net: CVE-2015-2041

Fixes information leak in llc2_timeout_table. References: http://www.openwall.com/lists/oss-security/2015/02/20/19 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2041 Upstream fix: https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/patch /?id=553dd569ff29bc38cebbf9f9dd7c791863ee9113 Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Zhenhua Luo <zhenhua.luo@nxp.com>
author: Sona Sarmadi <sona.sarmadi@enea.com> 2015-12-15 13:57:32 +0100
committer: Zhenhua Luo <zhenhua.luo@nxp.com> 2015-12-21 13:56:23 +0800
commit: 386c14696530aa137f662c19383f702b05b578ee (patch)
tree: 7d61e7e3ae57a1d917bb0b78af562d389357e073
parent: 3518613fa48ac30c20b67731c60acc92dd11abc1 (diff)
download: meta-fsl-ppc-386c14696530aa137f662c19383f702b05b578ee.tar.gz
2 files changed, 63 insertions, 0 deletions
diff --git a/recipes-kernel/linux/files/net-CVE-2015-2041.patch b/recipes-kernel/linux/files/net-CVE-2015-2041.patch
new file mode 100644
index 0000000..a62f2ea
--- /dev/null
+++ b/recipes-kernel/linux/files/net-CVE-2015-2041.patch
@@ -0,0 +1,62 @@
+From 553dd569ff29bc38cebbf9f9dd7c791863ee9113 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sasha.levin@oracle.com>
+Date: Fri, 23 Jan 2015 20:47:00 -0500
+Subject: net: llc: use correct size for sysctl timeout entries
+commit 6b8d9117ccb4f81b1244aafa7bc70ef8fa45fc49 upstream.
+The timeout entries are sizeof(int) rather than sizeof(long), which
+means that when they were getting read we'd also leak kernel memory
+to userspace along with the timeout values.
+Fixes CVE-2015-2041
+Upstream-Status: Backport
+Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ net/llc/sysctl_net_llc.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+diff --git a/net/llc/sysctl_net_llc.c b/net/llc/sysctl_net_llc.c
+index 612a5dd..799bafc 100644
+--- a/net/llc/sysctl_net_llc.c
+++ b/net/llc/sysctl_net_llc.c
+@@ -18,28 +18,28 @@ static struct ctl_table llc2_timeout_table[] = {
+        {
+                .procname       = "ack",
+                .data           = &sysctl_llc2_ack_timeout,
+-               .maxlen         = sizeof(long),
+               .maxlen         = sizeof(sysctl_llc2_ack_timeout),
+                .mode           = 0644,
+                .proc_handler   = proc_dointvec_jiffies,
+        },
+        {
+                .procname       = "busy",
+                .data           = &sysctl_llc2_busy_timeout,
+-               .maxlen         = sizeof(long),
+               .maxlen         = sizeof(sysctl_llc2_busy_timeout),
+                .mode           = 0644,
+                .proc_handler   = proc_dointvec_jiffies,
+        },
+        {
+                .procname       = "p",
+                .data           = &sysctl_llc2_p_timeout,
+-               .maxlen         = sizeof(long),
+               .maxlen         = sizeof(sysctl_llc2_p_timeout),
+                .mode           = 0644,
+                .proc_handler   = proc_dointvec_jiffies,
+        },
+        {
+                .procname       = "rej",
+                .data           = &sysctl_llc2_rej_timeout,
+-               .maxlen         = sizeof(long),
+               .maxlen         = sizeof(sysctl_llc2_rej_timeout),
+                .mode           = 0644,
+                .proc_handler   = proc_dointvec_jiffies,
+        },
+-- 
+1.9.1
diff --git a/recipes-kernel/linux/linux-qoriq_3.12.bb b/recipes-kernel/linux/linux-qoriq_3.12.bb
index 8587b48..4a2ea43 100644
--- a/recipes-kernel/linux/linux-qoriq_3.12.bb
+++ b/recipes-kernel/linux/linux-qoriq_3.12.bb
@@ -36,6 +36,7 @@ SRC_URI = "git://git.freescale.com/ppc/sdk/linux.git;nobranch=1 \
    file://mm-CVE-2014-3122.patch \
    file://media-ttusb-dec-CVE-2014-8884.patch \
    file://net-sctp-CVE-2015-1421.patch \
+    file://net-CVE-2015-2041.patch \
 "
 SRCREV = "6619b8b55796cdf0cec04b66a71288edd3057229"
author	Sona Sarmadi <sona.sarmadi@enea.com>	2015-12-15 13:57:32 +0100
committer	Zhenhua Luo <zhenhua.luo@nxp.com>	2015-12-21 13:56:23 +0800
commit	386c14696530aa137f662c19383f702b05b578ee (patch)
tree	7d61e7e3ae57a1d917bb0b78af562d389357e073
parent	3518613fa48ac30c20b67731c60acc92dd11abc1 (diff)
download	meta-fsl-ppc-386c14696530aa137f662c19383f702b05b578ee.tar.gz

