linux-qoriq: upgrade to 4.1

The main features are: * Linux kernel 4.1.8 * ARM A7 (AARCH32), A53 and A57 (AARCH64), Little Endian (default) * Power Architecture e500mc, e5500, e6500 * Multicore SMP support and multithread (e6500) * 32-bit effective kernel addressing [e500mc, e5500, A57] * 64-bit effective addressing [e6500, A53, A57] * Huge Pages (hugetlbfs) * Linux Real-Time (RT) [P4080, B4860, LS1021A] * Kernel-based Virtual Machine (KVM) * Libvirt 1.2.19 * Linux Containers (LXC) 1.1.4 function support Detailed commit log can be found at: http://git.freescale.com/git/cgit.cgi/ppc/sdk/linux.git/log/?h=sdk-v2.0.x Signed-off-by: Ting Liu <ting.liu@nxp.com>
author: Ting Liu <ting.liu@nxp.com> 2016-06-16 17:07:46 +0800
committer: Zhenhua Luo <zhenhua.luo@nxp.com> 2016-06-23 10:41:54 +0800
commit: b1fcfb28a4d1b7ddf9b393b697d76256cc52f760 (patch)
tree: 63a39e93a66fe2521549378e6c0568b08cbc99c2
parent: ad53934bfb7602362eff7fc27878ca0e6b42882a (diff)
download: meta-fsl-ppc-b1fcfb28a4d1b7ddf9b393b697d76256cc52f760.tar.gz
4 files changed, 3 insertions, 265 deletions
diff --git a/recipes-kernel/linux/files/0001-powerpc-Align-TOC-to-256-bytes.patch b/recipes-kernel/linux/files/0001-powerpc-Align-TOC-to-256-bytes.patch
deleted file mode 100644
index 2131c9d..0000000
--- a/recipes-kernel/linux/files/0001-powerpc-Align-TOC-to-256-bytes.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From 7d4d16a6ccdd6d965b84284262a67d5b63426d50 Mon Sep 17 00:00:00 2001
-From: Zhenhua Luo <zhenhua.luo@freescale.com>
-Date: Mon, 9 Nov 2015 04:36:29 -0600
-Subject: [PATCH] powerpc: Align TOC to 256 bytes
-Recent toolchains(gcc-5.2) force the TOC to be 256 byte aligned. We need
-to enforce this alignment in our linker script, otherwise pointers
-to our TOC variables (__toc_start, __prom_init_toc_start) could
-be incorrect.
-If they are bad, we die a few hundred instructions into boot.
-Upstream-Status: Backport
-Backport from https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=5e95235
-Signed-off-by: Zhenhua Luo <zhenhua.luo@freescale.com>
---
- arch/powerpc/kernel/vmlinux.lds.S | 2 ++
- 1 file changed, 2 insertions(+)
-diff --git a/arch/powerpc/kernel/vmlinux.lds.S b/arch/powerpc/kernel/vmlinux.lds.S
-index f096e72..3266864 100644
--- a/arch/powerpc/kernel/vmlinux.lds.S
-+++ b/arch/powerpc/kernel/vmlinux.lds.S
-@@ -213,6 +213,8 @@ SECTIONS
-                *(.opd)
-        }
- 
-+       . = ALIGN(256);
-+
-        .got : AT(ADDR(.got) - LOAD_OFFSET) {
-                __toc_start = .;
- #ifndef CONFIG_RELOCATABLE
-- 
-2.3.3
diff --git a/recipes-kernel/linux/files/module-remove-MODULE_GENERIC_TABLE.patch b/recipes-kernel/linux/files/module-remove-MODULE_GENERIC_TABLE.patch
deleted file mode 100644
index 5a67155..0000000
--- a/recipes-kernel/linux/files/module-remove-MODULE_GENERIC_TABLE.patch
+++ /dev/null
@@ -1,77 +0,0 @@
-module: remove MODULE_GENERIC_TABLE
-MODULE_DEVICE_TABLE() calles MODULE_GENERIC_TABLE(); make it do the
-work directly.  This also removes a wart introduced in the last patch,
-where the alias is defined to be an unknown struct type "struct
-type##__##name##_device_id" instead of "struct type##_device_id" (it's
-an extern so GCC doesn't care, but it's wrong).
-The other user of MODULE_GENERIC_TABLE (ISAPNP_CARD_TABLE) is unused,
-so delete it.
