kernel-udp: CVE-2015-5364, CVE-2015-5366

This fixes incorrect processing of checksums in UDP implementation References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5364 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5366 http://www.openwall.com/lists/oss-security/2015/07/10/3 Upstream fix: https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/ commit/?id=a97b54dd69cb05df4c57f5d5b40c761f7835ce4e Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
author: Sona Sarmadi <sona.sarmadi@enea.com> 2015-09-25 14:37:00 +0200
committer: Sona Sarmadi <sona.sarmadi@enea.com> 2016-02-09 08:34:01 +0100
commit: 945103b85c6c8289722ca31dcd7c137e77b87186 (patch)
tree: 8a60eb0f9e23c9e43c7192d197a8e9478e136ba7
parent: b97bb0c7e61223260f7b4ac7b754bd437186361a (diff)
download: meta-fsl-ppc-945103b85c6c8289722ca31dcd7c137e77b87186.tar.gz
2 files changed, 73 insertions, 0 deletions
diff --git a/recipes-kernel/linux/files/udp-CVE-2015-5364_CVE-2015-5366.patch b/recipes-kernel/linux/files/udp-CVE-2015-5364_CVE-2015-5366.patch
new file mode 100644
index 0000000..43f2dbf
--- /dev/null
+++ b/recipes-kernel/linux/files/udp-CVE-2015-5364_CVE-2015-5366.patch
@@ -0,0 +1,72 @@
+From a97b54dd69cb05df4c57f5d5b40c761f7835ce4e Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Sat, 30 May 2015 09:16:53 -0700
+Subject: [PATCH] udp: fix behavior of wrong checksums
+[ Upstream commit beb39db59d14990e401e235faf66a6b9b31240b0 ]
+We have two problems in UDP stack related to bogus checksums :
+1) We return -EAGAIN to application even if receive queue is not empty.
+   This breaks applications using edge trigger epoll()
+2) Under UDP flood, we can loop forever without yielding to other
+   processes, potentially hanging the host, especially on non SMP.
+This patch is an attempt to make things better.
+We might in the future add extra support for rt applications
+wanting to better control time spent doing a recv() in a hostile
+environment. For example we could validate checksums before queuing
+packets in socket receive queue.
+Fixes CVE-2015-5364 and CVE-2015-5366.
+Upstream-Status: backport
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Willem de Bruijn <willemb@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ net/ipv4/udp.c | 6 ++----
+ net/ipv6/udp.c | 6 ++----
+ 2 files changed, 4 insertions(+), 8 deletions(-)
+diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
+index 6ca9907..268ed25 100644
+--- a/net/ipv4/udp.c
+++ b/net/ipv4/udp.c
+@@ -1295,10 +1295,8 @@ csum_copy_err:
+        }
+        unlock_sock_fast(sk, slow);
+ 
+-       if (noblock)
+-               return -EAGAIN;
+-
+-       /* starting over for a new packet */
+       /* starting over for a new packet, but check if we need to yield */
+       cond_resched();
+        msg->msg_flags &= ~MSG_TRUNC;
+        goto try_again;
+ }
+diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c
+index 3d2758d..e09ca28 100644
+--- a/net/ipv6/udp.c
+++ b/net/ipv6/udp.c
+@@ -495,10 +495,8 @@ csum_copy_err:
+        }
+        unlock_sock_fast(sk, slow);
+ 
+-       if (noblock)
+-               return -EAGAIN;
+-
+-       /* starting over for a new packet */
+       /* starting over for a new packet, but check if we need to yield */
+       cond_resched();
+        msg->msg_flags &= ~MSG_TRUNC;
+        goto try_again;
+ }
+-- 
+1.9.1
diff --git a/recipes-kernel/linux/linux-qoriq_3.12.bb b/recipes-kernel/linux/linux-qoriq_3.12.bb
index 0a2883f..33bcd37 100644
--- a/recipes-kernel/linux/linux-qoriq_3.12.bb
+++ b/recipes-kernel/linux/linux-qoriq_3.12.bb
@@ -32,6 +32,7 @@ SRC_URI = "git://git.freescale.com/ppc/sdk/linux.git;nobranch=1 \
    file://futex-CVE-2014-3153.patch \
    file://target-CVE-2014-4027.patch \
    file://fs-isofs-CVE-2014-9420.patch \
+    file://udp-CVE-2015-5364_CVE-2015-5366.patch \
 "
 SRCREV = "6619b8b55796cdf0cec04b66a71288edd3057229"
author	Sona Sarmadi <sona.sarmadi@enea.com>	2015-09-25 14:37:00 +0200
committer	Sona Sarmadi <sona.sarmadi@enea.com>	2016-02-09 08:34:01 +0100
commit	945103b85c6c8289722ca31dcd7c137e77b87186 (patch)
tree	8a60eb0f9e23c9e43c7192d197a8e9478e136ba7
parent	b97bb0c7e61223260f7b4ac7b754bd437186361a (diff)
download	meta-fsl-ppc-945103b85c6c8289722ca31dcd7c137e77b87186.tar.gz

