netfilter: CVE-2014-8160

Fixes a flaw in the Linux kernel's netfilter subsystem. Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8160 Upstrem fix: https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/ patch/?id=efbf300ed821a533c3af71b1b122227febc28142 Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Paul Vaduva <Paul.Vaduva@enea.com>
author: Sona Sarmadi <sona.sarmadi@enea.com> 2016-01-08 15:05:54 +0100
committer: Paul Vaduva <Paul.Vaduva@enea.com> 2016-01-11 12:43:54 +0100
commit: 297be792a99a2ffdb13871f07bfb35eef6febdf2 (patch)
tree: dd6cf9b752ba958de00e2bee7b4c2f043eb22d0e
parent: 1ab831fc573b2a6db71d41fe0f0e47b643cbc863 (diff)
download: meta-enea-297be792a99a2ffdb13871f07bfb35eef6febdf2.tar.gz
2 files changed, 99 insertions, 0 deletions
diff --git a/recipes-kernel/linux/files/netfilter-CVE-2014-8160-3.14-kernel.patch b/recipes-kernel/linux/files/netfilter-CVE-2014-8160-3.14-kernel.patch
new file mode 100644
index 0000000..9e56598
--- /dev/null
+++ b/recipes-kernel/linux/files/netfilter-CVE-2014-8160-3.14-kernel.patch
@@ -0,0 +1,98 @@
+From efbf300ed821a533c3af71b1b122227febc28142 Mon Sep 17 00:00:00 2001
+From: Florian Westphal <fw@strlen.de>
+Date: Fri, 26 Sep 2014 11:35:42 +0200
+Subject: netfilter: conntrack: disable generic tracking for known protocols
+commit db29a9508a9246e77087c5531e45b2c88ec6988b upstream.
+Given following iptables ruleset:
+-P FORWARD DROP
+-A FORWARD -m sctp --dport 9 -j ACCEPT
+-A FORWARD -p tcp --dport 80 -j ACCEPT
+-A FORWARD -p tcp -m conntrack -m state ESTABLISHED,RELATED -j ACCEPT
+One would assume that this allows SCTP on port 9 and TCP on port 80.
+Unfortunately, if the SCTP conntrack module is not loaded, this allows
+*all* SCTP communication, to pass though, i.e. -p sctp -j ACCEPT,
+which we think is a security issue.
+This is because on the first SCTP packet on port 9, we create a dummy
+"generic l4" conntrack entry without any port information (since
+conntrack doesn't know how to extract this information).
+All subsequent packets that are unknown will then be in established
+state since they will fallback to proto_generic and will match the
+'generic' entry.
+Our originally proposed version [1] completely disabled generic protocol
+tracking, but Jozsef suggests to not track protocols for which a more
+suitable helper is available, hence we now mitigate the issue for in
+tree known ct protocol helpers only, so that at least NAT and direction
+information will still be preserved for others.
+ [1] http://www.spinics.net/lists/netfilter-devel/msg33430.html
+Joint work with Daniel Borkmann.
+Fixes CVE-2014-8160.
