From 7cbee3a8d8f99476493ba634db9ff9228f08ee16 Mon Sep 17 00:00:00 2001
From: Ting Liu
Date: Fri, 17 Mar 2017 15:51:06 +0800
Subject: linux-qoriq: update to b14540e

* merged upstream v4.1.35 release.
* support LS1012A
* Includes additional workarounds for Chip Errata: A-010284, A-010150, A-008975
Signed-off-by: Zhenhua Luo
Signed-off-by: Otavio Salvador
---
 .../CVE-2016-5696-limiting-of-all-challenge.patch | 111 ---------------------
 ...5696-make-challenge-acks-less-predictable.patch | 90 -----------------
 recipes-kernel/linux/linux-qoriq_4.1.bb | 5 +-
 3 files changed, 2 insertions(+), 204 deletions(-)
 delete mode 100644 recipes-kernel/linux/linux-qoriq/CVE-2016-5696-limiting-of-all-challenge.patch
 delete mode 100644 recipes-kernel/linux/linux-qoriq/CVE-2016-5696-make-challenge-acks-less-predictable.patch
(limited to 'recipes-kernel')

diff --git a/recipes-kernel/linux/linux-qoriq/CVE-2016-5696-limiting-of-all-challenge.patch b/recipes-kernel/linux/linux-qoriq/CVE-2016-5696-limiting-of-all-challenge.patch
deleted file mode 100644
index d1f97cd5..00000000
--- a/recipes-kernel/linux/linux-qoriq/CVE-2016-5696-limiting-of-all-challenge.patch
+++ /dev/null
@@ -1,111 +0,0 @@
-From 5413f1a526d2d51d7a5768133c90936c017165c6 Mon Sep 17 00:00:00 2001
-From: Jason Baron
-Date: Thu, 14 Jul 2016 11:38:40 -0400
-Subject: [PATCH] tcp: enable per-socket rate limiting of all 'challenge acks'
-
-[ Upstream commit 083ae308280d13d187512b9babe3454342a7987e ]
-
-The per-socket rate limit for 'challenge acks' was introduced in the
-context of limiting ack loops:
-
-commit f2b2c582e824 ("tcp: mitigate ACK loops for connections as tcp_sock")
-
-And I think it can be extended to rate limit all 'challenge acks' on a
-per-socket basis.
-
-Since we have the global tcp_challenge_ack_limit, this patch allows for
-tcp_challenge_ack_limit to be set to a large value and effectively rely on
-the per-socket limit, or set tcp_challenge_ack_limit to a lower value and
-still prevents a single connections from consuming the entire challenge ack
-quota.
-
-It further moves in the direction of eliminating the global limit at some
-point, as Eric Dumazet has suggested. This a follow-up to:
-Subject: tcp: make challenge acks less predictable
-
-CVE: CVE-2016-5696
-Upstream-Status: Backport
-
-Cc: Eric Dumazet
-Cc: David S. Miller
-Cc: Neal Cardwell
-Cc: Yuchung Cheng
-Cc: Yue Cao
-Signed-off-by: Jason Baron
-Signed-off-by: David S. Miller
-Signed-off-by: Greg Kroah-Hartman
-Signed-off-by: Sona Sarmadi
-Signed-off-by: Adrian Dudau
-
----
- net/ipv4/tcp_input.c | 39 ++++++++++++++++++++++-----------------
- 1 file changed, 22 insertions(+), 17 deletions(-)
-
-diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
-index 05f10df..12b98e2 100644
---- a/net/ipv4/tcp_input.c
-+++ b/net/ipv4/tcp_input.c
-@@ -3390,6 +3390,23 @@ static int tcp_ack_update_window(struct sock *sk, const struct sk_buff *skb, u32
- return flag;
- }
- 
-+static bool __tcp_oow_rate_limited(struct net *net, int mib_idx,
-+ u32 *last_oow_ack_time)
-+{
-+ if (*last_oow_ack_time) {
-+ s32 elapsed = (s32)(tcp_time_stamp - *last_oow_ack_time);
-+
-+ if (0 <= elapsed && elapsed < sysctl_tcp_invalid_ratelimit) {
-+ NET_INC_STATS_BH(net, mib_idx);
-+ return true; /* rate-limited: don't send yet! */
-+ }
-+ }
-+
-+ *last_oow_ack_time = tcp_time_stamp;
-+
-+ return false; /* not rate-limited: go ahead, send dupack now! */
-+}
-+
- /* Return true if we're currently rate-limiting out-of-window ACKs and
- * thus shouldn't send a dupack right now. We rate-limit dupacks in
- * response to out-of-window SYNs or ACKs to mitigate ACK loops or DoS
-@@ -3403,21 +3420,9 @@ bool tcp_oow_rate_limited(struct net *net, const struct sk_buff *skb,
- /* Data packets without SYNs are not likely part of an ACK loop. */
- if ((TCP_SKB_CB(skb)->seq != TCP_SKB_CB(skb)->end_seq) &&
- !tcp_hdr(skb)->syn)
-- goto not_rate_limited;
--
-- if (*last_oow_ack_time) {
-- s32 elapsed = (s32)(tcp_time_stamp - *last_oow_ack_time);
--
-- if (0 <= elapsed && elapsed < sysctl_tcp_invalid_ratelimit) {
-- NET_INC_STATS_BH(net, mib_idx);
-- return true; /* rate-limited: don't send yet! */
-- }
-- }
--
-- *last_oow_ack_time = tcp_time_stamp;
-+ return false;
- 
--not_rate_limited:
-- return false; /* not rate-limited: go ahead, send dupack now! */
-+ return __tcp_oow_rate_limited(net, mib_idx, last_oow_ack_time);
- }
- 
- /* RFC 5961 7 [ACK Throttling] */
-@@ -3430,9 +3435,9 @@ static void tcp_send_challenge_ack(struct sock *sk, const struct sk_buff *skb)
- u32 count, now;
- 
- /* First check our per-socket dupack rate limit. */
-- if (tcp_oow_rate_limited(sock_net(sk), skb,
-- LINUX_MIB_TCPACKSKIPPEDCHALLENGE,
-- &tp->last_oow_ack_time))
-+ if (__tcp_oow_rate_limited(sock_net(sk),
-+ LINUX_MIB_TCPACKSKIPPEDCHALLENGE,
-+ &tp->last_oow_ack_time))
- return;
- 
- /* Then check host-wide RFC 5961 rate limit. */
--- 
-1.9.1
-
diff --git a/recipes-kernel/linux/linux-qoriq/CVE-2016-5696-make-challenge-acks-less-predictable.patch b/recipes-kernel/linux/linux-qoriq/CVE-2016-5696-make-challenge-acks-less-predictable.patch
deleted file mode 100644
index 072671a2..00000000
--- a/recipes-kernel/linux/linux-qoriq/CVE-2016-5696-make-challenge-acks-less-predictable.patch
+++ /dev/null
@@ -1,90 +0,0 @@
-From 72c2d3bccaba4a0a4de354f9d2d24eccd05bfccf Mon Sep 17 00:00:00 2001
-From: Eric Dumazet
-Date: Sun, 10 Jul 2016 10:04:02 +0200
-Subject: [PATCH] tcp: make challenge acks less predictable
-
-[ Upstream commit 75ff39ccc1bd5d3c455b6822ab09e533c551f758 ]
-
-Yue Cao claims that current host rate limiting of challenge ACKS
-(RFC 5961) could leak enough information to allow a patient attacker
-to hijack TCP sessions. He will soon provide details in an academic
-paper.
-
-This patch increases the default limit from 100 to 1000, and adds
-some randomization so that the attacker can no longer hijack
-sessions without spending a considerable amount of probes.
-
-Based on initial analysis and patch from Linus.
-
-Note that we also have per socket rate limiting, so it is tempting
-to remove the host limit in the future.
-
-v2: randomize the count of challenge acks per second, not the period.
-
-CVE: CVE-2016-5696
-Upstream-Status: Backport
-
-Fixes: 282f23c6ee34 ("tcp: implement RFC 5961 3.2")
-Reported-by: Yue Cao
-Signed-off-by: Eric Dumazet
-Suggested-by: Linus Torvalds
-Cc: Yuchung Cheng
-Cc: Neal Cardwell
-Acked-by: Neal Cardwell
-Acked-by: Yuchung Cheng
-Signed-off-by: David S. Miller
-Signed-off-by: Greg Kroah-Hartman
-Signed-off-by: Sona Sarmadi
-Signed-off-by: Adrian Dudau
-
----
- net/ipv4/tcp_input.c | 15 ++++++++++-----
- 1 file changed, 10 insertions(+), 5 deletions(-)
-
-diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
-index d4c5115..05f10df 100644
---- a/net/ipv4/tcp_input.c
-+++ b/net/ipv4/tcp_input.c
-@@ -89,7 +89,7 @@ int sysctl_tcp_adv_win_scale __read_mostly = 1;
- EXPORT_SYMBOL(sysctl_tcp_adv_win_scale);
- 
- /* rfc5961 challenge ack rate limiting */
--int sysctl_tcp_challenge_ack_limit = 100;
-+int sysctl_tcp_challenge_ack_limit = 1000;
- 
- int sysctl_tcp_stdurg __read_mostly;
- int sysctl_tcp_rfc1337 __read_mostly;
-@@ -3427,7 +3427,7 @@ static void tcp_send_challenge_ack(struct sock *sk, const struct sk_buff *skb)
- static u32 challenge_timestamp;
- static unsigned int challenge_count;
- struct tcp_sock *tp = tcp_sk(sk);
-- u32 now;
-+ u32 count, now;
- 
- /* First check our per-socket dupack rate limit. */
- if (tcp_oow_rate_limited(sock_net(sk), skb,
-@@ -3435,13 +3435,18 @@ static void tcp_send_challenge_ack(struct sock *sk, const struct sk_buff *skb)
- &tp->last_oow_ack_time))
- return;
- 
-- /* Then check the check host-wide RFC 5961 rate limit. */
-+ /* Then check host-wide RFC 5961 rate limit. */
- now = jiffies / HZ;
- if (now != challenge_timestamp) {
-+ u32 half = (sysctl_tcp_challenge_ack_limit + 1) >> 1;
-+
- challenge_timestamp = now;
-- challenge_count = 0;
-+ WRITE_ONCE(challenge_count, half +
-+ prandom_u32_max(sysctl_tcp_challenge_ack_limit));
- }
-- if (++challenge_count <= sysctl_tcp_challenge_ack_limit) {
-+ count = READ_ONCE(challenge_count);
-+ if (count > 0) {
-+ WRITE_ONCE(challenge_count, count - 1);
- NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_TCPCHALLENGEACK);
- tcp_send_ack(sk);
- }
--- 
-1.9.1
-
diff --git a/recipes-kernel/linux/linux-qoriq_4.1.bb b/recipes-kernel/linux/linux-qoriq_4.1.bb
index 587ecd9d..6c2b2351 100644
--- a/recipes-kernel/linux/linux-qoriq_4.1.bb
+++ b/recipes-kernel/linux/linux-qoriq_4.1.bb
@@ -13,12 +13,10 @@ SRC_URI = "git://git.freescale.com/ppc/sdk/linux.git;nobranch=1 \
 file://fix-the-compile-issue-under-gcc6.patch \
 file://only-set-vmpic_msi_feature-if-CONFIG_EPAPR_PARAVIRT-.patch \
 file://powerpc-fsl-Fix-build-of-the-dtb-embedded-kernel-images.patch \
- file://CVE-2016-5696-limiting-of-all-challenge.patch \
- file://CVE-2016-5696-make-challenge-acks-less-predictable.patch \
 file://CVE-2016-2053.patch \
 file://CVE-2016-0758.patch \
 "
 
-SRCREV = "4004071c129a776136e71f6a85383fea87f5db75"
+SRCREV = "b14540ee315f79f6a5dfc621e7f4217c8fac7d1c"
 
 S = "${WORKDIR}/git"
@@ -37,6 +35,7 @@ SCMVERSION ?= "y"
 LOCALVERSION = ""
 DELTA_KERNEL_DEFCONFIG ?= ""
 DELTA_KERNEL_DEFCONFIG_prepend_qoriq-arm64 = "freescale.config "
+DELTA_KERNEL_DEFCONFIG_prepend_fsl-lsch2-32b = "freescale_aarch32.config "
 
 do_merge_delta_config() {
 # copy desired defconfig so we pick it up for the real kernel_do_configure
-- 
cgit v1.2.3-54-g00ecf
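Review bot: Nothing in the commit message or the recipe records why the two CVE-2016-5696 backports can be dropped from SRC_URI in the first hunk; "merged upstream v4.1.35 release" does not by itself establish that the new `SRCREV = "b14540ee315f79f6a5dfc621e7f4217c8fac7d1c"` carries upstream 75ff39ccc1bd and 083ae308280d (the two fixes whose backports are being deleted), which is exactly what a later security audit of this BSP will need to confirm. If that is the reason, it belongs in the description, e.g. `Drop the two CVE-2016-5696 backports: both upstream fixes are part of the merged v4.1.35 stable release.`; if the vendor tree carries them under different commit ids, name those instead. The same justification is worth stating for `file://CVE-2016-2053.patch` and `file://CVE-2016-0758.patch`, which are kept against a tree that presumably also moved past their upstream fixes — if they still apply cleanly they are probably still needed, but the message should say that was checked rather than leave it implied. The `DELTA_KERNEL_DEFCONFIG_prepend_fsl-lsch2-32b = "freescale_aarch32.config "` line added in the second hunk references a config fragment that is not part of this change; a pointer to where it lives in the new SRCREV would let reviewers verify it exists.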