-<Backport from cff26a51da5d206d3baf871e75778da44710219d>
-Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
-Signed-off-by: Zhenhua Luo <zhenhua.luo@nxp.com>
-Upstream-Status: Backport
---
- include/linux/isapnp.h |  4 ----
- include/linux/module.h | 19 ++++++++-----------
- 2 files changed, 8 insertions(+), 15 deletions(-)
-diff --git a/include/linux/isapnp.h b/include/linux/isapnp.h
-index e2d28b0..3c77bf9 100644
--- a/include/linux/isapnp.h
-+++ b/include/linux/isapnp.h
-@@ -56,10 +56,6 @@
- #define ISAPNP_DEVICE_ID(_va, _vb, _vc, _function) \
-                { .vendor = ISAPNP_VENDOR(_va, _vb, _vc), .function = ISAPNP_FUNCTION(_function) }
- 
-/* export used IDs outside module */
-#define ISAPNP_CARD_TABLE(name) \
-               MODULE_GENERIC_TABLE(isapnp_card, name)
-
- struct isapnp_card_id {
-        unsigned long driver_data;      /* data private to the driver */
-        unsigned short card_vendor, card_device;
-diff --git a/include/linux/module.h b/include/linux/module.h
-index 54aef1b..a9f6812 100644
--- a/include/linux/module.h
-+++ b/include/linux/module.h
-@@ -83,15 +83,6 @@ void sort_extable(struct exception_table_entry *start,
- void sort_main_extable(void);
- void trim_init_extable(struct module *m);
- 
-#ifdef MODULE
-#define MODULE_GENERIC_TABLE(gtype,name)                       \
-extern const struct gtype##_id __mod_##gtype##_table           \
-  __attribute__ ((unused, alias(__stringify(name))))
-
-#else  /* !MODULE */
-#define MODULE_GENERIC_TABLE(gtype,name)
-#endif
-
- /* Generic info of form tag = "info" */
- #define MODULE_INFO(tag, info) __MODULE_INFO(tag, tag, info)
- 
-@@ -142,8 +133,14 @@ extern const struct gtype##_id __mod_##gtype##_table               \
- /* What your module does. */
- #define MODULE_DESCRIPTION(_description) MODULE_INFO(description, _description)
- 
-#define MODULE_DEVICE_TABLE(type,name)         \
-  MODULE_GENERIC_TABLE(type##__##name##_device, name)
-+#ifdef MODULE
-+/* Creates an alias so file2alias.c can find device table. */
-+#define MODULE_DEVICE_TABLE(type, name)                                        \
-+  extern const struct type##_device_id __mod_##type##__##name##_device_table \
-+  __attribute__ ((unused, alias(__stringify(name))))
-+#else  /* !MODULE */
-+#define MODULE_DEVICE_TABLE(type, name)
-+#endif
- 
- /* Version of form [<epoch>:]<version>[-<extra-version>].
-    Or for CVS/RCS ID version, everything but the number is stripped.
-- 
-2.5.0
diff --git a/recipes-kernel/linux/files/net-sctp-CVE-2014-0101.patch b/recipes-kernel/linux/files/net-sctp-CVE-2014-0101.patch
deleted file mode 100644
index ddcb6c5..0000000
--- a/recipes-kernel/linux/files/net-sctp-CVE-2014-0101.patch
+++ /dev/null
@@ -1,145 +0,0 @@
-From 00c53b02cb01976b35d37670a4b5c5d7a6ad3c62 Mon Sep 17 00:00:00 2001
-From: Daniel Borkmann <dborkman@redhat.com>
-Date: Mon, 3 Mar 2014 17:23:04 +0100
-Subject: [PATCH] net: sctp: fix sctp_sf_do_5_1D_ce to verify if we/peer is
- AUTH capable
-[ Upstream commit ec0223ec48a90cb605244b45f7c62de856403729 ]
-RFC4895 introduced AUTH chunks for SCTP; during the SCTP
-handshake RANDOM; CHUNKS; HMAC-ALGO are negotiated (CHUNKS
-being optional though):
-  ---------- INIT[RANDOM; CHUNKS; HMAC-ALGO] ---------->
-  <------- INIT-ACK[RANDOM; CHUNKS; HMAC-ALGO] ---------
-  -------------------- COOKIE-ECHO -------------------->
-  <-------------------- COOKIE-ACK ---------------------
-A special case is when an endpoint requires COOKIE-ECHO
-chunks to be authenticated:
-  ---------- INIT[RANDOM; CHUNKS; HMAC-ALGO] ---------->
-  <------- INIT-ACK[RANDOM; CHUNKS; HMAC-ALGO] ---------
-  ------------------ AUTH; COOKIE-ECHO ---------------->
-  <-------------------- COOKIE-ACK ---------------------
-RFC4895, section 6.3. Receiving Authenticated Chunks says:
-  The receiver MUST use the HMAC algorithm indicated in
-  the HMAC Identifier field. If this algorithm was not
-  specified by the receiver in the HMAC-ALGO parameter in
-  the INIT or INIT-ACK chunk during association setup, the
-  AUTH chunk and all the chunks after it MUST be discarded
-  and an ERROR chunk SHOULD be sent with the error cause
-  defined in Section 4.1. [...] If no endpoint pair shared
-  key has been configured for that Shared Key Identifier,
-  all authenticated chunks MUST be silently discarded. [...]
