diff options
author | Sona Sarmadi <sona.sarmadi@enea.com> | 2016-08-12 13:00:15 +0200 |
---|---|---|
committer | Martin Borg <martin.borg@enea.com> | 2016-08-17 14:21:47 +0200 |
commit | 305d736d17d5ca3b13922158e9418ce5e67c2757 (patch) | |
tree | 7337ea4972b3058dcef8f0833a477c8e12716042 | |
parent | 199694783798776d8649271fa8fa2c611a536a00 (diff) | |
download | meta-enea-bsp-ppc-305d736d17d5ca3b13922158e9418ce5e67c2757.tar.gz |
net-kernel: CVE-2016-2070
Fixes a divide-by-zero vulnerability in a way the linux kernel processes
TCP connections. The error can occur if a connection starts another cwnd
reduction phase by setting tp->prior_cwnd to the current cwnd (0) in
tcp_init_cwnd_reduction().
A remote, unauthenticated attacker could use this flaw to crash the
kernel (denial of service).
References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2070
Reference to upstream correction (backported from kernel.org 4.4 branch):
https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/patch/?id=8b8a321ff72c785ed5e8b4cf6eda20b35d427390
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Martin Borg <martin.borg@enea.com>
-rw-r--r-- | recipes-kernel/linux/files/net-CVE-2016-2070.patch | 67 | ||||
-rw-r--r-- | recipes-kernel/linux/linux-qoriq_3.12.bbappend | 1 |
2 files changed, 68 insertions, 0 deletions
diff --git a/recipes-kernel/linux/files/net-CVE-2016-2070.patch b/recipes-kernel/linux/files/net-CVE-2016-2070.patch new file mode 100644 index 0000000..b0e1200 --- /dev/null +++ b/recipes-kernel/linux/files/net-CVE-2016-2070.patch | |||
@@ -0,0 +1,67 @@ | |||
1 | From 8b8a321ff72c785ed5e8b4cf6eda20b35d427390 Mon Sep 17 00:00:00 2001 | ||
2 | From: Yuchung Cheng <ycheng@google.com> | ||
3 | Date: Wed, 6 Jan 2016 12:42:38 -0800 | ||
4 | Subject: tcp: fix zero cwnd in tcp_cwnd_reduction | ||
5 | |||
6 | Patch 3759824da87b ("tcp: PRR uses CRB mode by default and SS mode | ||
7 | conditionally") introduced a bug that cwnd may become 0 when both | ||
8 | inflight and sndcnt are 0 (cwnd = inflight + sndcnt). This may lead | ||
9 | to a div-by-zero if the connection starts another cwnd reduction | ||
10 | phase by setting tp->prior_cwnd to the current cwnd (0) in | ||
11 | tcp_init_cwnd_reduction(). | ||
12 | |||
13 | To prevent this we skip PRR operation when nothing is acked or | ||
14 | sacked. Then cwnd must be positive in all cases as long as ssthresh | ||
15 | is positive: | ||
16 | |||
17 | 1) The proportional reduction mode | ||
18 | inflight > ssthresh > 0 | ||
19 | |||
20 | 2) The reduction bound mode | ||
21 | a) inflight == ssthresh > 0 | ||
22 | |||
23 | b) inflight < ssthresh | ||
24 | sndcnt > 0 since newly_acked_sacked > 0 and inflight < ssthresh | ||
25 | |||
26 | Therefore in all cases inflight and sndcnt can not both be 0. | ||
27 | We check invalid tp->prior_cwnd to avoid potential div0 bugs. | ||
28 | |||
29 | In reality this bug is triggered only with a sequence of less common | ||
30 | events. For example, the connection is terminating an ECN-triggered | ||
31 | cwnd reduction with an inflight 0, then it receives reordered/old | ||
32 | ACKs or DSACKs from prior transmission (which acks nothing). Or the | ||
33 | connection is in fast recovery stage that marks everything lost, | ||
34 | but fails to retransmit due to local issues, then receives data | ||
35 | packets from other end which acks nothing. | ||
36 | |||
37 | CVE: CVE-2016-2070 | ||
38 | Upstream-Status: Backport | ||
39 | |||
40 | Fixes: 3759824da87b ("tcp: PRR uses CRB mode by default and SS mode conditionally") | ||
41 | Reported-by: Oleksandr Natalenko <oleksandr@natalenko.name> | ||
42 | Signed-off-by: Yuchung Cheng <ycheng@google.com> | ||
43 | Signed-off-by: Neal Cardwell <ncardwell@google.com> | ||
44 | Signed-off-by: Eric Dumazet <edumazet@google.com> | ||
45 | Signed-off-by: David S. Miller <davem@davemloft.net> | ||
46 | Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> | ||
47 | --- | ||
48 | net/ipv4/tcp_input.c | 3 +++ | ||
49 | 1 file changed, 3 insertions(+) | ||
50 | |||
51 | diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c | ||
52 | index 2d656ee..d4c5115 100644 | ||
53 | --- a/net/ipv4/tcp_input.c | ||
54 | +++ b/net/ipv4/tcp_input.c | ||
55 | @@ -2478,6 +2478,9 @@ static void tcp_cwnd_reduction(struct sock *sk, const int prior_unsacked, | ||
56 | int newly_acked_sacked = prior_unsacked - | ||
57 | (tp->packets_out - tp->sacked_out); | ||
58 | |||
59 | + if (newly_acked_sacked <= 0 || WARN_ON_ONCE(!tp->prior_cwnd)) | ||
60 | + return; | ||
61 | + | ||
62 | tp->prr_delivered += newly_acked_sacked; | ||
63 | if (delta < 0) { | ||
64 | u64 dividend = (u64)tp->snd_ssthresh * tp->prr_delivered + | ||
65 | -- | ||
66 | cgit v0.12 | ||
67 | |||
diff --git a/recipes-kernel/linux/linux-qoriq_3.12.bbappend b/recipes-kernel/linux/linux-qoriq_3.12.bbappend index cc83b93..0ed4489 100644 --- a/recipes-kernel/linux/linux-qoriq_3.12.bbappend +++ b/recipes-kernel/linux/linux-qoriq_3.12.bbappend | |||
@@ -4,5 +4,6 @@ FILESEXTRAPATHS_prepend := "${THISDIR}/files:" | |||
4 | 4 | ||
5 | SRC_URI += "file://ppp-CVE-2015-8569.patch \ | 5 | SRC_URI += "file://ppp-CVE-2015-8569.patch \ |
6 | file://net-CVE-2015-8543.patch \ | 6 | file://net-CVE-2015-8543.patch \ |
7 | file://net-CVE-2016-2070.patch \ | ||
7 | " | 8 | " |
8 | 9 | ||