-zero vulnerability in a way the linux kernel processes
TCP connections. The error can occur if a connection starts another cwnd
reduction phase by setting tp->prior_cwnd to the current cwnd (0) in
tcp_init_cwnd_reduction().
A remote, unauthenticated attacker could use this flaw to crash the
kernel (denial of service).
References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2070
Reference to upstream correction (backported from kernel.org 4.4 branch):
https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/patch/?id=8b8a321ff72c785ed5e8b4cf6eda20b35d427390
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Martin Borg <martin.borg@enea.com>
| -rw-r--r-- | recipes-kernel/linux/files/net-CVE-2016-2070.patch | 67 | ||||
| -rw-r--r-- | recipes-kernel/linux/linux-qoriq_3.12.bbappend | 1 |
2 files changed, 68 insertions, 0 deletions
diff --git a/recipes-kernel/linux/files/net-CVE-2016-2070.patch b/recipes-kernel/linux/files/net-CVE-2016-2070.patch new file mode 100644 index 0000000..b0e1200 --- /dev/null +++ b/recipes-kernel/linux/files/net-CVE-2016-2070.patch | |||
| @@ -0,0 +1,67 @@ | |||
| 1 | From 8b8a321ff72c785ed5e8b4cf6eda20b35d427390 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Yuchung Cheng <ycheng@google.com> | ||
| 3 | Date: Wed, 6 Jan 2016 12:42:38 -0800 | ||
| 4 | Subject: tcp: fix zero cwnd in tcp_cwnd_reduction | ||
| 5 | |||
| 6 | Patch 3759824da87b ("tcp: PRR uses CRB mode by default and SS mode | ||
| 7 | conditionally") introduced a bug that cwnd may become 0 when both | ||
| 8 | inflight and sndcnt are 0 (cwnd = inflight + sndcnt). This may lead | ||
| 9 | to a div-by-zero if the connection starts another cwnd reduction | ||
| 10 | phase by setting tp->prior_cwnd to the current cwnd (0) in | ||
| 11 | tcp_init_cwnd_reduction(). | ||
| 12 | |||
| 13 | To prevent this we skip PRR operation when nothing is acked or | ||
| 14 | sacked. Then cwnd must be positive in all cases as long as ssthresh | ||
| 15 | is positive: | ||
| 16 | |||
| 17 | 1) The proportional reduction mode | ||
| 18 | inflight > ssthresh > 0 | ||
| 19 | |||
| 20 | 2) The reduction bound mode | ||
| 21 | a) inflight == ssthresh > 0 | ||
| 22 | |||
| 23 | b) inflight < ssthresh | ||
| 24 | sndcnt > 0 since newly_acked_sacked > 0 and inflight < ssthresh | ||
| 25 | |||
| 26 | Therefore in all cases inflight and sndcnt can not both be 0. | ||
| 27 | We check invalid tp->prior_cwnd to avoid potential div0 bugs. | ||
| 28 | |||
| 29 | In reality this bug is triggered only with a sequence of less common | ||
| 30 | events. For example, the connection is terminating an ECN-triggered | ||
| 31 | cwnd reduction with an inflight 0, then it receives reordered/old | ||
| 32 | ACKs or DSACKs from prior transmission (which acks nothing). Or the | ||
| 33 | connection is in fast recovery stage that marks everything lost, | ||
| 34 | but fails to retransmit due to local issues, then receives data | ||
| 35 | packets from other end which acks nothing. | ||
| 36 | |||
| 37 | CVE: CVE-2016-2070 | ||
| 38 | Upstream-Status: Backport | ||
| 39 | |||
| 40 | Fixes: 3759824da87b ("tcp: PRR uses CRB mode by default and SS mode conditionally") | ||
| 41 | Reported-by: Oleksandr Natalenko <oleksandr@natalenko.name> | ||
| 42 | Signed-off-by: Yuchung Cheng <ycheng@google.com> | ||
| 43 | Signed-off-by: Neal Cardwell <ncardwell@google.com> | ||
| 44 | Signed-off-by: Eric Dumazet <edumazet@google.com> | ||
| 45 | Signed-off-by: David S. Miller <davem@davemloft.net> | ||
| 46 | Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> | ||
| 47 | --- | ||
| 48 | net/ipv4/tcp_input.c | 3 +++ | ||
| 49 | 1 file changed, 3 insertions(+) | ||
| 50 | |||
| 51 | diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c | ||
| 52 | index 2d656ee..d4c5115 100644 | ||
| 53 | --- a/net/ipv4/tcp_input.c | ||
| 54 | +++ b/net/ipv4/tcp_input.c | ||
| 55 | @@ -2478,6 +2478,9 @@ static void tcp_cwnd_reduction(struct sock *sk, const int prior_unsacked, | ||
| 56 | int newly_acked_sacked = prior_unsacked - | ||
| 57 | (tp->packets_out - tp->sacked_out); | ||
| 58 | |||
| 59 | + if (newly_acked_sacked <= 0 || WARN_ON_ONCE(!tp->prior_cwnd)) | ||
| 60 | + return; | ||
| 61 | + | ||
| 62 | tp->prr_delivered += newly_acked_sacked; | ||
| 63 | if (delta < 0) { | ||
| 64 | u64 dividend = (u64)tp->snd_ssthresh * tp->prr_delivered + | ||
| 65 | -- | ||
| 66 | cgit v0.12 | ||
| 67 | |||
diff --git a/recipes-kernel/linux/linux-qoriq_3.12.bbappend b/recipes-kernel/linux/linux-qoriq_3.12.bbappend index cc83b93..0ed4489 100644 --- a/recipes-kernel/linux/linux-qoriq_3.12.bbappend +++ b/recipes-kernel/linux/linux-qoriq_3.12.bbappend | |||
| @@ -4,5 +4,6 @@ FILESEXTRAPATHS_prepend := "${THISDIR}/files:" | |||
| 4 | 4 | ||
| 5 | SRC_URI += "file://ppp-CVE-2015-8569.patch \ | 5 | SRC_URI += "file://ppp-CVE-2015-8569.patch \ |
| 6 | file://net-CVE-2015-8543.patch \ | 6 | file://net-CVE-2015-8543.patch \ |
| 7 | file://net-CVE-2016-2070.patch \ | ||
| 7 | " | 8 | " |
| 8 | 9 | ||