-  When an endpoint requires COOKIE-ECHO chunks to be
-  authenticated, some special procedures have to be followed
-  because the reception of a COOKIE-ECHO chunk might result
-  in the creation of an SCTP association. If a packet arrives
-  containing an AUTH chunk as a first chunk, a COOKIE-ECHO
-  chunk as the second chunk, and possibly more chunks after
-  them, and the receiver does not have an STCB for that
-  packet, then authentication is based on the contents of
-  the COOKIE-ECHO chunk. In this situation, the receiver MUST
-  authenticate the chunks in the packet by using the RANDOM
-  parameters, CHUNKS parameters and HMAC_ALGO parameters
-  obtained from the COOKIE-ECHO chunk, and possibly a local
-  shared secret as inputs to the authentication procedure
-  specified in Section 6.3. If authentication fails, then
-  the packet is discarded. If the authentication is successful,
-  the COOKIE-ECHO and all the chunks after the COOKIE-ECHO
-  MUST be processed. If the receiver has an STCB, it MUST
-  process the AUTH chunk as described above using the STCB
-  from the existing association to authenticate the
-  COOKIE-ECHO chunk and all the chunks after it. [...]
-Commit bbd0d59809f9 introduced the possibility to receive
-and verification of AUTH chunk, including the edge case for
-authenticated COOKIE-ECHO. On reception of COOKIE-ECHO,
-the function sctp_sf_do_5_1D_ce() handles processing,
-unpacks and creates a new association if it passed sanity
-checks and also tests for authentication chunks being
-present. After a new association has been processed, it
-invokes sctp_process_init() on the new association and
-walks through the parameter list it received from the INIT
-chunk. It checks SCTP_PARAM_RANDOM, SCTP_PARAM_HMAC_ALGO
-and SCTP_PARAM_CHUNKS, and copies them into asoc->peer
-meta data (peer_random, peer_hmacs, peer_chunks) in case
-sysctl -w net.sctp.auth_enable=1 is set. If in INIT's
-SCTP_PARAM_SUPPORTED_EXT parameter SCTP_CID_AUTH is set,
-peer_random != NULL and peer_hmacs != NULL the peer is to be
-assumed asoc->peer.auth_capable=1, in any other case
-asoc->peer.auth_capable=0.
-Now, if in sctp_sf_do_5_1D_ce() chunk->auth_chunk is
-available, we set up a fake auth chunk and pass that on to
-sctp_sf_authenticate(), which at latest in
-sctp_auth_calculate_hmac() reliably dereferences a NULL pointer
-at position 0..0008 when setting up the crypto key in
-crypto_hash_setkey() by using asoc->asoc_shared_key that is
-NULL as condition key_id == asoc->active_key_id is true if
-the AUTH chunk was injected correctly from remote. This
-happens no matter what net.sctp.auth_enable sysctl says.
-The fix is to check for net->sctp.auth_enable and for
-asoc->peer.auth_capable before doing any operations like
-sctp_sf_authenticate() as no key is activated in
-sctp_auth_asoc_init_active_key() for each case.
