Home Home > GIT Browse > SLE15-AZURE
summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorPetr Tesarik <ptesarik@suse.cz>2019-06-11 11:03:40 +0200
committerPetr Tesarik <ptesarik@suse.cz>2019-06-11 11:03:40 +0200
commitc5d8d78909606a3e1137163ddc75d3dc9a2e7d7f (patch)
tree005f70692179d7ea1696e00d6b92232a6edc5359
parent81b66564297eb4f677ea29e45282bb031d075def (diff)
parent4a006b25335fa286c6ee433d8c176aa5cd67b3fe (diff)
Merge branch 'users/mkubecek/SLE15/1137586' into SLE15_EMBARGO
Pull networking fixes from Michal Kubecek
-rw-r--r--patches.fixes/tcp-add-tcp_min_snd_mss-sysctl.patch2
-rw-r--r--patches.fixes/tcp-enforce-tcp_min_snd_mss-in-tcp_mtu_probing.patch2
-rw-r--r--patches.fixes/tcp-fix-fack_count-accounting-on-tcp_shift_skb_data.patch50
-rw-r--r--patches.fixes/tcp-limit-payload-size-of-sacked-skbs.patch2
-rw-r--r--patches.fixes/tcp-tcp_fragment-should-apply-sane-memory-limits.patch2
-rw-r--r--patches.kabi/kabi-drop-LINUX_MIB_TCPWQUEUETOOBIG-snmp-counter.patch2
-rw-r--r--patches.kabi/kabi-move-sysctl_tcp_min_snd_mss-to-preserve-struct-.patch2
-rw-r--r--series.conf1
8 files changed, 57 insertions, 6 deletions
diff --git a/patches.fixes/tcp-add-tcp_min_snd_mss-sysctl.patch b/patches.fixes/tcp-add-tcp_min_snd_mss-sysctl.patch
index 78c9365256..1993376b4e 100644
--- a/patches.fixes/tcp-add-tcp_min_snd_mss-sysctl.patch
+++ b/patches.fixes/tcp-add-tcp_min_snd_mss-sysctl.patch
@@ -2,7 +2,7 @@ From: Eric Dumazet <edumazet@google.com>
Date: Thu, 6 Jun 2019 09:38:47 -0700
Subject: tcp: add tcp_min_snd_mss sysctl
Patch-mainline: Not yet, embargo
-References: bsc#1137586
+References: bsc#1137586 CVE-2019-11479
Some TCP peers announce a very small MSS option in their SYN and/or
SYN/ACK messages.
diff --git a/patches.fixes/tcp-enforce-tcp_min_snd_mss-in-tcp_mtu_probing.patch b/patches.fixes/tcp-enforce-tcp_min_snd_mss-in-tcp_mtu_probing.patch
index bdc910d130..1a82b48a16 100644
--- a/patches.fixes/tcp-enforce-tcp_min_snd_mss-in-tcp_mtu_probing.patch
+++ b/patches.fixes/tcp-enforce-tcp_min_snd_mss-in-tcp_mtu_probing.patch
@@ -2,7 +2,7 @@ From: Eric Dumazet <edumazet@google.com>
Date: Sat, 8 Jun 2019 10:38:08 -0700
Subject: tcp: enforce tcp_min_snd_mss in tcp_mtu_probing()
Patch-mainline: Not yet, embargo
-References: bsc#1137586
+References: bsc#1137586 CVE-2019-11479
If mtu probing is enabled tcp_mtu_probing() could very well end up
with a too small MSS.
diff --git a/patches.fixes/tcp-fix-fack_count-accounting-on-tcp_shift_skb_data.patch b/patches.fixes/tcp-fix-fack_count-accounting-on-tcp_shift_skb_data.patch
new file mode 100644
index 0000000000..2ac827286f
--- /dev/null
+++ b/patches.fixes/tcp-fix-fack_count-accounting-on-tcp_shift_skb_data.patch
@@ -0,0 +1,50 @@
+From: Joao Martins <joao.m.martins@oracle.com>
+Date: Mon, 10 Jun 2019 10:13:23 -0400
+Subject: tcp: fix fack_count accounting on tcp_shift_skb_data()
+Patch-mainline: Not yet, embargo
+References: CVE-2019-11477 bsc#1137586
+
+v4.15 or since commit 737ff314563 ("tcp: use sequence distance to
+detect reordering") had switched from the packet-based FACK tracking and
+switched to sequence-based.
+
+v4.14 and older still have the old logic and hence on
+tcp_skb_shift_data() needs to retain its original logic and have
+@fack_count in sync. In other words, we keep the increment of pcount with
+tcp_skb_pcount(skb) to later used that to update fack_count. To make it
+more explicit we track the new skb that gets incremented to pcount in
+@next_pcount, and we get to avoid the constant invocation of
+tcp_skb_pcount(skb) all together.
