Home Home > GIT Browse > SLE15-AZURE
summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMichal Kubecek <mkubecek@suse.cz>2019-06-11 09:55:01 +0200
committerMichal Kubecek <mkubecek@suse.cz>2019-06-11 09:55:01 +0200
commit4a006b25335fa286c6ee433d8c176aa5cd67b3fe (patch)
tree4f011c9f4c7da3ce0d83d17dee5e6b3758770bc3
parent2e2a3c98fe4ea7ba2bafc00873f8d50286aac6ad (diff)
tcp: fix fack_count accounting on tcp_shift_skb_data()
(CVE-2019-11477 bsc#1137586).
-rw-r--r--patches.fixes/tcp-fix-fack_count-accounting-on-tcp_shift_skb_data.patch50
-rw-r--r--series.conf1
2 files changed, 51 insertions, 0 deletions
diff --git a/patches.fixes/tcp-fix-fack_count-accounting-on-tcp_shift_skb_data.patch b/patches.fixes/tcp-fix-fack_count-accounting-on-tcp_shift_skb_data.patch
new file mode 100644
index 0000000000..2ac827286f
--- /dev/null
+++ b/patches.fixes/tcp-fix-fack_count-accounting-on-tcp_shift_skb_data.patch
@@ -0,0 +1,50 @@
+From: Joao Martins <joao.m.martins@oracle.com>
+Date: Mon, 10 Jun 2019 10:13:23 -0400
+Subject: tcp: fix fack_count accounting on tcp_shift_skb_data()
+Patch-mainline: Not yet, embargo
+References: CVE-2019-11477 bsc#1137586
+
+v4.15 or since commit 737ff314563 ("tcp: use sequence distance to
+detect reordering") had switched from the packet-based FACK tracking and
+switched to sequence-based.
+
+v4.14 and older still have the old logic and hence on
+tcp_skb_shift_data() needs to retain its original logic and have
+@fack_count in sync. In other words, we keep the increment of pcount with
+tcp_skb_pcount(skb) to later used that to update fack_count. To make it
+more explicit we track the new skb that gets incremented to pcount in
+@next_pcount, and we get to avoid the constant invocation of
+tcp_skb_pcount(skb) all together.
+
+Reported-by: Alexey Kodanev <alexey.kodanev@oracle.com>
+Signed-off-by: Joao Martins <joao.m.martins@oracle.com>
+Acked-by: Michal Kubecek <mkubecek@suse.cz>
+---
+ net/ipv4/tcp_input.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/net/ipv4/tcp_input.c
++++ b/net/ipv4/tcp_input.c
+@@ -1419,6 +1419,7 @@ static struct sk_buff *tcp_shift_skb_data(struct sock *sk, struct sk_buff *skb,
+ struct tcp_sock *tp = tcp_sk(sk);
+ struct sk_buff *prev;
+ int mss;
++ int next_pcount;
+ int pcount = 0;
+ int len;
+ int in_sack;
+@@ -1535,9 +1536,11 @@ static struct sk_buff *tcp_shift_skb_data(struct sock *sk, struct sk_buff *skb,
+ goto out;
+
+ len = skb->len;
+- pcount = tcp_skb_pcount(skb);
+- if (tcp_skb_shift(prev, skb, pcount, len))
+- tcp_shifted_skb(sk, skb, state, pcount, len, mss, 0);
++ next_pcount = tcp_skb_pcount(skb);
++ if (tcp_skb_shift(prev, skb, next_pcount, len)) {
++ pcount += next_pcount;
++ tcp_shifted_skb(sk, skb, state, next_pcount, len, mss, 0);
++ }
+
+ out:
+ state->fack_count += pcount;
diff --git a/series.conf b/series.conf
index 584791dcf5..b7745f1829 100644
--- a/series.conf
+++ b/series.conf
@@ -22323,6 +22323,7 @@
patches.fixes/tcp-add-tcp_min_snd_mss-sysctl.patch
patches.fixes/tcp-enforce-tcp_min_snd_mss-in-tcp_mtu_probing.patch
patches.kabi/kabi-move-sysctl_tcp_min_snd_mss-to-preserve-struct-.patch
+ patches.fixes/tcp-fix-fack_count-accounting-on-tcp_shift_skb_data.patch
########################################################
# end of sorted patches