-Now as RFC4895 section 6.3 states that if the used HMAC-ALGO
-passed from the INIT chunk was not used in the AUTH chunk, we
-SHOULD send an error; however in this case it would be better
-to just silently discard such a maliciously prepared handshake
-as we didn't even receive a parameter at all. Also, as our
-endpoint has no shared key configured, section 6.3 says that
-MUST silently discard, which we are doing from now onwards.
-Before calling sctp_sf_pdiscard(), we need not only to free
-the association, but also the chunk->auth_chunk skb, as
-commit bbd0d59809f9 created a skb clone in that case.
-I have tested this locally by using netfilter's nfqueue and
-re-injecting packets into the local stack after maliciously
-modifying the INIT chunk (removing RANDOM; HMAC-ALGO param)
-and the SCTP packet containing the COOKIE_ECHO (injecting
-AUTH chunk before COOKIE_ECHO). Fixed with this patch applied.
-This fixes CVE-2014-0101
-Upstream-Status: Backport
-Fixes: bbd0d59809f9 ("[SCTP]: Implement the receive and verification of AUTH chunk")
-Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
-Cc: Vlad Yasevich <yasevich@gmail.com>
-Cc: Neil Horman <nhorman@tuxdriver.com>
-Acked-by: Vlad Yasevich <vyasevich@gmail.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Jiri Slaby <jslaby@suse.cz>
-Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
---
- net/sctp/sm_statefuns.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
-index dfe3f36..56ebe71 100644
--- a/net/sctp/sm_statefuns.c
-+++ b/net/sctp/sm_statefuns.c
-@@ -768,6 +768,13 @@ sctp_disposition_t sctp_sf_do_5_1D_ce(struct net *net,
-                        return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
-                }
- 
-+               /* Make sure that we and the peer are AUTH capable */
-+               if (!net->sctp.auth_enable || !new_asoc->peer.auth_capable) {
-+                       kfree_skb(chunk->auth_chunk);
-+                       sctp_association_free(new_asoc);
-+                       return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
-+               }
-+
-                /* set-up our fake chunk so that we can process it */
-                auth.skb = chunk->auth_chunk;
-                auth.asoc = chunk->asoc;
-- 
-1.9.1
diff --git a/recipes-kernel/linux/linux-qoriq_3.12.bb b/recipes-kernel/linux/linux-qoriq_4.1.bb
index 533225d..87eebbc 100644
--- a/recipes-kernel/linux/linux-qoriq_3.12.bb
+++ b/recipes-kernel/linux/linux-qoriq_4.1.bb
@@ -6,14 +6,11 @@ SECTION = "kernel"
 LICENSE = "GPLv2"
 LIC_FILES_CHKSUM = "file://COPYING;md5=d7810fab7487fb0aad327b76f1be7cd7"
-SRC_URI = "git://git.freescale.com/ppc/sdk/linux.git;branch=sdk-v1.9.x \
+SRC_URI = "git://git.freescale.com/ppc/sdk/linux.git;branch=sdk-v2.0.x \
    file://modify-defconfig-t1040-nr-cpus.patch \
-    file://net-sctp-CVE-2014-0101.patch \
-    file://0001-powerpc-Align-TOC-to-256-bytes.patch \
    file://fix-the-compile-issue-under-gcc6.patch \
-    file://module-remove-MODULE_GENERIC_TABLE.patch \
 "
-SRCREV = "43cecda943a6c40a833b588801b0929e8bd48813"
+SRCREV = "bd51baffc04ecc73f933aee1c3a37c8b44b889a7"
 KSRC ?= ""
 S = '${@base_conditional("KSRC", "", "${WORKDIR}/git", "${KSRC}", d)}'
@@ -39,7 +36,7 @@ do_configure_prepend() {
            ${S}/scripts/kconfig/merge_config.sh -m .config ${WORKDIR}/${deltacfg}
        elif [ -f "${S}/arch/${ARCH}/configs/${deltacfg}" ]; then
            ${S}/scripts/kconfig/merge_config.sh -m .config \
-                ${S}/arch/powerpc/configs/${deltacfg}
+                ${S}/arch/${ARCH}/configs/${deltacfg}
        fi
    done
author	Ting Liu <ting.liu@nxp.com>	2016-06-16 17:07:46 +0800
committer	Zhenhua Luo <zhenhua.luo@nxp.com>	2016-06-23 10:41:54 +0800
commit	b1fcfb28a4d1b7ddf9b393b697d76256cc52f760 (patch)
tree	63a39e93a66fe2521549378e6c0568b08cbc99c2
parent	ad53934bfb7602362eff7fc27878ca0e6b42882a (diff)
download	meta-fsl-ppc-b1fcfb28a4d1b7ddf9b393b697d76256cc52f760.tar.gz

diff --git a/recipes-kernel/linux/files/0001-powerpc-Align-TOC-to-256-bytes.patch b/recipes-kernel/linux/files/0001-powerpc-Align-TOC-to-256-bytes.patch deleted file mode 100644 index 2131c9d..0000000 --- a/recipes-kernel/linux/files/0001-powerpc-Align-TOC-to-256-bytes.patch +++ /dev/null
@@ -1,37 +0,0 @@
1	From 7d4d16a6ccdd6d965b84284262a67d5b63426d50 Mon Sep 17 00:00:00 2001
2	From: Zhenhua Luo <zhenhua.luo@freescale.com>
3	Date: Mon, 9 Nov 2015 04:36:29 -0600
4	Subject: [PATCH] powerpc: Align TOC to 256 bytes
5
6	Recent toolchains(gcc-5.2) force the TOC to be 256 byte aligned. We need
7	to enforce this alignment in our linker script, otherwise pointers
8	to our TOC variables (__toc_start, __prom_init_toc_start) could
9	be incorrect.
