From 945103b85c6c8289722ca31dcd7c137e77b87186 Mon Sep 17 00:00:00 2001 From: Sona Sarmadi Date: Fri, 25 Sep 2015 14:37:00 +0200 Subject: kernel-udp: CVE-2015-5364, CVE-2015-5366 This fixes incorrect processing of checksums in UDP implementation References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5364 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5366 http://www.openwall.com/lists/oss-security/2015/07/10/3 Upstream fix: https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/ commit/?id=a97b54dd69cb05df4c57f5d5b40c761f7835ce4e Signed-off-by: Sona Sarmadi
---
 .../files/udp-CVE-2015-5364_CVE-2015-5366.patch | 72 ++++++++++++++++++++++ recipes-kernel/linux/linux-qoriq_3.12.bb | 1 + 2 files changed, 73 insertions(+) create mode 100644 recipes-kernel/linux/files/udp-CVE-2015-5364_CVE-2015-5366.patch
diff --git a/recipes-kernel/linux/files/udp-CVE-2015-5364_CVE-2015-5366.patch b/recipes-kernel/linux/files/udp-CVE-2015-5364_CVE-2015-5366.patch
new file mode 100644
index 0000000..43f2dbf
--- /dev/null
+++ b/recipes-kernel/linux/files/udp-CVE-2015-5364_CVE-2015-5366.patch
@@ -0,0 +1,72 @@
+From a97b54dd69cb05df4c57f5d5b40c761f7835ce4e Mon Sep 17 00:00:00 2001
+From: Eric Dumazet
+Date: Sat, 30 May 2015 09:16:53 -0700
+Subject: [PATCH] udp: fix behavior of wrong checksums
+
+[ Upstream commit beb39db59d14990e401e235faf66a6b9b31240b0 ]
+
+We have two problems in UDP stack related to bogus checksums :
+
+1) We return -EAGAIN to application even if receive queue is not empty.
+ This breaks applications using edge trigger epoll()
+
+2) Under UDP flood, we can loop forever without yielding to other
+ processes, potentially hanging the host, especially on non SMP.
+
+This patch is an attempt to make things better.
+
+We might in the future add extra support for rt applications
+wanting to better control time spent doing a recv() in a hostile
+environment. For example we could validate checksums before queuing
+packets in socket receive queue.
+
+Fixes CVE-2015-5364 and CVE-2015-5366.
+Upstream-Status: backport
+
+Signed-off-by: Eric Dumazet
+Cc: Willem de Bruijn
+Signed-off-by: David S. Miller
+Signed-off-by: Jiri Slaby
+Signed-off-by: Sona Sarmadi
+---
+ net/ipv4/udp.c | 6 ++----
+ net/ipv6/udp.c | 6 ++----
+ 2 files changed, 4 insertions(+), 8 deletions(-)
+
+diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
+index 6ca9907..268ed25 100644
+--- a/net/ipv4/udp.c
++++ b/net/ipv4/udp.c
+@@ -1295,10 +1295,8 @@ csum_copy_err:
+ }
+ unlock_sock_fast(sk, slow);
+
+- if (noblock)
+- return -EAGAIN;
+-
+- /* starting over for a new packet */
++ /* starting over for a new packet, but check if we need to yield */
++ cond_resched();
+ msg->msg_flags &= ~MSG_TRUNC;
+ goto try_again;
+ }
+diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c
+index 3d2758d..e09ca28 100644
+--- a/net/ipv6/udp.c
++++ b/net/ipv6/udp.c
+@@ -495,10 +495,8 @@ csum_copy_err:
+ }
+ unlock_sock_fast(sk, slow);
+
+- if (noblock)
+- return -EAGAIN;
+-
+- /* starting over for a new packet */
++ /* starting over for a new packet, but check if we need to yield */
++ cond_resched();
+ msg->msg_flags &= ~MSG_TRUNC;
+ goto try_again;
+ }
+--
+1.9.1
+
diff --git a/recipes-kernel/linux/linux-qoriq_3.12.bb b/recipes-kernel/linux/linux-qoriq_3.12.bb
index 0a2883f..33bcd37 100644
--- a/recipes-kernel/linux/linux-qoriq_3.12.bb
+++ b/recipes-kernel/linux/linux-qoriq_3.12.bb
@@ -32,6 +32,7 @@ SRC_URI = "git://git.freescale.com/ppc/sdk/linux.git;nobranch=1 \
 file://futex-CVE-2014-3153.patch \
 file://target-CVE-2014-4027.patch \
 file://fs-isofs-CVE-2014-9420.patch \
+ file://udp-CVE-2015-5364_CVE-2015-5366.patch \
 "
 SRCREV = "6619b8b55796cdf0cec04b66a71288edd3057229"
--
cgit v1.2.3-54-g00ecf
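Review bot: The header of the added patch file records provenance only as `Upstream-Status: backport` and names the two CVEs in prose, so the fix is not machine-attributable to both IDs. If this layer is ever scanned with OpenEmbedded's cve-check, that tooling reads a `CVE:` tag from the patch header and, as far as I know, otherwise takes only the last CVE ID in the file name, which here would leave CVE-2015-5364 reported as unpatched. I would add `CVE: CVE-2015-5364 CVE-2015-5366` and write the status as `Upstream-Status: Backport [upstream commit beb39db59d14990e401e235faf66a6b9b31240b0]`. On the code, both `csum_copy_err` hunks (net/ipv4/udp.c and net/ipv6/udp.c, each starting and ending inside a function that is outside the hunk) replace the non-blocking `-EAGAIN` return with `cond_resched()` before `goto try_again`. This yields the CPU but does not bound the discard loop, as the upstream message itself concedes, so that residual cost under a bad-checksum flood belongs in the layer's security notes rather than in a local change to the backport.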