sctp: CVE-2014-4667

sk_ack_backlog wrap-around problem Reference: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4667 Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
author: Sona Sarmadi <sona.sarmadi@enea.com> 2015-01-27 14:04:10 +0100
committer: Zhenhua Luo <zhenhua.luo@freescale.com> 2015-02-03 10:10:41 +0800
commit: d063ec68425094eebf2e5d50e8f410456a8f5143 (patch)
tree: 74dcb45d8da97f3b63190af6bbe0c8ee6ffdac08
parent: 11517177c55782761a22a6daab4e1569ebf0ef13 (diff)
download: meta-fsl-ppc-d063ec68425094eebf2e5d50e8f410456a8f5143.tar.gz
2 files changed, 52 insertions, 0 deletions
diff --git a/recipes-kernel/linux/files/sctp-CVE-2014-4667.patch b/recipes-kernel/linux/files/sctp-CVE-2014-4667.patch
new file mode 100644
index 0000000..e7b1228
--- /dev/null
+++ b/recipes-kernel/linux/files/sctp-CVE-2014-4667.patch
@@ -0,0 +1,51 @@
+From ddb638e68690ca61959775b262a5ef0719c5c066 Mon Sep 17 00:00:00 2001
+From: Xufeng Zhang <xufeng.zhang@windriver.com>
+Date: Thu, 12 Jun 2014 10:53:36 +0800
+Subject: [PATCH] sctp: Fix sk_ack_backlog wrap-around problem
+[ Upstream commit d3217b15a19a4779c39b212358a5c71d725822ee ]
+Consider the scenario:
+For a TCP-style socket, while processing the COOKIE_ECHO chunk in
+sctp_sf_do_5_1D_ce(), after it has passed a series of sanity check,
+a new association would be created in sctp_unpack_cookie(), but afterwards,
+some processing maybe failed, and sctp_association_free() will be called to
+free the previously allocated association, in sctp_association_free(),
+sk_ack_backlog value is decremented for this socket, since the initial
+value for sk_ack_backlog is 0, after the decrement, it will be 65535,
+a wrap-around problem happens, and if we want to establish new associations
+afterward in the same socket, ABORT would be triggered since sctp deem the
+accept queue as full.
+Fix this issue by only decrementing sk_ack_backlog for associations in
+the endpoint's list.
+Fixes CVE-2014-4667
+Upstream-Status: Backport
+Fix-suggested-by: Neil Horman <nhorman@tuxdriver.com>
+Signed-off-by: Xufeng Zhang <xufeng.zhang@windriver.com>
+Acked-by: Daniel Borkmann <dborkman@redhat.com>
+Acked-by: Vlad Yasevich <vyasevich@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ net/sctp/associola.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/net/sctp/associola.c b/net/sctp/associola.c
+index cef5099..f6d6dcd 100644
+--- a/net/sctp/associola.c
+++ b/net/sctp/associola.c
+@@ -375,7 +375,7 @@ void sctp_association_free(struct sctp_association *asoc)
+        /* Only real associations count against the endpoint, so
+         * don't bother for if this is a temporary association.
+         */
+-       if (!asoc->temp) {
+       if (!list_empty(&asoc->asocs)) {
+                list_del(&asoc->asocs);
+ 
+                /* Decrement the backlog value for a TCP-style listening
+-- 
+1.9.1
diff --git a/recipes-kernel/linux/linux-qoriq_3.12.bb b/recipes-kernel/linux/linux-qoriq_3.12.bb
index 90ccedd..2cd8ce9 100644
--- a/recipes-kernel/linux/linux-qoriq_3.12.bb
+++ b/recipes-kernel/linux/linux-qoriq_3.12.bb
@@ -25,6 +25,7 @@ SRC_URI = "git://git.freescale.com/ppc/sdk/linux.git;nobranch=1 \
    file://auditsc-CVE-2014-3917.patch \
    file://0001-ALSA-CVE-2014-4652.patch \
    file://0002-ALSA-CVE-2014-4653.patch \
+    file://sctp-CVE-2014-4667.patch \
 "
 SRCREV = "6619b8b55796cdf0cec04b66a71288edd3057229"
author	Sona Sarmadi <sona.sarmadi@enea.com>	2015-01-27 14:04:10 +0100
committer	Zhenhua Luo <zhenhua.luo@freescale.com>	2015-02-03 10:10:41 +0800
commit	d063ec68425094eebf2e5d50e8f410456a8f5143 (patch)
tree	74dcb45d8da97f3b63190af6bbe0c8ee6ffdac08
parent	11517177c55782761a22a6daab4e1569ebf0ef13 (diff)
download	meta-fsl-ppc-d063ec68425094eebf2e5d50e8f410456a8f5143.tar.gz