10
11	If they are bad, we die a few hundred instructions into boot.
12
13	Upstream-Status: Backport
14
15	Backport from https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=5e95235
16
17	Signed-off-by: Zhenhua Luo <zhenhua.luo@freescale.com>
18	---
19	arch/powerpc/kernel/vmlinux.lds.S \| 2 ++
20	1 file changed, 2 insertions(+)
21
22	diff --git a/arch/powerpc/kernel/vmlinux.lds.S b/arch/powerpc/kernel/vmlinux.lds.S
23	index f096e72..3266864 100644
24	--- a/arch/powerpc/kernel/vmlinux.lds.S
25	+++ b/arch/powerpc/kernel/vmlinux.lds.S
26	@@ -213,6 +213,8 @@ SECTIONS
27	*(.opd)
28	}
29
30	+ . = ALIGN(256);
31	+
32	.got : AT(ADDR(.got) - LOAD_OFFSET) {
33	__toc_start = .;
34	#ifndef CONFIG_RELOCATABLE
35	--
36	2.3.3
37


diff --git a/recipes-kernel/linux/files/module-remove-MODULE_GENERIC_TABLE.patch b/recipes-kernel/linux/files/module-remove-MODULE_GENERIC_TABLE.patch deleted file mode 100644 index 5a67155..0000000 --- a/recipes-kernel/linux/files/module-remove-MODULE_GENERIC_TABLE.patch +++ /dev/null
@@ -1,77 +0,0 @@
1	module: remove MODULE_GENERIC_TABLE
2
3	MODULE_DEVICE_TABLE() calles MODULE_GENERIC_TABLE(); make it do the
4	work directly. This also removes a wart introduced in the last patch,
5	where the alias is defined to be an unknown struct type "struct
6	type##__##name##_device_id" instead of "struct type##_device_id" (it's
7	an extern so GCC doesn't care, but it's wrong).
8
9	The other user of MODULE_GENERIC_TABLE (ISAPNP_CARD_TABLE) is unused,
10	so delete it.
