Home Home > GIT Browse > openSUSE-15.0
summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMichal Kubecek <mkubecek@suse.cz>2018-08-02 16:28:37 +0200
committerMichal Kubecek <mkubecek@suse.cz>2018-08-02 16:29:17 +0200
commitce20133201e35e2e1d3030112b8a257a51b0951f (patch)
tree640b5a54802265590e8e58c3209d2a952cc51413
parent6ee46ea3308017deb1f444dc2e1225c74e42af90 (diff)
tcp: call tcp_drop() from tcp_data_queue_ofo() (CVE-2018-5390
bsc#1102340).
-rw-r--r--patches.fixes/tcp-call-tcp_drop-from-tcp_data_queue_ofo.patch46
-rw-r--r--series.conf1
2 files changed, 47 insertions, 0 deletions
diff --git a/patches.fixes/tcp-call-tcp_drop-from-tcp_data_queue_ofo.patch b/patches.fixes/tcp-call-tcp_drop-from-tcp_data_queue_ofo.patch
new file mode 100644
index 0000000000..f1cec39018
--- /dev/null
+++ b/patches.fixes/tcp-call-tcp_drop-from-tcp_data_queue_ofo.patch
@@ -0,0 +1,46 @@
+From: Eric Dumazet <edumazet@google.com>
+Date: Mon, 23 Jul 2018 09:28:20 -0700
+Subject: tcp: call tcp_drop() from tcp_data_queue_ofo()
+Patch-mainline: v4.18-rc7
+Git-commit: 8541b21e781a22dce52a74fef0b9bed00404a1cd
+References: CVE-2018-5390 bsc#1102340
+
+In order to be able to give better diagnostics and detect
+malicious traffic, we need to have better sk->sk_drops tracking.
+
+Fixes: 9f5afeae5152 ("tcp: use an RB tree for ooo receive queue")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Acked-by: Soheil Hassas Yeganeh <soheil@google.com>
+Acked-by: Yuchung Cheng <ycheng@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Michal Kubecek <mkubecek@suse.cz>
+
+---
+ net/ipv4/tcp_input.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
+index 7c39961279c3..ff05616420b7 100644
+--- a/net/ipv4/tcp_input.c
++++ b/net/ipv4/tcp_input.c
+@@ -4451,7 +4451,7 @@ static void tcp_data_queue_ofo(struct sock *sk, struct sk_buff *skb)
+ /* All the bits are present. Drop. */
+ NET_INC_STATS(sock_net(sk),
+ LINUX_MIB_TCPOFOMERGE);
+- __kfree_skb(skb);
++ tcp_drop(sk, skb);
+ skb = NULL;
+ tcp_dsack_set(sk, seq, end_seq);
+ goto add_sack;
+@@ -4470,7 +4470,7 @@ static void tcp_data_queue_ofo(struct sock *sk, struct sk_buff *skb)
+ TCP_SKB_CB(skb1)->end_seq);
+ NET_INC_STATS(sock_net(sk),
+ LINUX_MIB_TCPOFOMERGE);
+- __kfree_skb(skb1);
++ tcp_drop(sk, skb1);
+ goto merge_right;
+ }
+ } else if (tcp_try_coalesce(sk, skb1, skb, &fragstolen)) {
+--
+2.18.0
+
diff --git a/series.conf b/series.conf
index c95a2c3867..0809f151dd 100644
--- a/series.conf
+++ b/series.conf
@@ -15236,6 +15236,7 @@
patches.fixes/tcp-free-batches-of-packets-in-tcp_prune_ofo_queue.patch
patches.fixes/tcp-avoid-collapses-in-tcp_prune_queue-if-possible.patch
patches.fixes/tcp-detect-malicious-patterns-in-tcp_collapse_ofo_qu.patch
+ patches.fixes/tcp-call-tcp_drop-from-tcp_data_queue_ofo.patch
patches.drivers/net-mlx4_core-Save-the-qpn-from-the-input-modifier-i.patch
patches.drivers/qmi_wwan-fix-interface-number-for-DW5821e-production
patches.drivers/driver-core-Partially-revert-driver-core-correct-dev