kernel: net: CVE-2015-2041

Fixes information leak in llc2_timeout_table. References: http://www.openwall.com/lists/oss-security/2015/02/20/19 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2041 Upstream fix: https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/ commit/?id=ecca64226ce2960280921e09ae33e90f82b5c408 Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Tudor Florea <tudor.florea@enea.com>
author: Sona Sarmadi <sona.sarmadi@enea.com> 2015-11-20 12:54:04 +0100
committer: Tudor Florea <tudor.florea@enea.com> 2015-11-20 19:41:28 +0100
commit: b03530492a27f14a49010d411e9b8d753b7fe48a (patch)
tree: 3df67a5de82d647d5ab386cca365c43785a2999f
parent: fbdcccc729c468e927ae1e2a86493834ff0ace2a (diff)
download: meta-enea-b03530492a27f14a49010d411e9b8d753b7fe48a.tar.gz
2 files changed, 63 insertions, 0 deletions
diff --git a/recipes-kernel/linux/files/net-CVE-2015-2041.patch b/recipes-kernel/linux/files/net-CVE-2015-2041.patch
new file mode 100644
index 0000000..e0754cd
--- /dev/null
+++ b/recipes-kernel/linux/files/net-CVE-2015-2041.patch
@@ -0,0 +1,62 @@
+From ecca64226ce2960280921e09ae33e90f82b5c408 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sasha.levin@oracle.com>
+Date: Fri, 23 Jan 2015 20:47:00 -0500
+Subject: [PATCH] net: llc: use correct size for sysctl timeout entries
+commit 6b8d9117ccb4f81b1244aafa7bc70ef8fa45fc49 upstream.
+The timeout entries are sizeof(int) rather than sizeof(long), which
+means that when they were getting read we'd also leak kernel memory
+to userspace along with the timeout values.
+Fixes CVE-2015-2041
+Upstream-Status: Backport
+Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ net/llc/sysctl_net_llc.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+diff --git a/net/llc/sysctl_net_llc.c b/net/llc/sysctl_net_llc.c
+index 612a5dd..799bafc 100644
+--- a/net/llc/sysctl_net_llc.c
+++ b/net/llc/sysctl_net_llc.c
+@@ -18,28 +18,28 @@ static struct ctl_table llc2_timeout_table[] = {
+        {
+                .procname       = "ack",
+                .data           = &sysctl_llc2_ack_timeout,
+-               .maxlen         = sizeof(long),
+               .maxlen         = sizeof(sysctl_llc2_ack_timeout),
+                .mode           = 0644,
+                .proc_handler   = proc_dointvec_jiffies,
+        },
+        {
+                .procname       = "busy",
+                .data           = &sysctl_llc2_busy_timeout,
+-               .maxlen         = sizeof(long),
+               .maxlen         = sizeof(sysctl_llc2_busy_timeout),
+                .mode           = 0644,
+                .proc_handler   = proc_dointvec_jiffies,
+        },
+        {
+                .procname       = "p",
+                .data           = &sysctl_llc2_p_timeout,
+-               .maxlen         = sizeof(long),
+               .maxlen         = sizeof(sysctl_llc2_p_timeout),
+                .mode           = 0644,
+                .proc_handler   = proc_dointvec_jiffies,
+        },
+        {
+                .procname       = "rej",
+                .data           = &sysctl_llc2_rej_timeout,
+-               .maxlen         = sizeof(long),
+               .maxlen         = sizeof(sysctl_llc2_rej_timeout),
+                .mode           = 0644,
+                .proc_handler   = proc_dointvec_jiffies,
+        },
+-- 
+1.9.1
diff --git a/recipes-kernel/linux/linux-yocto_3.14.bbappend b/recipes-kernel/linux/linux-yocto_3.14.bbappend
index bab3136..5b7cdf3 100644
--- a/recipes-kernel/linux/linux-yocto_3.14.bbappend
+++ b/recipes-kernel/linux/linux-yocto_3.14.bbappend
@@ -3,4 +3,5 @@ FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
 SRC_URI += "file://HID_CVE_patches/0005-HID-steelseries-validate-output-report-details.patch \
            file://keys-CVE-2015-1333.patch \
            file://udp_fix_behavior_of_wrong_checksums.patch \
+            file://net-CVE-2015-2041.patch \
           "
author	Sona Sarmadi <sona.sarmadi@enea.com>	2015-11-20 12:54:04 +0100
committer	Tudor Florea <tudor.florea@enea.com>	2015-11-20 19:41:28 +0100
commit	b03530492a27f14a49010d411e9b8d753b7fe48a (patch)
tree	3df67a5de82d647d5ab386cca365c43785a2999f
parent	fbdcccc729c468e927ae1e2a86493834ff0ace2a (diff)
download	meta-enea-b03530492a27f14a49010d411e9b8d753b7fe48a.tar.gz

