authorJiri Bohac <jbohac@suse.cz>2012-06-12 12:00:43 +0200
committerJiri Bohac <jbohac@suse.cz>2012-06-12 12:00:43 +0200
commit7f0d0d6da750483d125014199d5c29a6586bffa2 (patch)
tree97d898269b3131010fa8692c80bd491b1bb2c643
parentbd67ec2647eb7a08b97c7d4dbe59ed1b838816e5 (diff)
- patches.fixes/net-sock-validate-data_len-before-allocating-skb.patch:
net: sock: validate data_len before allocating skb in sock_alloc_send_pskb() (bnc#765320, CVE-2012-2136). - patches.fixes/tcp-drop-syn-fin-messages.patch: tcp: drop SYN+FIN messages (bnc#765102, CVE-2012-2663).
-rw-r--r--kernel-source.changes9
-rw-r--r--patches.fixes/net-sock-validate-data_len-before-allocating-skb.patch45
-rw-r--r--patches.fixes/tcp-drop-syn-fin-messages.patch29
-rw-r--r--series.conf2
4 files changed, 85 insertions, 0 deletions
diff --git a/kernel-source.changes b/kernel-source.changes
index 5031895f66..46895614a2 100644
--- a/kernel-source.changes
+++ b/kernel-source.changes
@@ -1,4 +1,13 @@
-------------------------------------------------------------------
+Tue Jun 12 12:00:39 CEST 2012 - jbohac@suse.cz
+
+- patches.fixes/net-sock-validate-data_len-before-allocating-skb.patch:
+ net: sock: validate data_len before allocating skb in
+ sock_alloc_send_pskb() (bnc#765320, CVE-2012-2136).
+- patches.fixes/tcp-drop-syn-fin-messages.patch: tcp: drop
+ SYN+FIN messages (bnc#765102, CVE-2012-2663).
+
+-------------------------------------------------------------------
Tue Jun 12 11:04:00 CEST 2012 - mgorman@suse.de
- patches.fixes/mm-hugetlb-fix-resv_map-leak-in-error-path.patch:
diff --git a/patches.fixes/net-sock-validate-data_len-before-allocating-skb.patch b/patches.fixes/net-sock-validate-data_len-before-allocating-skb.patch
new file mode 100644
index 0000000000..e3f9b4eb8e
--- /dev/null
+++ b/patches.fixes/net-sock-validate-data_len-before-allocating-skb.patch
@@ -0,0 +1,45 @@
+From: Jason Wang <jasowang@redhat.com>
+Subject: net: sock: validate data_len before allocating skb in sock_alloc_send_pskb()
+Git-commit: cc9b17ad29ecaa20bfe426a8d4dbfb94b13ff1cc
+Patch-mainline: 3.5
+References: bnc#765320, CVE-2012-2136
+Acked-by: Jiri Bohac <jbohac@suse.cz>
+
+We need to validate the number of pages consumed by data_len, otherwise frags
+array could be overflowed by userspace. So this patch validate data_len and
+return -EMSGSIZE when data_len may occupies more frags than MAX_SKB_FRAGS.
+
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+
+diff --git a/net/core/sock.c b/net/core/sock.c
+index 653f8c0..9e5b71f 100644
+--- a/net/core/sock.c
++++ b/net/core/sock.c
+@@ -1592,6 +1592,11 @@ struct sk_buff *sock_alloc_send_pskb(struct sock *sk, unsigned long header_len,
+ gfp_t gfp_mask;
+ long timeo;
+ int err;
++ int npages = (data_len + (PAGE_SIZE - 1)) >> PAGE_SHIFT;
++
++ err = -EMSGSIZE;
++ if (npages > MAX_SKB_FRAGS)
++ goto failure;
+
+ gfp_mask = sk->sk_allocation;
+ if (gfp_mask & __GFP_WAIT)
+@@ -1610,14 +1615,12 @@ struct sk_buff *sock_alloc_send_pskb(struct sock *sk, unsigned long header_len,
+ if (atomic_read(&sk->sk_wmem_alloc) < sk->sk_sndbuf) {
+ skb = alloc_skb(header_len, gfp_mask);
+ if (skb) {
+- int npages;
+ int i;
+
+ /* No pages, we're done... */
+ if (!data_len)
+ break;
+
+- npages = (data_len + (PAGE_SIZE - 1)) >> PAGE_SHIFT;
+ skb->truesize += data_len;
+ skb_shinfo(skb)->nr_frags = npages;
+ for (i = 0; i < npages; i++) {
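Review bot: The new bound check tests `npages` only after the page count has been narrowed to `int` in `int npages = (data_len + (PAGE_SIZE - 1)) >> PAGE_SHIFT;`, so a very large `data_len` could wrap in the addition or truncate in the assignment and still pass `npages > MAX_SKB_FRAGS`. The declaration of `data_len` is outside the hunk (the header shows only `unsigned long header_len`), so this assumes it is wider than `int`. If it is, bounding the length itself before narrowing, e.g. `if (data_len > ((unsigned long)MAX_SKB_FRAGS << PAGE_SHIFT)) goto failure;`, or declaring `unsigned long npages`, closes the gap. With a truncated count the frags loop stays within `npages`, but `skb->truesize += data_len` would still use the unchecked value. The function body and the `failure` label lie outside the hunk.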
diff --git a/patches.fixes/tcp-drop-syn-fin-messages.patch b/patches.fixes/tcp-drop-syn-fin-messages.patch
new file mode 100644
index 0000000000..9f22ad6e38
--- /dev/null
+++ b/patches.fixes/tcp-drop-syn-fin-messages.patch
@@ -0,0 +1,29 @@
+From: Eric Dumazet <eric.dumazet@gmail.com>
+Subject: tcp: drop SYN+FIN messages
+References: bnc#765102, CVE-2012-2663
+Patch-mainline: 3.3
+Git-commit: fdf5af0daf8019cec2396cdef8fb042d80fe71fa
+Acked-by: Jiri Bohac <jbohac@suse.cz>
+
+Denys Fedoryshchenko reported that SYN+FIN attacks were bringing his
+linux machines to their limits.
+
+Dont call conn_request() if the TCP flags includes SYN flag
+
+Reported-by: Denys Fedoryshchenko <denys@visp.net.lb>
+Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+
+diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
+index 78dd38c..0cbb440 100644
+--- a/net/ipv4/tcp_input.c
++++ b/net/ipv4/tcp_input.c
+@@ -5811,6 +5811,8 @@ int tcp_rcv_state_process(struct sock *sk, struct sk_buff *skb,
+ goto discard;
+
+ if (th->syn) {
++ if (th->fin)
++ goto discard;
+ if (icsk->icsk_af_ops->conn_request(sk, skb) < 0)
+ return 1;
+
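Review bot: The added `if (th->fin) goto discard;` carries no comment, and nothing visible in the hunk counts the drop, so discarded SYN+FIN segments may be invisible to anyone monitoring for the flood the description mentions. I would add a comment above the check such as `/* SYN+FIN is not a valid connection request: drop it before calling conn_request() */` and consider incrementing a drop counter there; the `discard` label is outside the hunk, so it may already account for this. The patch description's "if the TCP flags includes SYN flag" also reads as if FIN was meant, since the code discards only when both flags are set. tcp_rcv_state_process() starts and ends outside the hunk.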
diff --git a/series.conf b/series.conf
index 9a6e89e45d..61f170f8a9 100644
--- a/series.conf
+++ b/series.conf
@@ -2367,6 +2367,8 @@
patches.fixes/batman-adv-bat_socket_read-missing-checks.patch
patches.fixes/batman-adv-Only-write-requested-number-of-byte-to-us.patch
patches.fixes/mac80211-be-more-careful-in-suspend-resume
+ patches.fixes/net-sock-validate-data_len-before-allocating-skb.patch
+ patches.fixes/tcp-drop-syn-fin-messages.patch
########################################################
# ISDN