author | Sona Sarmadi <sona.sarmadi@enea.com> | 2016-01-08 15:05:54 +0100 |
---|---|---|
committer | Paul Vaduva <Paul.Vaduva@enea.com> | 2016-01-11 12:43:54 +0100 |
commit | 297be792a99a2ffdb13871f07bfb35eef6febdf2 (patch) | |
tree | dd6cf9b752ba958de00e2bee7b4c2f043eb22d0e | |
parent | 1ab831fc573b2a6db71d41fe0f0e47b643cbc863 (diff) | |
download | meta-enea-297be792a99a2ffdb13871f07bfb35eef6febdf2.tar.gz |
netfilter: CVE-2014-8160
Fixes a flaw in the Linux kernel's netfilter subsystem.
Reference:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8160
Upstream fix:
https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/
patch/?id=efbf300ed821a533c3af71b1b122227febc28142
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Paul Vaduva <Paul.Vaduva@enea.com>
-rw-r--r-- | recipes-kernel/linux/files/netfilter-CVE-2014-8160-3.14-kernel.patch | 98 | ||||
-rw-r--r-- | recipes-kernel/linux/linux-yocto_3.14.bbappend | 1 |
2 files changed, 99 insertions, 0 deletions
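--- /dev/null
+++ b/recipes-kernel/linux/files/netfilter-CVE-2014-8160-3.14-kernel.patch
@@ -0,0 +1,98 @@
+From efbf300ed821a533c3af71b1b122227febc28142 Mon Sep 17 00:00:00 2001
+From: Florian Westphal <fw@strlen.de>
+Date: Fri, 26 Sep 2014 11:35:42 +0200
+Subject: netfilter: conntrack: disable generic tracking for known protocols
+
+commit db29a9508a9246e77087c5531e45b2c88ec6988b upstream.
+
+Given following iptables ruleset:
+
+-P FORWARD DROP
+-A FORWARD -m sctp --dport 9 -j ACCEPT
+-A FORWARD -p tcp --dport 80 -j ACCEPT
+-A FORWARD -p tcp -m conntrack -m state ESTABLISHED,RELATED -j ACCEPT
+
+One would assume that this allows SCTP on port 9 and TCP on port 80.
+Unfortunately, if the SCTP conntrack module is not loaded, this allows
+*all* SCTP communication, to pass though, i.e. -p sctp -j ACCEPT,
+which we think is a security issue.
+
+This is because on the first SCTP packet on port 9, we create a dummy
+"generic l4" conntrack entry without any port information (since
+conntrack doesn't know how to extract this information).
+
+All subsequent packets that are unknown will then be in established
+state since they will fallback to proto_generic and will match the
+'generic' entry.
+
+Our originally proposed version [1] completely disabled generic protocol
+tracking, but Jozsef suggests to not track protocols for which a more
+suitable helper is available, hence we now mitigate the issue for in
+tree known ct protocol helpers only, so that at least NAT and direction
+information will still be preserved for others.
+
+[1] http://www.spinics.net/lists/netfilter-devel/msg33430.html
+
+Joint work with Daniel Borkmann.
+
+Fixes CVE-2014-8160.
+Upstream-Status: Backport
+
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
+Acked-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Zhiqiang Zhang <zhangzhiqiang.zhang@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+net/netfilter/nf_conntrack_proto_generic.c | 26 +++++++++++++++++++++++++-
+1 file changed, 25 insertions(+), 1 deletion(-)
+
+diff --git a/net/netfilter/nf_conntrack_proto_generic.c b/net/netfilter/nf_conntrack_proto_generic.c
+index d25f293..957c1db 100644
+--- a/net/netfilter/nf_conntrack_proto_generic.c
++++ b/net/netfilter/nf_conntrack_proto_generic.c
+@@ -14,6 +14,30 @@
+
+static unsigned int nf_ct_generic_timeout __read_mostly = 600*HZ;
+
++static bool nf_generic_should_process(u8 proto)
++{
++	switch (proto) {
++#ifdef CONFIG_NF_CT_PROTO_SCTP_MODULE
++	case IPPROTO_SCTP:
++		return false;
++#endif
++#ifdef CONFIG_NF_CT_PROTO_DCCP_MODULE
++	case IPPROTO_DCCP:
++		return false;
++#endif
++#ifdef CONFIG_NF_CT_PROTO_GRE_MODULE
++	case IPPROTO_GRE:
++		return false;
++#endif
++#ifdef CONFIG_NF_CT_PROTO_UDPLITE_MODULE
++	case IPPROTO_UDPLITE:
++		return false;
++#endif
++	default:
++		return true;
++	}
++}
++
+static inline struct nf_generic_net *generic_pernet(struct net *net)
+{
+return &net->ct.nf_ct_proto.generic;
+@@ -67,7 +91,7 @@ static int generic_packet(struct nf_conn *ct,
+static bool generic_new(struct nf_conn *ct, const struct sk_buff *skb,
+unsigned int dataoff, unsigned int *timeouts)
+{
+-	return true;
++	return nf_generic_should_process(nf_ct_protonum(ct));
+}
+
+#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
+--
+cgit v0.11.2
+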
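Review bot: The `#ifdef CONFIG_NF_CT_PROTO_*_MODULE` guards in nf_generic_should_process (nested hunk `@@ -14,6 +14,30 @@`) leave undocumented why the `_MODULE` symbol is tested rather than the plain config option; presumably a built-in tracker is always registered so the generic tracker never sees those protocols and only the loadable-but-unloaded case needs the refusal, but that reasoning is not visible in the code and a later backporter could "fix" it to `IS_ENABLED()` or drop it. A comment above the switch such as `/* refuse protocols whose in-tree tracker is built as a module: if it is not loaded, a generic entry would let all traffic of that protocol match ESTABLISHED */` would capture the intent. Note also that when a tracker is neither built in nor built as a module, its case is compiled out and the `default` branch still returns true, so this backport only changes behaviour for protocols the 3.14 kernel config for this recipe actually builds a tracker for; the recipe's defconfig is not part of this commit, so that should be confirmed separately.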
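--- a/recipes-kernel/linux/linux-yocto_3.14.bbappend
+++ b/recipes-kernel/linux/linux-yocto_3.14.bbappend
@@ -2,6 +2,7 @@ FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
 
 SRC_URI += "file://HID_CVE_patches/0005-HID-steelseries-validate-output-report-details.patch \
 file://splice-CVE-2014-7822-3.14-kernel.patch \
+file://netfilter-CVE-2014-8160-3.14-kernel.patch \
 file://keys-CVE-2015-1333.patch \
 file://udp_fix_behavior_of_wrong_checksums.patch \
 file://net-CVE-2015-2041.patch \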