diff --git a/recipes-kernel/linux/files/sctp-CVE-2014-4667.patch b/recipes-kernel/linux/files/sctp-CVE-2014-4667.patch new file mode 100644 index 0000000..e7b1228 --- /dev/null +++ b/recipes-kernel/linux/files/sctp-CVE-2014-4667.patch
@@ -0,0 +1,51 @@
		1	From ddb638e68690ca61959775b262a5ef0719c5c066 Mon Sep 17 00:00:00 2001
		2	From: Xufeng Zhang <xufeng.zhang@windriver.com>
		3	Date: Thu, 12 Jun 2014 10:53:36 +0800
		4	Subject: [PATCH] sctp: Fix sk_ack_backlog wrap-around problem
		5
		6	[ Upstream commit d3217b15a19a4779c39b212358a5c71d725822ee ]
		7
		8	Consider the scenario:
		9	For a TCP-style socket, while processing the COOKIE_ECHO chunk in
		10	sctp_sf_do_5_1D_ce(), after it has passed a series of sanity check,
		11	a new association would be created in sctp_unpack_cookie(), but afterwards,
		12	some processing maybe failed, and sctp_association_free() will be called to
		13	free the previously allocated association, in sctp_association_free(),
		14	sk_ack_backlog value is decremented for this socket, since the initial
		15	value for sk_ack_backlog is 0, after the decrement, it will be 65535,
		16	a wrap-around problem happens, and if we want to establish new associations
		17	afterward in the same socket, ABORT would be triggered since sctp deem the
		18	accept queue as full.
		19	Fix this issue by only decrementing sk_ack_backlog for associations in
		20	the endpoint's list.
		21
		22	Fixes CVE-2014-4667
		23	Upstream-Status: Backport
		24
		25	Fix-suggested-by: Neil Horman <nhorman@tuxdriver.com>
		26	Signed-off-by: Xufeng Zhang <xufeng.zhang@windriver.com>
		27	Acked-by: Daniel Borkmann <dborkman@redhat.com>
		28	Acked-by: Vlad Yasevich <vyasevich@gmail.com>
		29	Signed-off-by: David S. Miller <davem@davemloft.net>
		30	Signed-off-by: Jiri Slaby <jslaby@suse.cz>
		31	Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
		32	---
		33	net/sctp/associola.c \| 2 +-
		34	1 file changed, 1 insertion(+), 1 deletion(-)
		35
		36	diff --git a/net/sctp/associola.c b/net/sctp/associola.c
		37	index cef5099..f6d6dcd 100644
		38	--- a/net/sctp/associola.c
		39	+++ b/net/sctp/associola.c
		40	@@ -375,7 +375,7 @@ void sctp_association_free(struct sctp_association *asoc)
		41	/* Only real associations count against the endpoint, so
		42	* don't bother for if this is a temporary association.
		43	*/
		44	- if (!asoc->temp) {
		45	+ if (!list_empty(&asoc->asocs)) {
		46	list_del(&asoc->asocs);
		47
		48	/* Decrement the backlog value for a TCP-style listening
		49	--
		50	1.9.1
		51


diff --git a/recipes-kernel/linux/linux-qoriq_3.12.bb b/recipes-kernel/linux/linux-qoriq_3.12.bb index 90ccedd..2cd8ce9 100644 --- a/recipes-kernel/linux/linux-qoriq_3.12.bb +++ b/recipes-kernel/linux/linux-qoriq_3.12.bb
@@ -25,6 +25,7 @@ SRC_URI = "git://git.freescale.com/ppc/sdk/linux.git;nobranch=1 \
25	file://auditsc-CVE-2014-3917.patch \	25	file://auditsc-CVE-2014-3917.patch \
26	file://0001-ALSA-CVE-2014-4652.patch \	26	file://0001-ALSA-CVE-2014-4652.patch \
27	file://0002-ALSA-CVE-2014-4653.patch \	27	file://0002-ALSA-CVE-2014-4653.patch \
		28	file://sctp-CVE-2014-4667.patch \
28	"	29	"
29	SRCREV = "6619b8b55796cdf0cec04b66a71288edd3057229"	30	SRCREV = "6619b8b55796cdf0cec04b66a71288edd3057229"
30		31