diff options
| author | Sona Sarmadi <sona.sarmadi@enea.com> | 2015-11-12 12:15:28 +0100 |
|---|---|---|
| committer | Tudor Florea <tudor.florea@enea.com> | 2015-11-13 01:04:23 +0100 |
| commit | e163d6cf5d6a525676f566841d6b898ff0c004fb (patch) | |
| tree | 8cda41dc2f23b586ae24998ed57120d7334a3bb1 /recipes-kernel | |
| parent | 8e23157605049aaf851acdc272e50477b2331fdd (diff) | |
| download | meta-hierofalcon-e163d6cf5d6a525676f566841d6b898ff0c004fb.tar.gz | |
kernel: net: rds: CVE-2015-6937
Fixes NULL pointer dereference in net/rds/connection.c
Upstream patch:
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/
?id=74e98eb085889b0d2d4908f59f6e00026063014f
Reference:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6937
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Tudor Florea <tudor.florea@enea.com>
Diffstat (limited to 'recipes-kernel')
| -rw-r--r-- | recipes-kernel/linux/linux-hierofalcon/RDS-CVE-2015-6937.patch | 83 | ||||
| -rw-r--r-- | recipes-kernel/linux/linux-hierofalcon_3.19.bb | 1 | ||||
| -rw-r--r-- | recipes-kernel/linux/linux-hierofalcon_4.1.bb | 1 |
3 files changed, 85 insertions, 0 deletions
diff --git a/recipes-kernel/linux/linux-hierofalcon/RDS-CVE-2015-6937.patch b/recipes-kernel/linux/linux-hierofalcon/RDS-CVE-2015-6937.patch new file mode 100644 index 0000000..e4c7ce1 --- /dev/null +++ b/recipes-kernel/linux/linux-hierofalcon/RDS-CVE-2015-6937.patch | |||
| @@ -0,0 +1,83 @@ | |||
| 1 | From 74e98eb085889b0d2d4908f59f6e00026063014f Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Sasha Levin <sasha.levin@oracle.com> | ||
| 3 | Date: Tue, 8 Sep 2015 10:53:40 -0400 | ||
| 4 | Subject: [PATCH] RDS: verify the underlying transport exists before creating a | ||
| 5 | connection | ||
| 6 | |||
| 7 | There was no verification that an underlying transport exists when creating | ||
| 8 | a connection, this would cause dereferencing a NULL ptr. | ||
| 9 | |||
| 10 | It might happen on sockets that weren't properly bound before attempting to | ||
| 11 | send a message, which will cause a NULL ptr deref: | ||
| 12 | |||
| 13 | [135546.047719] kasan: GPF could be caused by NULL-ptr deref or user memory accessgeneral protection fault: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC KASAN | ||
| 14 | [135546.051270] Modules linked in: | ||
| 15 | [135546.051781] CPU: 4 PID: 15650 Comm: trinity-c4 Not tainted 4.2.0-next-20150902-sasha-00041-gbaa1222-dirty #2527 | ||
| 16 | [135546.053217] task: ffff8800835bc000 ti: ffff8800bc708000 task.ti: ffff8800bc708000 | ||
| 17 | [135546.054291] RIP: __rds_conn_create (net/rds/connection.c:194) | ||
| 18 | [135546.055666] RSP: 0018:ffff8800bc70fab0 EFLAGS: 00010202 | ||
| 19 | [135546.056457] RAX: dffffc0000000000 RBX: 0000000000000f2c RCX: ffff8800835bc000 | ||
| 20 | [135546.057494] RDX: 0000000000000007 RSI: ffff8800835bccd8 RDI: 0000000000000038 | ||
| 21 | [135546.058530] RBP: ffff8800bc70fb18 R08: 0000000000000001 R09: 0000000000000000 | ||
| 22 | [135546.059556] R10: ffffed014d7a3a23 R11: ffffed014d7a3a21 R12: 0000000000000000 | ||
| 23 | [135546.060614] R13: 0000000000000001 R14: ffff8801ec3d0000 R15: 0000000000000000 | ||
| 24 | [135546.061668] FS: 00007faad4ffb700(0000) GS:ffff880252000000(0000) knlGS:0000000000000000 | ||
| 25 | [135546.062836] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b | ||
| 26 | [135546.063682] CR2: 000000000000846a CR3: 000000009d137000 CR4: 00000000000006a0 | ||
| 27 | [135546.064723] Stack: | ||
| 28 | [135546.065048] ffffffffafe2055c ffffffffafe23fc1 ffffed00493097bf ffff8801ec3d0008 | ||
| 29 | [135546.066247] 0000000000000000 00000000000000d0 0000000000000000 ac194a24c0586342 | ||
| 30 | [135546.067438] 1ffff100178e1f78 ffff880320581b00 ffff8800bc70fdd0 ffff880320581b00 | ||
| 31 | [135546.068629] Call Trace: | ||
| 32 | [135546.069028] ? __rds_conn_create (include/linux/rcupdate.h:856 net/rds/connection.c:134) | ||
| 33 | [135546.069989] ? rds_message_copy_from_user (net/rds/message.c:298) | ||
| 34 | [135546.071021] rds_conn_create_outgoing (net/rds/connection.c:278) | ||