11
12	<Backport from cff26a51da5d206d3baf871e75778da44710219d>
13
14	Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
15	Signed-off-by: Zhenhua Luo <zhenhua.luo@nxp.com>
16
17	Upstream-Status: Backport
18	---
19	include/linux/isapnp.h \| 4 ----
20	include/linux/module.h \| 19 ++++++++-----------
21	2 files changed, 8 insertions(+), 15 deletions(-)
22
23	diff --git a/include/linux/isapnp.h b/include/linux/isapnp.h
24	index e2d28b0..3c77bf9 100644
25	--- a/include/linux/isapnp.h
26	+++ b/include/linux/isapnp.h
27	@@ -56,10 +56,6 @@
28	#define ISAPNP_DEVICE_ID(_va, _vb, _vc, _function) \
29	{ .vendor = ISAPNP_VENDOR(_va, _vb, _vc), .function = ISAPNP_FUNCTION(_function) }
30
31	-/* export used IDs outside module */
32	-#define ISAPNP_CARD_TABLE(name) \
33	- MODULE_GENERIC_TABLE(isapnp_card, name)
34	-
35	struct isapnp_card_id {
36	unsigned long driver_data; /* data private to the driver */
37	unsigned short card_vendor, card_device;
38	diff --git a/include/linux/module.h b/include/linux/module.h
39	index 54aef1b..a9f6812 100644
40	--- a/include/linux/module.h
41	+++ b/include/linux/module.h
42	@@ -83,15 +83,6 @@ void sort_extable(struct exception_table_entry *start,
43	void sort_main_extable(void);
44	void trim_init_extable(struct module *m);
45
46	-#ifdef MODULE
47	-#define MODULE_GENERIC_TABLE(gtype,name) \
48	-extern const struct gtype##_id __mod_##gtype##_table \
49	- __attribute__ ((unused, alias(__stringify(name))))
50	-
51	-#else /* !MODULE */
52	-#define MODULE_GENERIC_TABLE(gtype,name)
53	-#endif
54	-
55	/* Generic info of form tag = "info" */
56	#define MODULE_INFO(tag, info) __MODULE_INFO(tag, tag, info)
57
58	@@ -142,8 +133,14 @@ extern const struct gtype##_id __mod_##gtype##_table \
59	/* What your module does. */
60	#define MODULE_DESCRIPTION(_description) MODULE_INFO(description, _description)
61
62	-#define MODULE_DEVICE_TABLE(type,name) \
63	- MODULE_GENERIC_TABLE(type##__##name##_device, name)
64	+#ifdef MODULE
65	+/* Creates an alias so file2alias.c can find device table. */
66	+#define MODULE_DEVICE_TABLE(type, name) \
67	+ extern const struct type##_device_id __mod_##type##__##name##_device_table \
68	+ __attribute__ ((unused, alias(__stringify(name))))
69	+#else /* !MODULE */
70	+#define MODULE_DEVICE_TABLE(type, name)
71	+#endif
72
73	/* Version of form [<epoch>:]<version>[-<extra-version>].
74	Or for CVS/RCS ID version, everything but the number is stripped.
75	--
76	2.5.0
77


diff --git a/recipes-kernel/linux/files/net-sctp-CVE-2014-0101.patch b/recipes-kernel/linux/files/net-sctp-CVE-2014-0101.patch deleted file mode 100644 index ddcb6c5..0000000 --- a/recipes-kernel/linux/files/net-sctp-CVE-2014-0101.patch +++ /dev/null
@@ -1,145 +0,0 @@
1	From 00c53b02cb01976b35d37670a4b5c5d7a6ad3c62 Mon Sep 17 00:00:00 2001
2	From: Daniel Borkmann <dborkman@redhat.com>
3	Date: Mon, 3 Mar 2014 17:23:04 +0100
4	Subject: [PATCH] net: sctp: fix sctp_sf_do_5_1D_ce to verify if we/peer is
5	AUTH capable
6
7	[ Upstream commit ec0223ec48a90cb605244b45f7c62de856403729 ]
8
9	RFC4895 introduced AUTH chunks for SCTP; during the SCTP
10	handshake RANDOM; CHUNKS; HMAC-ALGO are negotiated (CHUNKS
11	being optional though):
12
13	---------- INIT[RANDOM; CHUNKS; HMAC-ALGO] ---------->
14	<------- INIT-ACK[RANDOM; CHUNKS; HMAC-ALGO] ---------
15	-------------------- COOKIE-ECHO -------------------->
16	<-------------------- COOKIE-ACK ---------------------
17
18	A special case is when an endpoint requires COOKIE-ECHO
19	chunks to be authenticated:
20
21	---------- INIT[RANDOM; CHUNKS; HMAC-ALGO] ---------->
22	<------- INIT-ACK[RANDOM; CHUNKS; HMAC-ALGO] ---------
23	------------------ AUTH; COOKIE-ECHO ---------------->
24	<-------------------- COOKIE-ACK ---------------------
25
26	RFC4895, section 6.3. Receiving Authenticated Chunks says:
27
28	The receiver MUST use the HMAC algorithm indicated in
29	the HMAC Identifier field. If this algorithm was not
30	specified by the receiver in the HMAC-ALGO parameter in
31	the INIT or INIT-ACK chunk during association setup, the
32	AUTH chunk and all the chunks after it MUST be discarded
33	and an ERROR chunk SHOULD be sent with the error cause
34	defined in Section 4.1. [...] If no endpoint pair shared
35	key has been configured for that Shared Key Identifier,
36	all authenticated chunks MUST be silently discarded. [...]