+Upstream-Status: Backport
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
+Acked-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Zhiqiang Zhang <zhangzhiqiang.zhang@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ net/netfilter/nf_conntrack_proto_generic.c | 26 +++++++++++++++++++++++++-
+ 1 file changed, 25 insertions(+), 1 deletion(-)
+diff --git a/net/netfilter/nf_conntrack_proto_generic.c b/net/netfilter/nf_conntrack_proto_generic.c
+index d25f293..957c1db 100644
+--- a/net/netfilter/nf_conntrack_proto_generic.c
+++ b/net/netfilter/nf_conntrack_proto_generic.c
+@@ -14,6 +14,30 @@
+ 
+ static unsigned int nf_ct_generic_timeout __read_mostly = 600*HZ;
+ 
+static bool nf_generic_should_process(u8 proto)
+{
+       switch (proto) {
+#ifdef CONFIG_NF_CT_PROTO_SCTP_MODULE
+       case IPPROTO_SCTP:
+               return false;
+#endif
+#ifdef CONFIG_NF_CT_PROTO_DCCP_MODULE
+       case IPPROTO_DCCP:
+               return false;
+#endif
+#ifdef CONFIG_NF_CT_PROTO_GRE_MODULE
+       case IPPROTO_GRE:
+               return false;
+#endif
+#ifdef CONFIG_NF_CT_PROTO_UDPLITE_MODULE
+       case IPPROTO_UDPLITE:
+               return false;
+#endif
+       default:
+               return true;
+       }
+}
+
+ static inline struct nf_generic_net *generic_pernet(struct net *net)
+ {
+        return &net->ct.nf_ct_proto.generic;
+@@ -67,7 +91,7 @@ static int generic_packet(struct nf_conn *ct,
+ static bool generic_new(struct nf_conn *ct, const struct sk_buff *skb,
+                        unsigned int dataoff, unsigned int *timeouts)
+ {
+-       return true;
+       return nf_generic_should_process(nf_ct_protonum(ct));
+ }
+ 
+ #if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
+-- 
+cgit v0.11.2
diff --git a/recipes-kernel/linux/linux-yocto_3.14.bbappend b/recipes-kernel/linux/linux-yocto_3.14.bbappend
index 0f6b5f1..b7933d1 100644
--- a/recipes-kernel/linux/linux-yocto_3.14.bbappend
+++ b/recipes-kernel/linux/linux-yocto_3.14.bbappend
@@ -2,6 +2,7 @@ FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
 SRC_URI += "file://HID_CVE_patches/0005-HID-steelseries-validate-output-report-details.patch \
            file://splice-CVE-2014-7822-3.14-kernel.patch \
+            file://netfilter-CVE-2014-8160-3.14-kernel.patch \
            file://keys-CVE-2015-1333.patch \
            file://udp_fix_behavior_of_wrong_checksums.patch \
            file://net-CVE-2015-2041.patch \
author	Sona Sarmadi <sona.sarmadi@enea.com>	2016-01-08 15:05:54 +0100
committer	Paul Vaduva <Paul.Vaduva@enea.com>	2016-01-11 12:43:54 +0100
commit	297be792a99a2ffdb13871f07bfb35eef6febdf2 (patch)
tree	dd6cf9b752ba958de00e2bee7b4c2f043eb22d0e
parent	1ab831fc573b2a6db71d41fe0f0e47b643cbc863 (diff)
download	meta-enea-297be792a99a2ffdb13871f07bfb35eef6febdf2.tar.gz

diff --git a/recipes-kernel/linux/files/netfilter-CVE-2014-8160-3.14-kernel.patch b/recipes-kernel/linux/files/netfilter-CVE-2014-8160-3.14-kernel.patch new file mode 100644 index 0000000..9e56598 --- /dev/null +++ b/recipes-kernel/linux/files/netfilter-CVE-2014-8160-3.14-kernel.patch
@@ -0,0 +1,98 @@
		1	From efbf300ed821a533c3af71b1b122227febc28142 Mon Sep 17 00:00:00 2001
		2	From: Florian Westphal <fw@strlen.de>
		3	Date: Fri, 26 Sep 2014 11:35:42 +0200
		4	Subject: netfilter: conntrack: disable generic tracking for known protocols
		5
		6	commit db29a9508a9246e77087c5531e45b2c88ec6988b upstream.
		7
		8	Given following iptables ruleset:
		9
		10	-P FORWARD DROP
		11	-A FORWARD -m sctp --dport 9 -j ACCEPT
		12	-A FORWARD -p tcp --dport 80 -j ACCEPT
		13	-A FORWARD -p tcp -m conntrack -m state ESTABLISHED,RELATED -j ACCEPT
		14
		15	One would assume that this allows SCTP on port 9 and TCP on port 80.
		16	Unfortunately, if the SCTP conntrack module is not loaded, this allows
		17	all SCTP communication, to pass though, i.e. -p sctp -j ACCEPT,
		18	which we think is a security issue.
		19
		20	This is because on the first SCTP packet on port 9, we create a dummy
		21	"generic l4" conntrack entry without any port information (since
		22	conntrack doesn't know how to extract this information).
		23
		24	All subsequent packets that are unknown will then be in established
		25	state since they will fallback to proto_generic and will match the
		26	'generic' entry.