| 35 | [135546.071981] rds_sendmsg (net/rds/send.c:1058) | ||
| 36 | [135546.072858] ? perf_trace_lock (include/trace/events/lock.h:38) | ||
| 37 | [135546.073744] ? lockdep_init (kernel/locking/lockdep.c:3298) | ||
| 38 | [135546.074577] ? rds_send_drop_to (net/rds/send.c:976) | ||
| 39 | [135546.075508] ? __might_fault (./arch/x86/include/asm/current.h:14 mm/memory.c:3795) | ||
| 40 | [135546.076349] ? __might_fault (mm/memory.c:3795) | ||
| 41 | [135546.077179] ? rds_send_drop_to (net/rds/send.c:976) | ||
| 42 | [135546.078114] sock_sendmsg (net/socket.c:611 net/socket.c:620) | ||
| 43 | [135546.078856] SYSC_sendto (net/socket.c:1657) | ||
| 44 | [135546.079596] ? SYSC_connect (net/socket.c:1628) | ||
| 45 | [135546.080510] ? trace_dump_stack (kernel/trace/trace.c:1926) | ||
| 46 | [135546.081397] ? ring_buffer_unlock_commit (kernel/trace/ring_buffer.c:2479 kernel/trace/ring_buffer.c:2558 kernel/trace/ring_buffer.c:2674) | ||
| 47 | [135546.082390] ? trace_buffer_unlock_commit (kernel/trace/trace.c:1749) | ||
| 48 | [135546.083410] ? trace_event_raw_event_sys_enter (include/trace/events/syscalls.h:16) | ||
| 49 | [135546.084481] ? do_audit_syscall_entry (include/trace/events/syscalls.h:16) | ||
| 50 | [135546.085438] ? trace_buffer_unlock_commit (kernel/trace/trace.c:1749) | ||
| 51 | [135546.085515] rds_ib_laddr_check(): addr 36.74.25.172 ret -99 node type -1 | ||
| 52 | |||
| 53 | Fixes CVE-2015-6937. | ||
| 54 | Upstream-Status: Backport | ||
| 55 | |||
| 56 | Acked-by: Santosh Shilimkar <santosh.shilimkar@oracle.com> | ||
| 57 | Signed-off-by: Sasha Levin <sasha.levin@oracle.com> | ||
| 58 | Signed-off-by: David S. Miller <davem@davemloft.net> | ||
| 59 | Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> | ||
| 60 | --- | ||
| 61 | net/rds/connection.c | 6 ++++++ | ||
| 62 | 1 file changed, 6 insertions(+) | ||
| 63 | |||
| 64 | diff --git a/net/rds/connection.c b/net/rds/connection.c | ||
| 65 | index 9b2de5e..49adeef 100644 | ||
| 66 | --- a/net/rds/connection.c | ||
| 67 | +++ b/net/rds/connection.c | ||
| 68 | @@ -190,6 +190,12 @@ new_conn: | ||
| 69 | } | ||
| 70 | } | ||
| 71 | |||
| 72 | + if (trans == NULL) { | ||
| 73 | + kmem_cache_free(rds_conn_slab, conn); | ||
| 74 | + conn = ERR_PTR(-ENODEV); | ||
| 75 | + goto out; | ||
| 76 | + } | ||
| 77 | + | ||
| 78 | conn->c_trans = trans; | ||
| 79 | |||
| 80 | ret = trans->conn_alloc(conn, gfp); | ||
| 81 | -- | ||
| 82 | 1.9.1 | ||
| 83 | |||
diff --git a/recipes-kernel/linux/linux-hierofalcon_3.19.bb b/recipes-kernel/linux/linux-hierofalcon_3.19.bb index 731c545..45df7b3 100644 --- a/recipes-kernel/linux/linux-hierofalcon_3.19.bb +++ b/recipes-kernel/linux/linux-hierofalcon_3.19.bb | |||
| @@ -17,6 +17,7 @@ SRC_URI = "git://git.yoctoproject.org/linux-yocto-3.19;branch="standard/qemuarm6 | |||
| 17 | file://defconfig \ | 17 | file://defconfig \ |
| 18 | file://keys-CVE-2015-1333.patch \ | 18 | file://keys-CVE-2015-1333.patch \ |
| 19 | file://udp_fix_behavior_of_wrong_checksums.patch \ | 19 | file://udp_fix_behavior_of_wrong_checksums.patch \ |
| 20 | file://RDS-CVE-2015-6937.patch \ | ||
| 20 | " | 21 | " |
| 21 | 22 | ||
| 22 | S = "${WORKDIR}/git" | 23 | S = "${WORKDIR}/git" |
diff --git a/recipes-kernel/linux/linux-hierofalcon_4.1.bb b/recipes-kernel/linux/linux-hierofalcon_4.1.bb index 1140927..85e5fe3 100644 --- a/recipes-kernel/linux/linux-hierofalcon_4.1.bb +++ b/recipes-kernel/linux/linux-hierofalcon_4.1.bb | |||
| @@ -22,6 +22,7 @@ SRC_URI = "git://git.yoctoproject.org/linux-yocto-4.1;branch="standard/qemuarm64 | |||
| 22 | file://412-styx-Fix-build-issues-after-porting-PCI-patches-to-4.1.2-.patch \ | 22 | file://412-styx-Fix-build-issues-after-porting-PCI-patches-to-4.1.2-.patch \ |
| 23 | file://defconfig \ | 23 | file://defconfig \ |
| 24 | file://keys-CVE-2015-1333.patch \ | 24 | file://keys-CVE-2015-1333.patch \ |
| 25 | file://RDS-CVE-2015-6937.patch \ | ||
| 25 | " | 26 | " |
| 26 | 27 | ||
| 27 | S = "${WORKDIR}/git" | 28 | S = "${WORKDIR}/git" |