37
38	When an endpoint requires COOKIE-ECHO chunks to be
39	authenticated, some special procedures have to be followed
40	because the reception of a COOKIE-ECHO chunk might result
41	in the creation of an SCTP association. If a packet arrives
42	containing an AUTH chunk as a first chunk, a COOKIE-ECHO
43	chunk as the second chunk, and possibly more chunks after
44	them, and the receiver does not have an STCB for that
45	packet, then authentication is based on the contents of
46	the COOKIE-ECHO chunk. In this situation, the receiver MUST
47	authenticate the chunks in the packet by using the RANDOM
48	parameters, CHUNKS parameters and HMAC_ALGO parameters
49	obtained from the COOKIE-ECHO chunk, and possibly a local
50	shared secret as inputs to the authentication procedure
51	specified in Section 6.3. If authentication fails, then
52	the packet is discarded. If the authentication is successful,
53	the COOKIE-ECHO and all the chunks after the COOKIE-ECHO
54	MUST be processed. If the receiver has an STCB, it MUST
55	process the AUTH chunk as described above using the STCB
56	from the existing association to authenticate the
57	COOKIE-ECHO chunk and all the chunks after it. [...]
58
59	Commit bbd0d59809f9 introduced the possibility to receive
60	and verification of AUTH chunk, including the edge case for
61	authenticated COOKIE-ECHO. On reception of COOKIE-ECHO,
62	the function sctp_sf_do_5_1D_ce() handles processing,
63	unpacks and creates a new association if it passed sanity
64	checks and also tests for authentication chunks being
65	present. After a new association has been processed, it
66	invokes sctp_process_init() on the new association and
67	walks through the parameter list it received from the INIT
68	chunk. It checks SCTP_PARAM_RANDOM, SCTP_PARAM_HMAC_ALGO
69	and SCTP_PARAM_CHUNKS, and copies them into asoc->peer
70	meta data (peer_random, peer_hmacs, peer_chunks) in case
71	sysctl -w net.sctp.auth_enable=1 is set. If in INIT's
72	SCTP_PARAM_SUPPORTED_EXT parameter SCTP_CID_AUTH is set,
73	peer_random != NULL and peer_hmacs != NULL the peer is to be
74	assumed asoc->peer.auth_capable=1, in any other case
75	asoc->peer.auth_capable=0.
76
77	Now, if in sctp_sf_do_5_1D_ce() chunk->auth_chunk is
78	available, we set up a fake auth chunk and pass that on to
79	sctp_sf_authenticate(), which at latest in
80	sctp_auth_calculate_hmac() reliably dereferences a NULL pointer
81	at position 0..0008 when setting up the crypto key in
82	crypto_hash_setkey() by using asoc->asoc_shared_key that is
83	NULL as condition key_id == asoc->active_key_id is true if
84	the AUTH chunk was injected correctly from remote. This
85	happens no matter what net.sctp.auth_enable sysctl says.
86
87	The fix is to check for net->sctp.auth_enable and for
88	asoc->peer.auth_capable before doing any operations like
89	sctp_sf_authenticate() as no key is activated in
90	sctp_auth_asoc_init_active_key() for each case.
91
92	Now as RFC4895 section 6.3 states that if the used HMAC-ALGO
93	passed from the INIT chunk was not used in the AUTH chunk, we
94	SHOULD send an error; however in this case it would be better
95	to just silently discard such a maliciously prepared handshake
96	as we didn't even receive a parameter at all. Also, as our
97	endpoint has no shared key configured, section 6.3 says that
98	MUST silently discard, which we are doing from now onwards.
99
100	Before calling sctp_sf_pdiscard(), we need not only to free
101	the association, but also the chunk->auth_chunk skb, as
102	commit bbd0d59809f9 created a skb clone in that case.
