[meta-freescale] [meta-fsl-ppc][PATCH 4/5] sctp: CVE-2014-4667

Sona Sarmadi sona.sarmadi at enea.com
Tue Jan 27 05:04:10 PST 2015


sk_ack_backlog wrap-around problem

Reference:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4667

Signed-off-by: Sona Sarmadi <sona.sarmadi at enea.com>
---
 .../linux/files/sctp-CVE-2014-4667.patch           | 51 ++++++++++++++++++++++
 recipes-kernel/linux/linux-qoriq_3.12.bb           |  1 +
 2 files changed, 52 insertions(+)
 create mode 100644 recipes-kernel/linux/files/sctp-CVE-2014-4667.patch

diff --git a/recipes-kernel/linux/files/sctp-CVE-2014-4667.patch b/recipes-kernel/linux/files/sctp-CVE-2014-4667.patch
new file mode 100644
index 0000000..e7b1228
--- /dev/null
+++ b/recipes-kernel/linux/files/sctp-CVE-2014-4667.patch
@@ -0,0 +1,51 @@
+From ddb638e68690ca61959775b262a5ef0719c5c066 Mon Sep 17 00:00:00 2001
+From: Xufeng Zhang <xufeng.zhang at windriver.com>
+Date: Thu, 12 Jun 2014 10:53:36 +0800
+Subject: [PATCH] sctp: Fix sk_ack_backlog wrap-around problem
+
+[ Upstream commit d3217b15a19a4779c39b212358a5c71d725822ee ]
+
+Consider the scenario:
+For a TCP-style socket, while processing the COOKIE_ECHO chunk in
+sctp_sf_do_5_1D_ce(), after it has passed a series of sanity check,
+a new association would be created in sctp_unpack_cookie(), but afterwards,
+some processing maybe failed, and sctp_association_free() will be called to
+free the previously allocated association, in sctp_association_free(),
+sk_ack_backlog value is decremented for this socket, since the initial
+value for sk_ack_backlog is 0, after the decrement, it will be 65535,
+a wrap-around problem happens, and if we want to establish new associations
+afterward in the same socket, ABORT would be triggered since sctp deem the
+accept queue as full.
+Fix this issue by only decrementing sk_ack_backlog for associations in
+the endpoint's list.
+
+Fixes CVE-2014-4667
+Upstream-Status: Backport
+
+Fix-suggested-by: Neil Horman <nhorman at tuxdriver.com>
+Signed-off-by: Xufeng Zhang <xufeng.zhang at windriver.com>
+Acked-by: Daniel Borkmann <dborkman at redhat.com>
+Acked-by: Vlad Yasevich <vyasevich at gmail.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby at suse.cz>
+Signed-off-by: Sona Sarmadi <sona.sarmadi at enea.com>
+---
+ net/sctp/associola.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/sctp/associola.c b/net/sctp/associola.c
+index cef5099..f6d6dcd 100644
+--- a/net/sctp/associola.c
++++ b/net/sctp/associola.c
+@@ -375,7 +375,7 @@ void sctp_association_free(struct sctp_association *asoc)
+ 	/* Only real associations count against the endpoint, so
+ 	 * don't bother for if this is a temporary association.
+ 	 */
+-	if (!asoc->temp) {
++	if (!list_empty(&asoc->asocs)) {
+ 		list_del(&asoc->asocs);
+ 
+ 		/* Decrement the backlog value for a TCP-style listening
+-- 
+1.9.1
+
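Review bot: the replacement condition `if (!list_empty(&asoc->asocs))` only behaves correctly if `asoc->asocs` is always an initialised (empty) list head for an association that was never linked into the endpoint's list, since `list_empty()` on an uninitialised list head is undefined; the hunk does not show the initialisation path, so please confirm that `sctp_association_init()` in the 3.12 tree does `INIT_LIST_HEAD(&asoc->asocs)` before any early failure can reach `sctp_association_free()`. The old guard `if (!asoc->temp)` is dropped entirely, so also confirm that temporary associations are never added to the endpoint's list; otherwise they would now be unlinked and would decrement `sk_ack_backlog`, which is the opposite of what the original check prevented.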
diff --git a/recipes-kernel/linux/linux-qoriq_3.12.bb b/recipes-kernel/linux/linux-qoriq_3.12.bb
index 90ccedd..2cd8ce9 100644
--- a/recipes-kernel/linux/linux-qoriq_3.12.bb
+++ b/recipes-kernel/linux/linux-qoriq_3.12.bb
@@ -25,6 +25,7 @@ SRC_URI = "git://git.freescale.com/ppc/sdk/linux.git;nobranch=1 \
     file://auditsc-CVE-2014-3917.patch \
     file://0001-ALSA-CVE-2014-4652.patch \
     file://0002-ALSA-CVE-2014-4653.patch \
+    file://sctp-CVE-2014-4667.patch \
 "
 SRCREV = "6619b8b55796cdf0cec04b66a71288edd3057229"
 
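Review bot: the backported patch's index line (`index cef5099..f6d6dcd`) and the `[ Upstream commit ... ]` tag come from the 3.12 stable tree, while this recipe builds from `git://git.freescale.com/ppc/sdk/linux.git` at the unchanged `SRCREV = "6619b8b5..."`; it would help to state in the commit message that the patch was verified to apply cleanly to that SDK revision, since the surrounding context lines in `associola.c` may differ from stable. The entry itself follows the existing `file://...-CVE-....patch` naming used by the neighbouring lines.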
-- 
1.9.1