| 1 |
commit: b8d213a1983935e8741527f7a87ff63f1a44e648 |
| 2 |
Author: Mike Pagano <mpagano <AT> gentoo <DOT> org> |
| 3 |
AuthorDate: Fri Apr 14 19:17:28 2017 +0000 |
| 4 |
Commit: Mike Pagano <mpagano <AT> gentoo <DOT> org> |
| 5 |
CommitDate: Fri Apr 14 19:17:28 2017 +0000 |
| 6 |
URL: https://gitweb.gentoo.org/proj/linux-patches.git/commit/?id=b8d213a1 |
| 7 |
|
| 8 |
Fix for CVE-2016-10229. Unsafe second checksum calculation in udp.c. See bug #615480. |
| 9 |
|
| 10 |
0000_README | 4 + |
| 11 |
...udp-prop-suprt-MSG-PEEK-wth-trunc-buffers.patch | 94 ++++++++++++++++++++++ |
| 12 |
2 files changed, 98 insertions(+) |
| 13 |
|
| 14 |
diff --git a/0000_README b/0000_README |
| 15 |
index 80a401b..c91ff69 100644 |
| 16 |
--- a/0000_README |
| 17 |
+++ b/0000_README |
| 18 |
@@ -211,6 +211,10 @@ Patch: 1520_CVE-2017-6074-dccp-skb-freeing-fix.patch |
| 19 |
From: https://bugs.gentoo.org/show_bug.cgi?id=610600 |
| 20 |
Desc: dccp: fix freeing skb too early for IPV6_RECVPKTINFO. CVE-2017-6074 |
| 21 |
|
| 22 |
+Patch: 1530_udp-prop-suprt-MSG-PEEK-wth-trunc-buffers.patch |
| 23 |
+From: https://bugs.gentoo.org/show_bug.cgi?id=615480 |
| 24 |
+Desc: Fixes CVE-2016-10229. Unsafe second checksum calculation in udp.c |
| 25 |
+ |
| 26 |
Patch: 1800_fix-lru-cache-add-oom-regression.patch |
| 27 |
From: http://thread.gmane.org/gmane.linux.kernel.stable/184384 |
| 28 |
Desc: Revert commit 8f182270dfec mm/swap.c: flush lru pvecs on compound page arrival to fix OOM error. |
| 29 |
|
| 30 |
diff --git a/1530_udp-prop-suprt-MSG-PEEK-wth-trunc-buffers.patch b/1530_udp-prop-suprt-MSG-PEEK-wth-trunc-buffers.patch |
| 31 |
new file mode 100644 |
| 32 |
index 0000000..1d12eaa |
| 33 |
--- /dev/null |
| 34 |
+++ b/1530_udp-prop-suprt-MSG-PEEK-wth-trunc-buffers.patch |
| 35 |
@@ -0,0 +1,94 @@ |
| 36 |
+From 197c949e7798fbf28cfadc69d9ca0c2abbf93191 Mon Sep 17 00:00:00 2001 |
| 37 |
+From: Eric Dumazet <edumazet@××××××.com> |
| 38 |
+Date: Wed, 30 Dec 2015 08:51:12 -0500 |
| 39 |
+Subject: udp: properly support MSG_PEEK with truncated buffers |
| 40 |
+ |
| 41 |
+Backport of this upstream commit into stable kernels : |
| 42 |
+89c22d8c3b27 ("net: Fix skb csum races when peeking") |
| 43 |
+exposed a bug in udp stack vs MSG_PEEK support, when user provides |
| 44 |
+a buffer smaller than skb payload. |
| 45 |
+ |
| 46 |
+In this case, |
| 47 |
+skb_copy_and_csum_datagram_iovec(skb, sizeof(struct udphdr), |
| 48 |
+ msg->msg_iov); |
| 49 |
+returns -EFAULT. |
| 50 |
+ |
| 51 |
+This bug does not happen in upstream kernels since Al Viro did a great |
| 52 |
+job to replace this into : |
| 53 |
+skb_copy_and_csum_datagram_msg(skb, sizeof(struct udphdr), msg); |
| 54 |
+This variant is safe vs short buffers. |
| 55 |
+ |
| 56 |
+For the time being, instead reverting Herbert Xu patch and add back |
| 57 |