diff --git a/recipes-kernel/linux/files/udp-CVE-2015-5364_CVE-2015-5366.patch b/recipes-kernel/linux/files/udp-CVE-2015-5364_CVE-2015-5366.patch new file mode 100644 index 0000000..43f2dbf --- /dev/null +++ b/recipes-kernel/linux/files/udp-CVE-2015-5364_CVE-2015-5366.patch
@@ -0,0 +1,72 @@
		1	From a97b54dd69cb05df4c57f5d5b40c761f7835ce4e Mon Sep 17 00:00:00 2001
		2	From: Eric Dumazet <edumazet@google.com>
		3	Date: Sat, 30 May 2015 09:16:53 -0700
		4	Subject: [PATCH] udp: fix behavior of wrong checksums
		5
		6	[ Upstream commit beb39db59d14990e401e235faf66a6b9b31240b0 ]
		7
		8	We have two problems in UDP stack related to bogus checksums :
		9
		10	1) We return -EAGAIN to application even if receive queue is not empty.
		11	This breaks applications using edge trigger epoll()
		12
		13	2) Under UDP flood, we can loop forever without yielding to other
		14	processes, potentially hanging the host, especially on non SMP.
		15
		16	This patch is an attempt to make things better.
		17
		18	We might in the future add extra support for rt applications
		19	wanting to better control time spent doing a recv() in a hostile
		20	environment. For example we could validate checksums before queuing
		21	packets in socket receive queue.
		22
		23	Fixes CVE-2015-5364 and CVE-2015-5366.
		24	Upstream-Status: backport
		25
		26	Signed-off-by: Eric Dumazet <edumazet@google.com>
		27	Cc: Willem de Bruijn <willemb@google.com>
		28	Signed-off-by: David S. Miller <davem@davemloft.net>
		29	Signed-off-by: Jiri Slaby <jslaby@suse.cz>
		30	Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
		31	---
		32	net/ipv4/udp.c \| 6 ++----
		33	net/ipv6/udp.c \| 6 ++----
		34	2 files changed, 4 insertions(+), 8 deletions(-)
		35
		36	diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
		37	index 6ca9907..268ed25 100644
		38	--- a/net/ipv4/udp.c
		39	+++ b/net/ipv4/udp.c
		40	@@ -1295,10 +1295,8 @@ csum_copy_err:
		41	}
		42	unlock_sock_fast(sk, slow);
		43
		44	- if (noblock)
		45	- return -EAGAIN;
		46	-
		47	- /* starting over for a new packet */
		48	+ /* starting over for a new packet, but check if we need to yield */
		49	+ cond_resched();
		50	msg->msg_flags &= ~MSG_TRUNC;
		51	goto try_again;
		52	}
		53	diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c
		54	index 3d2758d..e09ca28 100644
		55	--- a/net/ipv6/udp.c
		56	+++ b/net/ipv6/udp.c
		57	@@ -495,10 +495,8 @@ csum_copy_err:
		58	}
		59	unlock_sock_fast(sk, slow);
		60
		61	- if (noblock)
		62	- return -EAGAIN;
		63	-
		64	- /* starting over for a new packet */
		65	+ /* starting over for a new packet, but check if we need to yield */
		66	+ cond_resched();
		67	msg->msg_flags &= ~MSG_TRUNC;
		68	goto try_again;
		69	}
		70	--
		71	1.9.1
		72


diff --git a/recipes-kernel/linux/linux-qoriq_3.12.bb b/recipes-kernel/linux/linux-qoriq_3.12.bb index 0a2883f..33bcd37 100644 --- a/recipes-kernel/linux/linux-qoriq_3.12.bb +++ b/recipes-kernel/linux/linux-qoriq_3.12.bb
@@ -32,6 +32,7 @@ SRC_URI = "git://git.freescale.com/ppc/sdk/linux.git;nobranch=1 \
32	file://futex-CVE-2014-3153.patch \	32	file://futex-CVE-2014-3153.patch \
33	file://target-CVE-2014-4027.patch \	33	file://target-CVE-2014-4027.patch \
34	file://fs-isofs-CVE-2014-9420.patch \	34	file://fs-isofs-CVE-2014-9420.patch \
		35	file://udp-CVE-2015-5364_CVE-2015-5366.patch \
35	"	36	"
36	SRCREV = "6619b8b55796cdf0cec04b66a71288edd3057229"	37	SRCREV = "6619b8b55796cdf0cec04b66a71288edd3057229"
37		38