commit: b8d213a1983935e8741527f7a87ff63f1a44e648 |
Author: Mike Pagano <mpagano <AT> gentoo <DOT> org> |
AuthorDate: Fri Apr 14 19:17:28 2017 +0000 |
Commit: Mike Pagano <mpagano <AT> gentoo <DOT> org> |
CommitDate: Fri Apr 14 19:17:28 2017 +0000 |
URL: https://gitweb.gentoo.org/proj/linux-patches.git/commit/?id=b8d213a1 |
|
Fix for CVE-2016-10229. Unsafe second checksum calculation in udp.c. See bug #615480. |
|
0000_README | 4 + |
...udp-prop-suprt-MSG-PEEK-wth-trunc-buffers.patch | 94 ++++++++++++++++++++++ |
2 files changed, 98 insertions(+) |
|
14 |
diff --git a/0000_README b/0000_README |
15 |
index 80a401b..c91ff69 100644 |
16 |
--- a/0000_README |
17 |
+++ b/0000_README |
18 |
@@ -211,6 +211,10 @@ Patch: 1520_CVE-2017-6074-dccp-skb-freeing-fix.patch |
19 |
From: https://bugs.gentoo.org/show_bug.cgi?id=610600 |
20 |
Desc: dccp: fix freeing skb too early for IPV6_RECVPKTINFO. CVE-2017-6074 |
21 |
|
22 |
+Patch: 1530_udp-prop-suprt-MSG-PEEK-wth-trunc-buffers.patch |
23 |
+From: https://bugs.gentoo.org/show_bug.cgi?id=615480 |
24 |
+Desc: Fixes CVE-2016-10229. Unsafe second checksum calculation in udp.c |
25 |
+ |
26 |
Patch: 1800_fix-lru-cache-add-oom-regression.patch |
27 |
From: http://thread.gmane.org/gmane.linux.kernel.stable/184384 |
28 |
Desc: Revert commit 8f182270dfec mm/swap.c: flush lru pvecs on compound page arrival to fix OOM error. |
29 |
|
30 |
diff --git a/1530_udp-prop-suprt-MSG-PEEK-wth-trunc-buffers.patch b/1530_udp-prop-suprt-MSG-PEEK-wth-trunc-buffers.patch |
31 |
new file mode 100644 |
32 |
index 0000000..1d12eaa |
33 |
--- /dev/null |
34 |
+++ b/1530_udp-prop-suprt-MSG-PEEK-wth-trunc-buffers.patch |
35 |
@@ -0,0 +1,94 @@ |
36 |
+From 197c949e7798fbf28cfadc69d9ca0c2abbf93191 Mon Sep 17 00:00:00 2001 |
37 |
+From: Eric Dumazet <edumazet@××××××.com> |
38 |
+Date: Wed, 30 Dec 2015 08:51:12 -0500 |
39 |
+Subject: udp: properly support MSG_PEEK with truncated buffers |
40 |
+ |
41 |
+Backport of this upstream commit into stable kernels : |
42 |
+89c22d8c3b27 ("net: Fix skb csum races when peeking") |
43 |
+exposed a bug in udp stack vs MSG_PEEK support, when user provides |
44 |
+a buffer smaller than skb payload. |
45 |
+ |
46 |
+In this case, |
47 |
+skb_copy_and_csum_datagram_iovec(skb, sizeof(struct udphdr), |
48 |
+ msg->msg_iov); |
49 |
+returns -EFAULT. |
50 |
+ |
51 |
+This bug does not happen in upstream kernels since Al Viro did a great |
52 |
+job to replace this into : |
53 |
+skb_copy_and_csum_datagram_msg(skb, sizeof(struct udphdr), msg); |
54 |
+This variant is safe vs short buffers. |
55 |
+ |
56 |
+For the time being, instead reverting Herbert Xu patch and add back |
57 |
+skb->ip_summed invalid changes, simply store the result of |
58 |
+udp_lib_checksum_complete() so that we avoid computing the checksum a |
59 |
+second time, and avoid the problematic |
60 |
+skb_copy_and_csum_datagram_iovec() call. |
61 |
+ |
62 |
+This patch can be applied on recent kernels as it avoids a double |
63 |
+checksumming, then backported to stable kernels as a bug fix. |
64 |
+ |
65 |
+Signed-off-by: Eric Dumazet <edumazet@××××××.com> |
66 |
+Acked-by: Herbert Xu <herbert@××××××××××××××××.au> |
67 |
+Signed-off-by: David S. Miller <davem@×××××××××.net> |
68 |
+--- |
69 |
+ net/ipv4/udp.c | 6 ++++-- |
70 |
+ net/ipv6/udp.c | 6 ++++-- |
71 |
+ 2 files changed, 8 insertions(+), 4 deletions(-) |
72 |
+ |
73 |
+diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c |
74 |
+index 8841e98..ac14ae4 100644 |
75 |
+--- a/net/ipv4/udp.c |
76 |
++++ b/net/ipv4/udp.c |
77 |
+@@ -1271,6 +1271,7 @@ int udp_recvmsg(struct sock *sk, struct msghdr *msg, size_t len, int noblock, |
78 |
+ int peeked, off = 0; |
79 |
+ int err; |
80 |
+ int is_udplite = IS_UDPLITE(sk); |
81 |
++ bool checksum_valid = false; |
82 |
+ bool slow; |
83 |
+ |
84 |
+ if (flags & MSG_ERRQUEUE) |
85 |
+@@ -1296,11 +1297,12 @@ try_again: |
86 |
+ */ |
87 |
+ |
88 |
+ if (copied < ulen || UDP_SKB_CB(skb)->partial_cov) { |
89 |
+- if (udp_lib_checksum_complete(skb)) |
90 |
++ checksum_valid = !udp_lib_checksum_complete(skb); |
91 |
++ if (!checksum_valid) |
92 |
+ goto csum_copy_err; |
93 |
+ } |
94 |
+ |
95 |
+- if (skb_csum_unnecessary(skb)) |
96 |
++ if (checksum_valid || skb_csum_unnecessary(skb)) |
97 |
+ err = skb_copy_datagram_msg(skb, sizeof(struct udphdr), |
98 |
+ msg, copied); |
99 |
+ else { |
100 |
+diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c |
101 |
+index 9da3287..00775ee 100644 |
102 |
+--- a/net/ipv6/udp.c |
103 |
++++ b/net/ipv6/udp.c |
104 |
+@@ -402,6 +402,7 @@ int udpv6_recvmsg(struct sock *sk, struct msghdr *msg, size_t len, |
105 |
+ int peeked, off = 0; |
106 |
+ int err; |
107 |
+ int is_udplite = IS_UDPLITE(sk); |
108 |
++ bool checksum_valid = false; |
109 |
+ int is_udp4; |
110 |
+ bool slow; |
111 |
+ |
112 |
+@@ -433,11 +434,12 @@ try_again: |
113 |
+ */ |
114 |
+ |
115 |
+ if (copied < ulen || UDP_SKB_CB(skb)->partial_cov) { |
116 |
+- if (udp_lib_checksum_complete(skb)) |
117 |
++ checksum_valid = !udp_lib_checksum_complete(skb); |
118 |
++ if (!checksum_valid) |
119 |
+ goto csum_copy_err; |
120 |
+ } |
121 |
+ |
122 |
+- if (skb_csum_unnecessary(skb)) |
123 |
++ if (checksum_valid || skb_csum_unnecessary(skb)) |
124 |
+ err = skb_copy_datagram_msg(skb, sizeof(struct udphdr), |
125 |
+ msg, copied); |
126 |
+ else { |
127 |
+-- |
128 |
+cgit v1.1 |
129 |
+ |
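Review bot: `checksum_valid` is initialised only at its declaration, above the `try_again:` label, and is assigned only inside the `copied < ulen || UDP_SKB_CB(skb)->partial_cov` branch, so nothing in these hunks resets it when the receive path loops back for the next datagram. In the lines shown, the only jump to `csum_copy_err` sits under `if (!checksum_valid)`, so the flag is false on that path. The rest of udp_recvmsg() and udpv6_recvmsg() lies outside the hunks, so whether every retry path keeps it false cannot be confirmed from here. Because the flag now decides whether the copy skips checksumming entirely, I would document the invariant at both declarations, e.g. `bool checksum_valid = false; /* true only after udp_lib_checksum_complete() verified this skb; must be false on every path back to try_again */`. A regression test that receives with MSG_PEEK into a buffer shorter than the datagram, for both IPv4 and IPv6, would pin the case the commit message describes.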