net: CVE-2015-2041

Fixes information leak in llc2_timeout_table. References: http://www.openwall.com/lists/oss-security/2015/02/20/19 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2041 Upstream fix: https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/patch /?id=553dd569ff29bc38cebbf9f9dd7c791863ee9113 Signed-off-by: Zhenhua Luo <zhenhua.luo@nxp.com> Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
author: Sona Sarmadi <sona.sarmadi@enea.com> 2016-02-08 14:08:59 +0100
committer: Sona Sarmadi <sona.sarmadi@enea.com> 2016-02-09 08:34:01 +0100
commit: ebec07b828fd5467285dfc068fca0f5d8e28b89a (patch)
tree: ed2f0a6eb5043688eb287766feeac5c18da1b339
parent: 945103b85c6c8289722ca31dcd7c137e77b87186 (diff)
download: meta-fsl-ppc-ebec07b828fd5467285dfc068fca0f5d8e28b89a.tar.gz
2 files changed, 63 insertions, 0 deletions
diff --git a/recipes-kernel/linux/files/net-CVE-2015-2041.patch b/recipes-kernel/linux/files/net-CVE-2015-2041.patch
new file mode 100644
index 0000000..a62f2ea
--- /dev/null
+++ b/recipes-kernel/linux/files/net-CVE-2015-2041.patch
@@ -0,0 +1,62 @@
+From 553dd569ff29bc38cebbf9f9dd7c791863ee9113 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sasha.levin@oracle.com>
+Date: Fri, 23 Jan 2015 20:47:00 -0500
+Subject: net: llc: use correct size for sysctl timeout entries
+commit 6b8d9117ccb4f81b1244aafa7bc70ef8fa45fc49 upstream.
+The timeout entries are sizeof(int) rather than sizeof(long), which
+means that when they were getting read we'd also leak kernel memory
+to userspace along with the timeout values.
+Fixes CVE-2015-2041
+Upstream-Status: Backport
+Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ net/llc/sysctl_net_llc.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+diff --git a/net/llc/sysctl_net_llc.c b/net/llc/sysctl_net_llc.c
+index 612a5dd..799bafc 100644
+--- a/net/llc/sysctl_net_llc.c
+++ b/net/llc/sysctl_net_llc.c
+@@ -18,28 +18,28 @@ static struct ctl_table llc2_timeout_table[] = {
+        {
+                .procname       = "ack",
+                .data           = &sysctl_llc2_ack_timeout,
+-               .maxlen         = sizeof(long),
+               .maxlen         = sizeof(sysctl_llc2_ack_timeout),
+                .mode           = 0644,
+                .proc_handler   = proc_dointvec_jiffies,
+        },
+        {
+                .procname       = "busy",
+                .data           = &sysctl_llc2_busy_timeout,
+-               .maxlen         = sizeof(long),
+               .maxlen         = sizeof(sysctl_llc2_busy_timeout),
+                .mode           = 0644,
+                .proc_handler   = proc_dointvec_jiffies,
+        },
+        {
+                .procname       = "p",
+                .data           = &sysctl_llc2_p_timeout,
+-               .maxlen         = sizeof(long),
+               .maxlen         = sizeof(sysctl_llc2_p_timeout),
+                .mode           = 0644,
+                .proc_handler   = proc_dointvec_jiffies,
+        },
+        {
+                .procname       = "rej",
+                .data           = &sysctl_llc2_rej_timeout,
+-               .maxlen         = sizeof(long),
+               .maxlen         = sizeof(sysctl_llc2_rej_timeout),
+                .mode           = 0644,
+                .proc_handler   = proc_dointvec_jiffies,
+        },
+-- 
+1.9.1
diff --git a/recipes-kernel/linux/linux-qoriq_3.12.bb b/recipes-kernel/linux/linux-qoriq_3.12.bb
index 33bcd37..e033320 100644
--- a/recipes-kernel/linux/linux-qoriq_3.12.bb
+++ b/recipes-kernel/linux/linux-qoriq_3.12.bb
@@ -33,6 +33,7 @@ SRC_URI = "git://git.freescale.com/ppc/sdk/linux.git;nobranch=1 \
    file://target-CVE-2014-4027.patch \
    file://fs-isofs-CVE-2014-9420.patch \
    file://udp-CVE-2015-5364_CVE-2015-5366.patch \
+    file://net-CVE-2015-2041.patch \
 "
 SRCREV = "6619b8b55796cdf0cec04b66a71288edd3057229"
author	Sona Sarmadi <sona.sarmadi@enea.com>	2016-02-08 14:08:59 +0100
committer	Sona Sarmadi <sona.sarmadi@enea.com>	2016-02-09 08:34:01 +0100
commit	ebec07b828fd5467285dfc068fca0f5d8e28b89a (patch)
tree	ed2f0a6eb5043688eb287766feeac5c18da1b339
parent	945103b85c6c8289722ca31dcd7c137e77b87186 (diff)
download	meta-fsl-ppc-ebec07b828fd5467285dfc068fca0f5d8e28b89a.tar.gz