		27
		28	Our originally proposed version [1] completely disabled generic protocol
		29	tracking, but Jozsef suggests to not track protocols for which a more
		30	suitable helper is available, hence we now mitigate the issue for in
		31	tree known ct protocol helpers only, so that at least NAT and direction
		32	information will still be preserved for others.
		33
		34	[1] http://www.spinics.net/lists/netfilter-devel/msg33430.html
		35
		36	Joint work with Daniel Borkmann.
		37
		38	Fixes CVE-2014-8160.
		39	Upstream-Status: Backport
		40
		41	Signed-off-by: Florian Westphal <fw@strlen.de>
		42	Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
		43	Acked-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
		44	Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
		45	Signed-off-by: Zhiqiang Zhang <zhangzhiqiang.zhang@huawei.com>
		46	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
		47	Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
		48	---
		49	net/netfilter/nf_conntrack_proto_generic.c \| 26 +++++++++++++++++++++++++-
		50	1 file changed, 25 insertions(+), 1 deletion(-)
		51
		52	diff --git a/net/netfilter/nf_conntrack_proto_generic.c b/net/netfilter/nf_conntrack_proto_generic.c
		53	index d25f293..957c1db 100644
		54	--- a/net/netfilter/nf_conntrack_proto_generic.c
		55	+++ b/net/netfilter/nf_conntrack_proto_generic.c
		56	@@ -14,6 +14,30 @@
		57
		58	static unsigned int nf_ct_generic_timeout __read_mostly = 600*HZ;
		59
		60	+static bool nf_generic_should_process(u8 proto)
		61	+{
		62	+ switch (proto) {
		63	+#ifdef CONFIG_NF_CT_PROTO_SCTP_MODULE
		64	+ case IPPROTO_SCTP:
		65	+ return false;
		66	+#endif
		67	+#ifdef CONFIG_NF_CT_PROTO_DCCP_MODULE
		68	+ case IPPROTO_DCCP:
		69	+ return false;
		70	+#endif
		71	+#ifdef CONFIG_NF_CT_PROTO_GRE_MODULE
		72	+ case IPPROTO_GRE:
		73	+ return false;
		74	+#endif
		75	+#ifdef CONFIG_NF_CT_PROTO_UDPLITE_MODULE
		76	+ case IPPROTO_UDPLITE:
		77	+ return false;
		78	+#endif
		79	+ default:
		80	+ return true;
		81	+ }
		82	+}
		83	+
		84	static inline struct nf_generic_net generic_pernet(struct net net)
		85	{
		86	return &net->ct.nf_ct_proto.generic;
		87	@@ -67,7 +91,7 @@ static int generic_packet(struct nf_conn *ct,
		88	static bool generic_new(struct nf_conn ct, const struct sk_buff skb,
		89	unsigned int dataoff, unsigned int *timeouts)
		90	{
		91	- return true;
		92	+ return nf_generic_should_process(nf_ct_protonum(ct));
		93	}
		94
		95	#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
		96	--
		97	cgit v0.11.2
		98


diff --git a/recipes-kernel/linux/linux-yocto_3.14.bbappend b/recipes-kernel/linux/linux-yocto_3.14.bbappend index 0f6b5f1..b7933d1 100644 --- a/recipes-kernel/linux/linux-yocto_3.14.bbappend +++ b/recipes-kernel/linux/linux-yocto_3.14.bbappend
@@ -2,6 +2,7 @@ FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
2		2
3	SRC_URI += "file://HID_CVE_patches/0005-HID-steelseries-validate-output-report-details.patch \	3	SRC_URI += "file://HID_CVE_patches/0005-HID-steelseries-validate-output-report-details.patch \
4	file://splice-CVE-2014-7822-3.14-kernel.patch \	4	file://splice-CVE-2014-7822-3.14-kernel.patch \
		5	file://netfilter-CVE-2014-8160-3.14-kernel.patch \
5	file://keys-CVE-2015-1333.patch \	6	file://keys-CVE-2015-1333.patch \
6	file://udp_fix_behavior_of_wrong_checksums.patch \	7	file://udp_fix_behavior_of_wrong_checksums.patch \
7	file://net-CVE-2015-2041.patch \	8	file://net-CVE-2015-2041.patch \