From d063ec68425094eebf2e5d50e8f410456a8f5143 Mon Sep 17 00:00:00 2001
From: Sona Sarmadi
Date: Tue, 27 Jan 2015 14:04:10 +0100
Subject: sctp: CVE-2014-4667 sk_ack_backlog wrap-around problem
Reference: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4667
Signed-off-by: Sona Sarmadi
---
 .../linux/files/sctp-CVE-2014-4667.patch | 51 ++++++++++++++++++++++
 recipes-kernel/linux/linux-qoriq_3.12.bb | 1 +
 2 files changed, 52 insertions(+)
 create mode 100644 recipes-kernel/linux/files/sctp-CVE-2014-4667.patch
(limited to 'recipes-kernel/linux')
diff --git a/recipes-kernel/linux/files/sctp-CVE-2014-4667.patch b/recipes-kernel/linux/files/sctp-CVE-2014-4667.patch
new file mode 100644
index 0000000..e7b1228
--- /dev/null
+++ b/recipes-kernel/linux/files/sctp-CVE-2014-4667.patch
@@ -0,0 +1,51 @@
+From ddb638e68690ca61959775b262a5ef0719c5c066 Mon Sep 17 00:00:00 2001
+From: Xufeng Zhang
+Date: Thu, 12 Jun 2014 10:53:36 +0800
+Subject: [PATCH] sctp: Fix sk_ack_backlog wrap-around problem
+
+[ Upstream commit d3217b15a19a4779c39b212358a5c71d725822ee ]
+
+Consider the scenario:
+For a TCP-style socket, while processing the COOKIE_ECHO chunk in
+sctp_sf_do_5_1D_ce(), after it has passed a series of sanity check,
+a new association would be created in sctp_unpack_cookie(), but afterwards,
+some processing maybe failed, and sctp_association_free() will be called to
+free the previously allocated association, in sctp_association_free(),
+sk_ack_backlog value is decremented for this socket, since the initial
+value for sk_ack_backlog is 0, after the decrement, it will be 65535,
+a wrap-around problem happens, and if we want to establish new associations
+afterward in the same socket, ABORT would be triggered since sctp deem the
+accept queue as full.
+Fix this issue by only decrementing sk_ack_backlog for associations in
+the endpoint's list.
+
+Fixes CVE-2014-4667
+Upstream-Status: Backport
+
+Fix-suggested-by: Neil Horman
+Signed-off-by: Xufeng Zhang
+Acked-by: Daniel Borkmann
+Acked-by: Vlad Yasevich
+Signed-off-by: David S. Miller
+Signed-off-by: Jiri Slaby
+Signed-off-by: Sona Sarmadi
+---
+ net/sctp/associola.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/sctp/associola.c b/net/sctp/associola.c
+index cef5099..f6d6dcd 100644
+--- a/net/sctp/associola.c
++++ b/net/sctp/associola.c
+@@ -375,7 +375,7 @@ void sctp_association_free(struct sctp_association *asoc)
+ /* Only real associations count against the endpoint, so
+ * don't bother for if this is a temporary association.
+ */
+- if (!asoc->temp) {
++ if (!list_empty(&asoc->asocs)) {
+ list_del(&asoc->asocs);
+
+ /* Decrement the backlog value for a TCP-style listening
+--
+1.9.1
+
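Review bot: The comment kept as context just above the changed condition (`/* Only real associations count against the endpoint, so don't bother for if this is a temporary association. */`) still describes the old `!asoc->temp` test rather than the new `!list_empty(&asoc->asocs)` one, so the backported patch should reword it, e.g. `/* Only associations actually linked into the endpoint's list count against the backlog; one freed before being added (e.g. after a failed COOKIE_ECHO) must not decrement sk_ack_backlog. */`. The new test is only safe if `asoc->asocs` is initialised with `INIT_LIST_HEAD()` before any failure path can reach `sctp_association_free()`; since this is a backport into a vendor 3.12 tree whose line numbers differ from the upstream file, that initialisation should be confirmed in this tree's `sctp_association_init()` rather than assumed. `sctp_association_free()` and the `if` body that performs the `sk_ack_backlog` decrement continue outside the hunk.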
diff --git a/recipes-kernel/linux/linux-qoriq_3.12.bb b/recipes-kernel/linux/linux-qoriq_3.12.bb
index 90ccedd..2cd8ce9 100644
--- a/recipes-kernel/linux/linux-qoriq_3.12.bb
+++ b/recipes-kernel/linux/linux-qoriq_3.12.bb
@@ -25,6 +25,7 @@ SRC_URI = "git://git.freescale.com/ppc/sdk/linux.git;nobranch=1 \
 file://auditsc-CVE-2014-3917.patch \
 file://0001-ALSA-CVE-2014-4652.patch \
 file://0002-ALSA-CVE-2014-4653.patch \
+ file://sctp-CVE-2014-4667.patch \
 "
 
 SRCREV = "6619b8b55796cdf0cec04b66a71288edd3057229"
-- 
cgit v1.2.3-54-g00ecf