diff --git a/recipes-kernel/linux/files/net-CVE-2015-2041.patch b/recipes-kernel/linux/files/net-CVE-2015-2041.patch new file mode 100644 index 0000000..a62f2ea --- /dev/null +++ b/recipes-kernel/linux/files/net-CVE-2015-2041.patch
@@ -0,0 +1,62 @@
		1	From 553dd569ff29bc38cebbf9f9dd7c791863ee9113 Mon Sep 17 00:00:00 2001
		2	From: Sasha Levin <sasha.levin@oracle.com>
		3	Date: Fri, 23 Jan 2015 20:47:00 -0500
		4	Subject: net: llc: use correct size for sysctl timeout entries
		5
		6	commit 6b8d9117ccb4f81b1244aafa7bc70ef8fa45fc49 upstream.
		7
		8	The timeout entries are sizeof(int) rather than sizeof(long), which
		9	means that when they were getting read we'd also leak kernel memory
		10	to userspace along with the timeout values.
		11
		12	Fixes CVE-2015-2041
		13	Upstream-Status: Backport
		14
		15	Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
		16	Signed-off-by: David S. Miller <davem@davemloft.net>
		17	Signed-off-by: Jiri Slaby <jslaby@suse.cz>
		18	Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
		19	---
		20	net/llc/sysctl_net_llc.c \| 8 ++++----
		21	1 file changed, 4 insertions(+), 4 deletions(-)
		22
		23	diff --git a/net/llc/sysctl_net_llc.c b/net/llc/sysctl_net_llc.c
		24	index 612a5dd..799bafc 100644
		25	--- a/net/llc/sysctl_net_llc.c
		26	+++ b/net/llc/sysctl_net_llc.c
		27	@@ -18,28 +18,28 @@ static struct ctl_table llc2_timeout_table[] = {
		28	{
		29	.procname = "ack",
		30	.data = &sysctl_llc2_ack_timeout,
		31	- .maxlen = sizeof(long),
		32	+ .maxlen = sizeof(sysctl_llc2_ack_timeout),
		33	.mode = 0644,
		34	.proc_handler = proc_dointvec_jiffies,
		35	},
		36	{
		37	.procname = "busy",
		38	.data = &sysctl_llc2_busy_timeout,
		39	- .maxlen = sizeof(long),
		40	+ .maxlen = sizeof(sysctl_llc2_busy_timeout),
		41	.mode = 0644,
		42	.proc_handler = proc_dointvec_jiffies,
		43	},
		44	{
		45	.procname = "p",
		46	.data = &sysctl_llc2_p_timeout,
		47	- .maxlen = sizeof(long),
		48	+ .maxlen = sizeof(sysctl_llc2_p_timeout),
		49	.mode = 0644,
		50	.proc_handler = proc_dointvec_jiffies,
		51	},
		52	{
		53	.procname = "rej",
		54	.data = &sysctl_llc2_rej_timeout,
		55	- .maxlen = sizeof(long),
		56	+ .maxlen = sizeof(sysctl_llc2_rej_timeout),
		57	.mode = 0644,
		58	.proc_handler = proc_dointvec_jiffies,
		59	},
		60	--
		61	1.9.1
		62


diff --git a/recipes-kernel/linux/linux-qoriq_3.12.bb b/recipes-kernel/linux/linux-qoriq_3.12.bb index 33bcd37..e033320 100644 --- a/recipes-kernel/linux/linux-qoriq_3.12.bb +++ b/recipes-kernel/linux/linux-qoriq_3.12.bb
@@ -33,6 +33,7 @@ SRC_URI = "git://git.freescale.com/ppc/sdk/linux.git;nobranch=1 \
33	file://target-CVE-2014-4027.patch \	33	file://target-CVE-2014-4027.patch \
34	file://fs-isofs-CVE-2014-9420.patch \	34	file://fs-isofs-CVE-2014-9420.patch \
35	file://udp-CVE-2015-5364_CVE-2015-5366.patch \	35	file://udp-CVE-2015-5364_CVE-2015-5366.patch \
		36	file://net-CVE-2015-2041.patch \
36	"	37	"
37	SRCREV = "6619b8b55796cdf0cec04b66a71288edd3057229"	38	SRCREV = "6619b8b55796cdf0cec04b66a71288edd3057229"
38		39