+skb->ip_summed invalid changes, simply store the result of |
| 58 |
+udp_lib_checksum_complete() so that we avoid computing the checksum a |
| 59 |
+second time, and avoid the problematic |
| 60 |
+skb_copy_and_csum_datagram_iovec() call. |
| 61 |
+ |
| 62 |
+This patch can be applied on recent kernels as it avoids a double |
| 63 |
+checksumming, then backported to stable kernels as a bug fix. |
| 64 |
+ |
| 65 |
+Signed-off-by: Eric Dumazet <edumazet@××××××.com> |
| 66 |
+Acked-by: Herbert Xu <herbert@××××××××××××××××.au> |
| 67 |
+Signed-off-by: David S. Miller <davem@×××××××××.net> |
| 68 |
+--- |
| 69 |
+ net/ipv4/udp.c | 6 ++++-- |
| 70 |
+ net/ipv6/udp.c | 6 ++++-- |
| 71 |
+ 2 files changed, 8 insertions(+), 4 deletions(-) |
| 72 |
+ |
| 73 |
+diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c |
| 74 |
+index 8841e98..ac14ae4 100644 |
| 75 |
+--- a/net/ipv4/udp.c |
| 76 |
++++ b/net/ipv4/udp.c |
| 77 |
+@@ -1271,6 +1271,7 @@ int udp_recvmsg(struct sock *sk, struct msghdr *msg, size_t len, int noblock, |
| 78 |
+ int peeked, off = 0; |
| 79 |
+ int err; |
| 80 |
+ int is_udplite = IS_UDPLITE(sk); |
| 81 |
++ bool checksum_valid = false; |
| 82 |
+ bool slow; |
| 83 |
+ |
| 84 |
+ if (flags & MSG_ERRQUEUE) |
| 85 |
+@@ -1296,11 +1297,12 @@ try_again: |
| 86 |
+ */ |
| 87 |
+ |
| 88 |
+ if (copied < ulen || UDP_SKB_CB(skb)->partial_cov) { |
| 89 |
+- if (udp_lib_checksum_complete(skb)) |
| 90 |
++ checksum_valid = !udp_lib_checksum_complete(skb); |
| 91 |
++ if (!checksum_valid) |
| 92 |
+ goto csum_copy_err; |
| 93 |
+ } |
| 94 |
+ |
| 95 |
+- if (skb_csum_unnecessary(skb)) |
| 96 |
++ if (checksum_valid || skb_csum_unnecessary(skb)) |
| 97 |
+ err = skb_copy_datagram_msg(skb, sizeof(struct udphdr), |
| 98 |
+ msg, copied); |
| 99 |
+ else { |
| 100 |
+diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c |
| 101 |
+index 9da3287..00775ee 100644 |
| 102 |
+--- a/net/ipv6/udp.c |
| 103 |
++++ b/net/ipv6/udp.c |
| 104 |
+@@ -402,6 +402,7 @@ int udpv6_recvmsg(struct sock *sk, struct msghdr *msg, size_t len, |
| 105 |
+ int peeked, off = 0; |
| 106 |
+ int err; |
| 107 |
+ int is_udplite = IS_UDPLITE(sk); |
| 108 |
++ bool checksum_valid = false; |
| 109 |
+ int is_udp4; |
| 110 |
+ bool slow; |
| 111 |
+ |
| 112 |
+@@ -433,11 +434,12 @@ try_again: |
| 113 |
+ */ |
| 114 |
+ |
| 115 |
+ if (copied < ulen || UDP_SKB_CB(skb)->partial_cov) { |
| 116 |
+- if (udp_lib_checksum_complete(skb)) |
| 117 |
++ checksum_valid = !udp_lib_checksum_complete(skb); |
| 118 |
++ if (!checksum_valid) |
| 119 |
+ goto csum_copy_err; |
| 120 |
+ } |
| 121 |
+ |
| 122 |
+- if (skb_csum_unnecessary(skb)) |
| 123 |
++ if (checksum_valid || skb_csum_unnecessary(skb)) |
| 124 |
+ err = skb_copy_datagram_msg(skb, sizeof(struct udphdr), |
| 125 |
+ msg, copied); |
| 126 |
+ else { |
| 127 |
+-- |
| 128 |
+cgit v1.1 |
| 129 |
+ |
Archives