+
+Reported-by: Alexey Kodanev <alexey.kodanev@oracle.com>
+Signed-off-by: Joao Martins <joao.m.martins@oracle.com>
+Acked-by: Michal Kubecek <mkubecek@suse.cz>
+---
+ net/ipv4/tcp_input.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/net/ipv4/tcp_input.c
++++ b/net/ipv4/tcp_input.c
+@@ -1419,6 +1419,7 @@ static struct sk_buff *tcp_shift_skb_data(struct sock *sk, struct sk_buff *skb,
+ struct tcp_sock *tp = tcp_sk(sk);
+ struct sk_buff *prev;
+ int mss;
++ int next_pcount;
+ int pcount = 0;
+ int len;
+ int in_sack;
+@@ -1535,9 +1536,11 @@ static struct sk_buff *tcp_shift_skb_data(struct sock *sk, struct sk_buff *skb,
+ goto out;
+
+ len = skb->len;
+- pcount = tcp_skb_pcount(skb);
+- if (tcp_skb_shift(prev, skb, pcount, len))
+- tcp_shifted_skb(sk, skb, state, pcount, len, mss, 0);
++ next_pcount = tcp_skb_pcount(skb);
++ if (tcp_skb_shift(prev, skb, next_pcount, len)) {
++ pcount += next_pcount;
++ tcp_shifted_skb(sk, skb, state, next_pcount, len, mss, 0);
++ }
+
+ out:
+ state->fack_count += pcount;
diff --git a/patches.fixes/tcp-limit-payload-size-of-sacked-skbs.patch b/patches.fixes/tcp-limit-payload-size-of-sacked-skbs.patch
index 68efc39dc9..51e93d80af 100644
--- a/patches.fixes/tcp-limit-payload-size-of-sacked-skbs.patch
+++ b/patches.fixes/tcp-limit-payload-size-of-sacked-skbs.patch
@@ -2,7 +2,7 @@ From: Eric Dumazet <edumazet@google.com>
Date: Thu, 6 Jun 2019 09:38:45 -0700
Subject: tcp: limit payload size of sacked skbs
Patch-mainline: Not yet, embargo
-References: bsc#1137586
+References: bsc#1137586 CVE-2019-11477
Jonathan Looney reported that TCP can trigger the following crash
in tcp_shifted_skb() :
diff --git a/patches.fixes/tcp-tcp_fragment-should-apply-sane-memory-limits.patch b/patches.fixes/tcp-tcp_fragment-should-apply-sane-memory-limits.patch
index 96135c868b..46fa950840 100644
--- a/patches.fixes/tcp-tcp_fragment-should-apply-sane-memory-limits.patch
+++ b/patches.fixes/tcp-tcp_fragment-should-apply-sane-memory-limits.patch
@@ -2,7 +2,7 @@ From: Eric Dumazet <edumazet@google.com>
Date: Thu, 6 Jun 2019 09:38:46 -0700
Subject: tcp: tcp_fragment() should apply sane memory limits
Patch-mainline: Not yet, embargo
-References: bsc#1137586
+References: bsc#1137586 CVE-2019-11478
Jonathan Looney reported that a malicious peer can force a sender
to fragment its retransmit queue into tiny skbs, inflating memory
diff --git a/patches.kabi/kabi-drop-LINUX_MIB_TCPWQUEUETOOBIG-snmp-counter.patch b/patches.kabi/kabi-drop-LINUX_MIB_TCPWQUEUETOOBIG-snmp-counter.patch
index 62280ccf9a..781b664f79 100644
--- a/patches.kabi/kabi-drop-LINUX_MIB_TCPWQUEUETOOBIG-snmp-counter.patch
+++ b/patches.kabi/kabi-drop-LINUX_MIB_TCPWQUEUETOOBIG-snmp-counter.patch
@@ -2,7 +2,7 @@ From: Michal Kubecek <mkubecek@suse.cz>
Date: Fri, 7 Jun 2019 18:05:46 +0200
Subject: kabi: drop LINUX_MIB_TCPWQUEUETOOBIG snmp counter
Patch-mainline: Never, kabi workaround
-References: bsc#1137586
+References: bsc#1137586 CVE-2019-11478
patches.fixes/tcp-tcp_fragment-should-apply-sane-memory-limits.patch adds
LINUX_MIB_TCPWQUEUETOOBIG snmp attribute which breaks kABI. As it is only
diff --git a/patches.kabi/kabi-move-sysctl_tcp_min_snd_mss-to-preserve-struct-.patch b/patches.kabi/kabi-move-sysctl_tcp_min_snd_mss-to-preserve-struct-.patch
index 447010d282..3d7ec92ab3 100644
--- a/patches.kabi/kabi-move-sysctl_tcp_min_snd_mss-to-preserve-struct-.patch
+++ b/patches.kabi/kabi-move-sysctl_tcp_min_snd_mss-to-preserve-struct-.patch
@@ -2,7 +2,7 @@ From: Michal Kubecek <mkubecek@suse.cz>
Date: Sat, 8 Jun 2019 12:30:13 +0200
Subject: kabi: move sysctl_tcp_min_snd_mss to preserve struct net layout
Patch-mainline: Never, kabi workaround
-References: bsc#1137586
+References: bsc#1137586 CVE-2019-11479
Patch patches.fixes/tcp-add-tcp_min_snd_mss-sysctl.patch adds new member
sysctl_tcp_min_snd_mss into struct netns_ipv4 which is embedded into struct
diff --git a/series.conf b/series.conf
index d4aefa1e13..2bb4cc747e 100644
--- a/series.conf
+++ b/series.conf
@@ -22332,6 +22332,7 @@
patches.fixes/tcp-add-tcp_min_snd_mss-sysctl.patch
patches.fixes/tcp-enforce-tcp_min_snd_mss-in-tcp_mtu_probing.patch
patches.kabi/kabi-move-sysctl_tcp_min_snd_mss-to-preserve-struct-.patch
+ patches.fixes/tcp-fix-fack_count-accounting-on-tcp_shift_skb_data.patch
########################################################
# end of sorted patches