103
104	I have tested this locally by using netfilter's nfqueue and
105	re-injecting packets into the local stack after maliciously
106	modifying the INIT chunk (removing RANDOM; HMAC-ALGO param)
107	and the SCTP packet containing the COOKIE_ECHO (injecting
108	AUTH chunk before COOKIE_ECHO). Fixed with this patch applied.
109
110	This fixes CVE-2014-0101
111	Upstream-Status: Backport
112
113	Fixes: bbd0d59809f9 ("[SCTP]: Implement the receive and verification of AUTH chunk")
114	Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
115	Cc: Vlad Yasevich <yasevich@gmail.com>
116	Cc: Neil Horman <nhorman@tuxdriver.com>
117	Acked-by: Vlad Yasevich <vyasevich@gmail.com>
118	Signed-off-by: David S. Miller <davem@davemloft.net>
119	Signed-off-by: Jiri Slaby <jslaby@suse.cz>
120	Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
121	---
122	net/sctp/sm_statefuns.c \| 7 +++++++
123	1 file changed, 7 insertions(+)
124
125	diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
126	index dfe3f36..56ebe71 100644
127	--- a/net/sctp/sm_statefuns.c
128	+++ b/net/sctp/sm_statefuns.c
129	@@ -768,6 +768,13 @@ sctp_disposition_t sctp_sf_do_5_1D_ce(struct net *net,
130	return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
131	}
132
133	+ /* Make sure that we and the peer are AUTH capable */
134	+ if (!net->sctp.auth_enable \|\| !new_asoc->peer.auth_capable) {
135	+ kfree_skb(chunk->auth_chunk);
136	+ sctp_association_free(new_asoc);
137	+ return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
138	+ }
139	+
140	/* set-up our fake chunk so that we can process it */
141	auth.skb = chunk->auth_chunk;
142	auth.asoc = chunk->asoc;
143	--
144	1.9.1
145


diff --git a/recipes-kernel/linux/linux-qoriq_3.12.bb b/recipes-kernel/linux/linux-qoriq_4.1.bb index 533225d..87eebbc 100644 --- a/recipes-kernel/linux/linux-qoriq_3.12.bb +++ b/recipes-kernel/linux/linux-qoriq_4.1.bb
@@ -6,14 +6,11 @@ SECTION = "kernel"
6	LICENSE = "GPLv2"	6	LICENSE = "GPLv2"
7	LIC_FILES_CHKSUM = "file://COPYING;md5=d7810fab7487fb0aad327b76f1be7cd7"	7	LIC_FILES_CHKSUM = "file://COPYING;md5=d7810fab7487fb0aad327b76f1be7cd7"
8		8
9	SRC_URI = "git://git.freescale.com/ppc/sdk/linux.git;branch=sdk-v1.9.x \	9	SRC_URI = "git://git.freescale.com/ppc/sdk/linux.git;branch=sdk-v2.0.x \
10	file://modify-defconfig-t1040-nr-cpus.patch \	10	file://modify-defconfig-t1040-nr-cpus.patch \
11	file://net-sctp-CVE-2014-0101.patch \
12	file://0001-powerpc-Align-TOC-to-256-bytes.patch \
13	file://fix-the-compile-issue-under-gcc6.patch \	11	file://fix-the-compile-issue-under-gcc6.patch \
14	file://module-remove-MODULE_GENERIC_TABLE.patch \
15	"	12	"
16	SRCREV = "43cecda943a6c40a833b588801b0929e8bd48813"	13	SRCREV = "bd51baffc04ecc73f933aee1c3a37c8b44b889a7"
17		14
18	KSRC ?= ""	15	KSRC ?= ""
19	S = '${@base_conditional("KSRC", "", "${WORKDIR}/git", "${KSRC}", d)}'	16	S = '${@base_conditional("KSRC", "", "${WORKDIR}/git", "${KSRC}", d)}'
@@ -39,7 +36,7 @@ do_configure_prepend() {
39	${S}/scripts/kconfig/merge_config.sh -m .config ${WORKDIR}/${deltacfg}	36	${S}/scripts/kconfig/merge_config.sh -m .config ${WORKDIR}/${deltacfg}
40	elif [ -f "${S}/arch/${ARCH}/configs/${deltacfg}" ]; then	37	elif [ -f "${S}/arch/${ARCH}/configs/${deltacfg}" ]; then
41	${S}/scripts/kconfig/merge_config.sh -m .config \	38	${S}/scripts/kconfig/merge_config.sh -m .config \
42	${S}/arch/powerpc/configs/${deltacfg}	39	${S}/arch/${ARCH}/configs/${deltacfg}
43	fi	40	fi
44	done	41	done
45		42