From 8e23157605049aaf851acdc272e50477b2331fdd Mon Sep 17 00:00:00 2001 From: Tudor Florea Date: Thu, 5 Nov 2015 14:30:40 +0100 Subject: kernel: CVE-2015-5364, CVE-2015-5366 This fixes incorrect processing of checksums in UDP implementation Signed-off-by: Tudor Florea Signed-off-by: Sona Sarmadi --- .../udp_fix_behavior_of_wrong_checksums.patch | 65 ++++++++++++++++++++++ 1 file changed, 65 insertions(+) create mode 100644 recipes-kernel/linux/linux-hierofalcon-3.19/udp_fix_behavior_of_wrong_checksums.patch (limited to 'recipes-kernel/linux/linux-hierofalcon-3.19') diff --git a/recipes-kernel/linux/linux-hierofalcon-3.19/udp_fix_behavior_of_wrong_checksums.patch b/recipes-kernel/linux/linux-hierofalcon-3.19/udp_fix_behavior_of_wrong_checksums.patch new file mode 100644 index 0000000..f4a99ae --- /dev/null +++ b/recipes-kernel/linux/linux-hierofalcon-3.19/udp_fix_behavior_of_wrong_checksums.patch @@ -0,0 +1,65 @@ +From beb39db59d14990e401e235faf66a6b9b31240b0 Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Sat, 30 May 2015 09:16:53 -0700 +Subject: udp: fix behavior of wrong checksums + +[ Upstream commit beb39db59d14990e401e235faf66a6b9b31240b0 ] + +We have two problems in UDP stack related to bogus checksums : + +1) We return -EAGAIN to application even if receive queue is not empty. + This breaks applications using edge trigger epoll() + +2) Under UDP flood, we can loop forever without yielding to other + processes, potentially hanging the host, especially on non SMP. + +This patch is an attempt to make things better. + +We might in the future add extra support for rt applications +wanting to better control time spent doing a recv() in a hostile +environment. For example we could validate checksums before queuing +packets in socket receive queue. + +Signed-off-by: Eric Dumazet +Cc: Willem de Bruijn +Signed-off-by: David S. Miller +Signed-off-by: Tudor Florea +Upstream-Status: backport + +diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c +index d10b7e0..1c92ea6 100644 +--- a/net/ipv4/udp.c ++++ b/net/ipv4/udp.c +@@ -1295,10 +1295,8 @@ csum_copy_err: + } + unlock_sock_fast(sk, slow); + +- if (noblock) +- return -EAGAIN; +- +- /* starting over for a new packet */ ++ /* starting over for a new packet, but check if we need to yield */ ++ cond_resched(); + msg->msg_flags &= ~MSG_TRUNC; + goto try_again; + } +diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c +index c2ec416..e51fc3e 100644 +--- a/net/ipv6/udp.c ++++ b/net/ipv6/udp.c +@@ -497,10 +497,8 @@ csum_copy_err: + } + unlock_sock_fast(sk, slow); + +- if (noblock) +- return -EAGAIN; +- +- /* starting over for a new packet */ ++ /* starting over for a new packet, but check if we need to yield */ ++ cond_resched(); + msg->msg_flags &= ~MSG_TRUNC; + goto try_again; + } +-- +cgit v0.10.2 + -- cgit v1.2.3-54-g00ecf