[meta-freescale] [meta-fsl-ppc][PATCH][dizzy] kernel-udp: CVE-2015-5364, CVE-2015-5366

Sona Sarmadi sona.sarmadi at enea.com
Fri Sep 25 05:37:00 PDT 2015


This fixes incorrect processing of checksums in the UDP implementation.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5364
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5366
http://www.openwall.com/lists/oss-security/2015/07/10/3

Upstream fix:
https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/commit/?id=a97b54dd69cb05df4c57f5d5b40c761f7835ce4e

Signed-off-by: Sona Sarmadi <sona.sarmadi at enea.com>
---
 .../files/udp-CVE-2015-5364_CVE-2015-5366.patch    | 72 ++++++++++++++++++++++
 recipes-kernel/linux/linux-qoriq_3.12.bb           |  1 +
 2 files changed, 73 insertions(+)
 create mode 100644 recipes-kernel/linux/files/udp-CVE-2015-5364_CVE-2015-5366.patch

diff --git a/recipes-kernel/linux/files/udp-CVE-2015-5364_CVE-2015-5366.patch b/recipes-kernel/linux/files/udp-CVE-2015-5364_CVE-2015-5366.patch
new file mode 100644
index 0000000..43f2dbf
--- /dev/null
+++ b/recipes-kernel/linux/files/udp-CVE-2015-5364_CVE-2015-5366.patch
@@ -0,0 +1,72 @@
+From a97b54dd69cb05df4c57f5d5b40c761f7835ce4e Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet at google.com>
+Date: Sat, 30 May 2015 09:16:53 -0700
+Subject: [PATCH] udp: fix behavior of wrong checksums
+
+[ Upstream commit beb39db59d14990e401e235faf66a6b9b31240b0 ]
+
+We have two problems in UDP stack related to bogus checksums :
+
+1) We return -EAGAIN to application even if receive queue is not empty.
+   This breaks applications using edge trigger epoll()
+
+2) Under UDP flood, we can loop forever without yielding to other
+   processes, potentially hanging the host, especially on non SMP.
+
+This patch is an attempt to make things better.
+
+We might in the future add extra support for rt applications
+wanting to better control time spent doing a recv() in a hostile
+environment. For example we could validate checksums before queuing
+packets in socket receive queue.
+
+Fixes CVE-2015-5364 and CVE-2015-5366.
+Upstream-Status: backport
+
+Signed-off-by: Eric Dumazet <edumazet at google.com>
+Cc: Willem de Bruijn <willemb at google.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby at suse.cz>
+Signed-off-by: Sona Sarmadi <sona.sarmadi at enea.com>
+---
+ net/ipv4/udp.c | 6 ++----
+ net/ipv6/udp.c | 6 ++----
+ 2 files changed, 4 insertions(+), 8 deletions(-)
+
+diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
+index 6ca9907..268ed25 100644
+--- a/net/ipv4/udp.c
++++ b/net/ipv4/udp.c
+@@ -1295,10 +1295,8 @@ csum_copy_err:
+ 	}
+ 	unlock_sock_fast(sk, slow);
+ 
+-	if (noblock)
+-		return -EAGAIN;
+-
+-	/* starting over for a new packet */
++	/* starting over for a new packet, but check if we need to yield */
++	cond_resched();
+ 	msg->msg_flags &= ~MSG_TRUNC;
+ 	goto try_again;
+ }
+diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c
+index 3d2758d..e09ca28 100644
+--- a/net/ipv6/udp.c
++++ b/net/ipv6/udp.c
+@@ -495,10 +495,8 @@ csum_copy_err:
+ 	}
+ 	unlock_sock_fast(sk, slow);
+ 
+-	if (noblock)
+-		return -EAGAIN;
+-
+-	/* starting over for a new packet */
++	/* starting over for a new packet, but check if we need to yield */
++	cond_resched();
+ 	msg->msg_flags &= ~MSG_TRUNC;
+ 	goto try_again;
+ }
+-- 
+1.9.1
+
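Review bot: The `Upstream-Status: backport` tag in the header of the added patch file should read `Upstream-Status: Backport` and name its source, because the header carries two different ids: the `From a97b54dd69cb...` line (the linux-stable commit linked in the cover text) and `[ Upstream commit beb39db59d14... ]`. Something like `Upstream-Status: Backport [linux-stable a97b54dd69cb, mainline beb39db59d14]` removes the ambiguity. On the code itself, both `csum_copy_err` hunks drop the `if (noblock) return -EAGAIN;` early return and send every bad-checksum case back to `try_again`, so the behaviour for a nonblocking socket with an empty queue now depends on code at `try_again` that is not part of these hunks. Please confirm in the commit message that the receive path in the QorIQ 3.12 tree still returns -EAGAIN there, for both net/ipv4/udp.c and net/ipv6/udp.c.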
diff --git a/recipes-kernel/linux/linux-qoriq_3.12.bb b/recipes-kernel/linux/linux-qoriq_3.12.bb
index 0a2883f..33bcd37 100644
--- a/recipes-kernel/linux/linux-qoriq_3.12.bb
+++ b/recipes-kernel/linux/linux-qoriq_3.12.bb
@@ -32,6 +32,7 @@ SRC_URI = "git://git.freescale.com/ppc/sdk/linux.git;nobranch=1 \
     file://futex-CVE-2014-3153.patch \
     file://target-CVE-2014-4027.patch \
     file://fs-isofs-CVE-2014-9420.patch \
+    file://udp-CVE-2015-5364_CVE-2015-5366.patch \
 "
 SRCREV = "6619b8b55796cdf0cec04b66a71288edd3057229"
 
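Review bot: The new `file://udp-CVE-2015-5364_CVE-2015-5366.patch` entry is added to SRC_URI without any statement that it was applied and built against `SRCREV = "6619b8b55796cdf0cec04b66a71288edd3057229"`. The embedded hunks carry the stable tree's offsets (`@@ -1295,10 +1295,8 @@` and `@@ -495,10 +495,8 @@`) and index lines, so a line in the commit message saying the patch applies to this SRCREV without fuzz and that the kernel was built for dizzy would make the backport easier to accept.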
-- 
1.9.1