diff --git a/recipes-kernel/linux/files/net-CVE-2015-2041.patch b/recipes-kernel/linux/files/net-CVE-2015-2041.patch new file mode 100644 index 0000000..a62f2ea --- /dev/null +++ b/recipes-kernel/linux/files/net-CVE-2015-2041.patch
@@ -0,0 +1,62 @@
		1	From 553dd569ff29bc38cebbf9f9dd7c791863ee9113 Mon Sep 17 00:00:00 2001
		2	From: Sasha Levin <sasha.levin@oracle.com>
		3	Date: Fri, 23 Jan 2015 20:47:00 -0500
		4	Subject: net: llc: use correct size for sysctl timeout entries
		5
		6	commit 6b8d9117ccb4f81b1244aafa7bc70ef8fa45fc49 upstream.
		7
		8	The timeout entries are sizeof(int) rather than sizeof(long), which
		9	means that when they were getting read we'd also leak kernel memory
		10	to userspace along with the timeout values.
		11
		12	Fixes CVE-2015-2041
		13	Upstream-Status: Backport
		14
		15	Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
		16	Signed-off-by: David S. Miller <davem@davemloft.net>
		17	Signed-off-by: Jiri Slaby <jslaby@suse.cz>
		18	Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
		19	---
		20	net/llc/sysctl_net_llc.c \| 8 ++++----
		21	1 file changed, 4 insertions(+), 4 deletions(-)
		22
		23	diff --git a/net/llc/sysctl_net_llc.c b/net/llc/sysctl_net_llc.c
		24	index 612a5dd..799bafc 100644
		25	--- a/net/llc/sysctl_net_llc.c
		26	+++ b/net/llc/sysctl_net_llc.c
		27	@@ -18,28 +18,28 @@ static struct ctl_table llc2_timeout_table[] = {
		28	{
		29	.procname = "ack",
		30	.data = &sysctl_llc2_ack_timeout,
		31	- .maxlen = sizeof(long),
		32	+ .maxlen = sizeof(sysctl_llc2_ack_timeout),
		33	.mode = 0644,
		34	.proc_handler = proc_dointvec_jiffies,
		35	},
		36	{
		37	.procname = "busy",
		38	.data = &sysctl_llc2_busy_timeout,
		39	- .maxlen = sizeof(long),
		40	+ .maxlen = sizeof(sysctl_llc2_busy_timeout),
		41	.mode = 0644,
		42	.proc_handler = proc_dointvec_jiffies,
		43	},
		44	{
		45	.procname = "p",
		46	.data = &sysctl_llc2_p_timeout,
		47	- .maxlen = sizeof(long),
		48	+ .maxlen = sizeof(sysctl_llc2_p_timeout),
		49	.mode = 0644,
		50	.proc_handler = proc_dointvec_jiffies,
		51	},
		52	{
		53	.procname = "rej",
		54	.data = &sysctl_llc2_rej_timeout,
		55	- .maxlen = sizeof(long),
		56	+ .maxlen = sizeof(sysctl_llc2_rej_timeout),
		57	.mode = 0644,
		58	.proc_handler = proc_dointvec_jiffies,
		59	},
		60	--
		61	1.9.1
		62


diff --git a/recipes-kernel/linux/linux-qoriq_3.12.bb b/recipes-kernel/linux/linux-qoriq_3.12.bb index 8587b48..4a2ea43 100644 --- a/recipes-kernel/linux/linux-qoriq_3.12.bb +++ b/recipes-kernel/linux/linux-qoriq_3.12.bb
@@ -36,6 +36,7 @@ SRC_URI = "git://git.freescale.com/ppc/sdk/linux.git;nobranch=1 \
36	file://mm-CVE-2014-3122.patch \	36	file://mm-CVE-2014-3122.patch \
37	file://media-ttusb-dec-CVE-2014-8884.patch \	37	file://media-ttusb-dec-CVE-2014-8884.patch \
38	file://net-sctp-CVE-2015-1421.patch \	38	file://net-sctp-CVE-2015-1421.patch \
		39	file://net-CVE-2015-2041.patch \
39	"	40	"
40	SRCREV = "6619b8b55796cdf0cec04b66a71288edd3057229"	41	SRCREV = "6619b8b55796cdf0cec04b66a71288edd3057229"
41		42