diff --git a/recipes-kernel/linux/files/net-CVE-2015-2041.patch b/recipes-kernel/linux/files/net-CVE-2015-2041.patch new file mode 100644 index 0000000..e0754cd --- /dev/null +++ b/recipes-kernel/linux/files/net-CVE-2015-2041.patch
@@ -0,0 +1,62 @@
		1	From ecca64226ce2960280921e09ae33e90f82b5c408 Mon Sep 17 00:00:00 2001
		2	From: Sasha Levin <sasha.levin@oracle.com>
		3	Date: Fri, 23 Jan 2015 20:47:00 -0500
		4	Subject: [PATCH] net: llc: use correct size for sysctl timeout entries
		5
		6	commit 6b8d9117ccb4f81b1244aafa7bc70ef8fa45fc49 upstream.
		7
		8	The timeout entries are sizeof(int) rather than sizeof(long), which
		9	means that when they were getting read we'd also leak kernel memory
		10	to userspace along with the timeout values.
		11
		12	Fixes CVE-2015-2041
		13	Upstream-Status: Backport
		14
		15	Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
		16	Signed-off-by: David S. Miller <davem@davemloft.net>
		17	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
		18	Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
		19	---
		20	net/llc/sysctl_net_llc.c \| 8 ++++----
		21	1 file changed, 4 insertions(+), 4 deletions(-)
		22
		23	diff --git a/net/llc/sysctl_net_llc.c b/net/llc/sysctl_net_llc.c
		24	index 612a5dd..799bafc 100644
		25	--- a/net/llc/sysctl_net_llc.c
		26	+++ b/net/llc/sysctl_net_llc.c
		27	@@ -18,28 +18,28 @@ static struct ctl_table llc2_timeout_table[] = {
		28	{
		29	.procname = "ack",
		30	.data = &sysctl_llc2_ack_timeout,
		31	- .maxlen = sizeof(long),
		32	+ .maxlen = sizeof(sysctl_llc2_ack_timeout),
		33	.mode = 0644,
		34	.proc_handler = proc_dointvec_jiffies,
		35	},
		36	{
		37	.procname = "busy",
		38	.data = &sysctl_llc2_busy_timeout,
		39	- .maxlen = sizeof(long),
		40	+ .maxlen = sizeof(sysctl_llc2_busy_timeout),
		41	.mode = 0644,
		42	.proc_handler = proc_dointvec_jiffies,
		43	},
		44	{
		45	.procname = "p",
		46	.data = &sysctl_llc2_p_timeout,
		47	- .maxlen = sizeof(long),
		48	+ .maxlen = sizeof(sysctl_llc2_p_timeout),
		49	.mode = 0644,
		50	.proc_handler = proc_dointvec_jiffies,
		51	},
		52	{
		53	.procname = "rej",
		54	.data = &sysctl_llc2_rej_timeout,
		55	- .maxlen = sizeof(long),
		56	+ .maxlen = sizeof(sysctl_llc2_rej_timeout),
		57	.mode = 0644,
		58	.proc_handler = proc_dointvec_jiffies,
		59	},
		60	--
		61	1.9.1
		62


diff --git a/recipes-kernel/linux/linux-yocto_3.14.bbappend b/recipes-kernel/linux/linux-yocto_3.14.bbappend index bab3136..5b7cdf3 100644 --- a/recipes-kernel/linux/linux-yocto_3.14.bbappend +++ b/recipes-kernel/linux/linux-yocto_3.14.bbappend
@@ -3,4 +3,5 @@ FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
3	SRC_URI += "file://HID_CVE_patches/0005-HID-steelseries-validate-output-report-details.patch \	3	SRC_URI += "file://HID_CVE_patches/0005-HID-steelseries-validate-output-report-details.patch \
4	file://keys-CVE-2015-1333.patch \	4	file://keys-CVE-2015-1333.patch \
5	file://udp_fix_behavior_of_wrong_checksums.patch \	5	file://udp_fix_behavior_of_wrong_checksums.patch \
		6	file://net-CVE-2015-2041.patch \
6	"	7	"