authorTakashi Iwai <tiwai@suse.de>2017-08-10 22:28:47 +0200
committerTakashi Iwai <tiwai@suse.de>2017-08-10 22:28:47 +0200
commit2dd03e85e3ece819fd1edc7cea47b915950aa65e (patch)
tree64d50af0f7bad114e7dc06993f61229490305c9e
parentb7288235289fc7315d08b25cea94d5db3e642670 (diff)
parentb18c43a4c40e46ff83fc9926c8e5e2005741dc85 (diff)
Merge branch 'SLE12-SP3' into openSUSE-42.3rpm-4.4.79-19
-rw-r--r--patches.fixes/net-packet-fix-race-in-packet_set_ring-on-PACKET_RES.patch63
-rw-r--r--patches.fixes/udp-consistently-apply-ufo-or-fragmentation.patch79
-rw-r--r--series.conf2
3 files changed, 144 insertions, 0 deletions
diff --git a/patches.fixes/net-packet-fix-race-in-packet_set_ring-on-PACKET_RES.patch b/patches.fixes/net-packet-fix-race-in-packet_set_ring-on-PACKET_RES.patch
new file mode 100644
index 0000000000..6a00a58b29
--- /dev/null
+++ b/patches.fixes/net-packet-fix-race-in-packet_set_ring-on-PACKET_RES.patch
@@ -0,0 +1,63 @@
+From: Willem de Bruijn <willemb@google.com>
+Date: Sat, 5 Aug 2017 23:57:59 +0200
+Subject: net-packet: fix race in packet_set_ring on PACKET_RESERVE
+Patch-mainline: Not yet, embargo
+References: CVE-2017-1000111 bsc#1052365
+
+PACKET_RESERVE reserves headroom in memory mapped packet ring frames.
+The value po->tp_reserve must is verified to be safe in packet_set_ring
+
+ if (unlikely(req->tp_frame_size < po->tp_hdrlen + po->tp_reserve))
+
+and the setsockopt fails once a ring is set.
+
+ if (po->rx_ring.pg_vec || po->tx_ring.pg_vec)
+ return -EBUSY;
+
+This operation does not take the socket lock. This leads to a race
+similar to the one with PACKET_VERSION fixed in commit 84ac7260236a
+("packet: fix race condition in packet_set_ring").
+
+Fix this issue in the same manner: take the socket lock, which as of
+that patch is held for the duration of packet_set_ring.
+
+This bug was discovered with syzkaller.
+
+Reported-by: Andrey Konovalov <andreyknvl@google.com>
+Signed-off-by: Willem de Bruijn <willemb@google.com>
+Acked-by: Michal Kubecek <mkubecek@suse.cz>
+---
+ net/packet/af_packet.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
+index f8d6a0ca9c03..d50867eb87cd 100644
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -3622,14 +3622,19 @@ packet_setsockopt(struct socket *sock, int level, int optname, char __user *optv
+
+ if (optlen != sizeof(val))
+ return -EINVAL;
+- if (po->rx_ring.pg_vec || po->tx_ring.pg_vec)
+- return -EBUSY;
+ if (copy_from_user(&val, optval, sizeof(val)))
+ return -EFAULT;
+ if (val > INT_MAX)
+ return -EINVAL;
+- po->tp_reserve = val;
+- return 0;
++ lock_sock(sk);
++ if (po->rx_ring.pg_vec || po->tx_ring.pg_vec)
++ ret = -EBUSY;
++ else {
++ po->tp_reserve = val;
++ ret = 0;
++ }
++ release_sock(sk);
++ return ret;
+ }
+ case PACKET_LOSS:
+ {
+--
+2.13.4
+
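Review bot: The new `lock_sock(sk)` around the PACKET_RESERVE check only closes the race if `packet_set_ring` already holds the socket lock for its whole duration, which the description attributes to commit 84ac7260236a ("packet: fix race condition in packet_set_ring"); that prerequisite is not visible here, so confirm it is already applied in the SLE12-SP3 4.4.79 tree before shipping this on its own. The hunk also assigns `ret` without declaring it, so it relies on an `int ret` earlier in `packet_setsockopt`, which starts outside the embedded hunk. As a style point, the `if` arm is bare while the `else` arm is braced; kernel style braces both once either is multi-line: `if (po->rx_ring.pg_vec || po->tx_ring.pg_vec) {` / `ret = -EBUSY;` / `} else {`. The header carries `Patch-mainline: Not yet, embargo` with no `Git-commit:` line; once the embargo lifts the upstream commit id should be recorded so the backport stays traceable to the CVE-2017-1000111 fix.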
diff --git a/patches.fixes/udp-consistently-apply-ufo-or-fragmentation.patch b/patches.fixes/udp-consistently-apply-ufo-or-fragmentation.patch
new file mode 100644
index 0000000000..7f95da3cc9
--- /dev/null
+++ b/patches.fixes/udp-consistently-apply-ufo-or-fragmentation.patch
@@ -0,0 +1,79 @@
+From: Willem de Bruijn <willemb@google.com>
+Date: Fri, 14 Jul 2017 10:19:00 +0200
+Subject: udp: consistently apply ufo or fragmentation
+Patch-mainline: Not yet, embargo
+References: CVE-2017-1000112 bsc#1052311
+
+When iteratively building a UDP datagram with MSG_MORE and that
+datagram exceeds MTU, consistently choose UFO or fragmentation.
+
+Once skb_is_gso, always apply ufo. Conversely, once a datagram is
+split across multiple skbs, do not consider ufo.
+
+Sendpage already maintains the first invariant, only add the second.
+IPv6 does not have a sendpage implementation to modify.
+
+Fixes: e89e9cf539a2 ("[IPv4/IPv6]: UFO Scatter-gather approach")
+Reported-by: Andrey Konovalov <andreyknvl@google.com>
+Signed-off-by: Willem de Bruijn <willemb@google.com>
+Acked-by: Michal Kubecek <mkubecek@suse.cz>
+---
+ net/ipv4/ip_output.c | 12 +++++++-----
+ net/ipv6/ip6_output.c | 11 ++++++-----
+ 2 files changed, 13 insertions(+), 10 deletions(-)
+
+diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
+index 423558b546ea..5fe79867d8e2 100644
+--- a/net/ipv4/ip_output.c
++++ b/net/ipv4/ip_output.c
+@@ -922,11 +922,12 @@ static int __ip_append_data(struct sock *sk,
+ csummode = CHECKSUM_PARTIAL;
+
+ cork->length += length;
+- if ((((length + (skb ? skb->len : fragheaderlen)) > mtu) ||
+- (skb && skb_is_gso(skb))) &&
+- (sk->sk_protocol == IPPROTO_UDP) &&
+- (rt->dst.dev->features & NETIF_F_UFO) && !dst_xfrm(&rt->dst) &&
+- (sk->sk_type == SOCK_DGRAM) && !sk->sk_no_check_tx) {
++ if ((skb && skb_is_gso(skb)) ||
++ (((length + (skb ? skb->len : fragheaderlen)) > mtu) &&
++ (skb_queue_len(queue) <= 1) &&
++ (sk->sk_protocol == IPPROTO_UDP) &&
++ (rt->dst.dev->features & NETIF_F_UFO) && !dst_xfrm(&rt->dst) &&
++ (sk->sk_type == SOCK_DGRAM) && !sk->sk_no_check_tx)) {
+ err = ip_ufo_append_data(sk, queue, getfrag, from, length,
+ hh_len, fragheaderlen, transhdrlen,
+ maxfraglen, flags);
+@@ -1243,6 +1244,7 @@ ssize_t ip_append_page(struct sock *sk, struct flowi4 *fl4, struct page *page,
+
+ if ((size + skb->len > mtu) &&
+ (sk->sk_protocol == IPPROTO_UDP) &&
++ (skb_queue_len(&sk->sk_write_queue) == 1) &&
+ (rt->dst.dev->features & NETIF_F_UFO)) {
+ if (skb->ip_summed != CHECKSUM_PARTIAL)
+ return -EOPNOTSUPP;
+diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
+index c9f62e2d4c08..5e84ae7ff621 100644
+--- a/net/ipv6/ip6_output.c
++++ b/net/ipv6/ip6_output.c
+@@ -1361,11 +1361,12 @@ emsgsize:
+ */
+
+ cork->length += length;
+- if ((((length + (skb ? skb->len : headersize)) > mtu) ||
+- (skb && skb_is_gso(skb))) &&
+- (sk->sk_protocol == IPPROTO_UDP) &&
+- (rt->dst.dev->features & NETIF_F_UFO) && !dst_xfrm(&rt->dst) &&
+- (sk->sk_type == SOCK_DGRAM) && !udp_get_no_check6_tx(sk)) {
++ if ((skb && skb_is_gso(skb)) ||
++ (((length + (skb ? skb->len : headersize)) > mtu) &&
++ (skb_queue_len(queue) <= 1) &&
++ (sk->sk_protocol == IPPROTO_UDP) &&
++ (rt->dst.dev->features & NETIF_F_UFO) && !dst_xfrm(&rt->dst) &&
++ (sk->sk_type == SOCK_DGRAM) && !udp_get_no_check6_tx(sk))) {
+ err = ip6_ufo_append_data(sk, queue, getfrag, from, length,
+ hh_len, fragheaderlen, exthdrlen,
+ transhdrlen, mtu, flags, fl6);
+--
+2.13.4
+
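Review bot: The new single-skb guard is spelled `skb_queue_len(queue) <= 1` in `__ip_append_data` and `ip6_append_data` but `skb_queue_len(&sk->sk_write_queue) == 1` in `ip_append_page`; the forms are presumably equivalent only because `ip_append_page` has already peeked the tail skb and returned when the queue is empty, and that code lies outside this hunk. A one-line comment at the `ip_append_page` condition, `/* UFO only while the datagram still sits in a single skb; a split datagram stays on fragmentation */`, would save the next backporter from re-deriving why the two checks differ. Note that the `skb_is_gso(skb)` short-circuit now precedes every other condition, so a socket whose first skb was already marked GSO keeps using UFO even if `NETIF_F_UFO` or the xfrm state changed in between, which matches the "once skb_is_gso, always apply ufo" invariant in the description. Both enclosing functions start and end outside the hunk.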
diff --git a/series.conf b/series.conf
index 16a25c69db..27b2e76a6e 100644
--- a/series.conf
+++ b/series.conf
@@ -3501,6 +3501,8 @@
patches.fixes/af_key-fix-slab-out-of-bounds-in-pfkey_compile_policy.patch
patches.fixes/af_key-add-lock-to-key-dump.patch
patches.fixes/ipv6-avoid-overflow-of-offset-in-ip6_find_1stfragopt.patch
+ patches.fixes/udp-consistently-apply-ufo-or-fragmentation.patch
+ patches.fixes/net-packet-fix-race-in-packet_set_ring-on-PACKET_RES.patch
########################################################
# Netfilter