Linux v4.8.8
This commit is contained in:
parent
84af7754d3
commit
a0974068fe
|
@ -0,0 +1,105 @@
|
|||
From ac6e780070e30e4c35bd395acfe9191e6268bdd3 Mon Sep 17 00:00:00 2001
|
||||
From: Eric Dumazet <edumazet@google.com>
|
||||
Date: Thu, 10 Nov 2016 13:12:35 -0800
|
||||
Subject: [PATCH] tcp: take care of truncations done by sk_filter()
|
||||
|
||||
With syzkaller help, Marco Grassi found a bug in TCP stack,
|
||||
crashing in tcp_collapse()
|
||||
|
||||
Root cause is that sk_filter() can truncate the incoming skb,
|
||||
but TCP stack was not really expecting this to happen.
|
||||
It probably was expecting a simple DROP or ACCEPT behavior.
|
||||
|
||||
We first need to make sure no part of TCP header could be removed.
|
||||
Then we need to adjust TCP_SKB_CB(skb)->end_seq
|
||||
|
||||
Many thanks to syzkaller team and Marco for giving us a reproducer.
|
||||
|
||||
Signed-off-by: Eric Dumazet <edumazet@google.com>
|
||||
Reported-by: Marco Grassi <marco.gra@gmail.com>
|
||||
Reported-by: Vladis Dronov <vdronov@redhat.com>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
---
|
||||
include/net/tcp.h | 1 +
|
||||
net/ipv4/tcp_ipv4.c | 19 ++++++++++++++++++-
|
||||
net/ipv6/tcp_ipv6.c | 6 ++++--
|
||||
3 files changed, 23 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/include/net/tcp.h b/include/net/tcp.h
|
||||
index 304a8e1..123979f 100644
|
||||
--- a/include/net/tcp.h
|
||||
+++ b/include/net/tcp.h
|
||||
@@ -1220,6 +1220,7 @@ static inline void tcp_prequeue_init(struct tcp_sock *tp)
|
||||
}
|
||||
|
||||
bool tcp_prequeue(struct sock *sk, struct sk_buff *skb);
|
||||
+int tcp_filter(struct sock *sk, struct sk_buff *skb);
|
||||
|
||||
#undef STATE_TRACE
|
||||
|
||||
diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
|
||||
index 61b7be3..2259114 100644
|
||||
--- a/net/ipv4/tcp_ipv4.c
|
||||
+++ b/net/ipv4/tcp_ipv4.c
|
||||
@@ -1564,6 +1564,21 @@ bool tcp_add_backlog(struct sock *sk, struct sk_buff *skb)
|
||||
}
|
||||
EXPORT_SYMBOL(tcp_prequeue);
|
||||
|
||||
+int tcp_filter(struct sock *sk, struct sk_buff *skb)
|
||||
+{
|
||||
+ struct tcphdr *th = (struct tcphdr *)skb->data;
|
||||
+ unsigned int eaten = skb->len;
|
||||
+ int err;
|
||||
+
|
||||
+ err = sk_filter_trim_cap(sk, skb, th->doff * 4);
|
||||
+ if (!err) {
|
||||
+ eaten -= skb->len;
|
||||
+ TCP_SKB_CB(skb)->end_seq -= eaten;
|
||||
+ }
|
||||
+ return err;
|
||||
+}
|
||||
+EXPORT_SYMBOL(tcp_filter);
|
||||
+
|
||||
/*
|
||||
* From tcp_input.c
|
||||
*/
|
||||
@@ -1676,8 +1691,10 @@ int tcp_v4_rcv(struct sk_buff *skb)
|
||||
|
||||
nf_reset(skb);
|
||||
|
||||
- if (sk_filter(sk, skb))
|
||||
+ if (tcp_filter(sk, skb))
|
||||
goto discard_and_relse;
|
||||
+ th = (const struct tcphdr *)skb->data;
|
||||
+ iph = ip_hdr(skb);
|
||||
|
||||
skb->dev = NULL;
|
||||
|
||||
diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
|
||||
index 6ca23c2..b9f1fee 100644
|
||||
--- a/net/ipv6/tcp_ipv6.c
|
||||
+++ b/net/ipv6/tcp_ipv6.c
|
||||
@@ -1229,7 +1229,7 @@ static int tcp_v6_do_rcv(struct sock *sk, struct sk_buff *skb)
|
||||
if (skb->protocol == htons(ETH_P_IP))
|
||||
return tcp_v4_do_rcv(sk, skb);
|
||||
|
||||
- if (sk_filter(sk, skb))
|
||||
+ if (tcp_filter(sk, skb))
|
||||
goto discard;
|
||||
|
||||
/*
|
||||
@@ -1457,8 +1457,10 @@ static int tcp_v6_rcv(struct sk_buff *skb)
|
||||
if (tcp_v6_inbound_md5_hash(sk, skb))
|
||||
goto discard_and_relse;
|
||||
|
||||
- if (sk_filter(sk, skb))
|
||||
+ if (tcp_filter(sk, skb))
|
||||
goto discard_and_relse;
|
||||
+ th = (const struct tcphdr *)skb->data;
|
||||
+ hdr = ipv6_hdr(skb);
|
||||
|
||||
skb->dev = NULL;
|
||||
|
||||
--
|
||||
2.7.4
|
||||
|
|
@ -54,7 +54,7 @@ Summary: The Linux kernel
|
|||
%if 0%{?released_kernel}
|
||||
|
||||
# Do we have a -stable update to apply?
|
||||
%define stable_update 7
|
||||
%define stable_update 8
|
||||
# Set rpm version accordingly
|
||||
%if 0%{?stable_update}
|
||||
%define stablerev %{stable_update}
|
||||
|
@ -638,6 +638,9 @@ Patch853: 0001-drm-i915-Refresh-that-status-of-MST-capable-connecto.patch
|
|||
#rhbz 1390308
|
||||
Patch854: nouveau-add-maxwell-to-backlight-init.patch
|
||||
|
||||
#CVE-2016-8645 rhbz 1393904 1393908
|
||||
Patch856: 0001-tcp-take-care-of-truncations-done-by-sk_filter.patch
|
||||
|
||||
# END OF PATCH DEFINITIONS
|
||||
|
||||
%endif
|
||||
|
@ -2160,6 +2163,10 @@ fi
|
|||
#
|
||||
#
|
||||
%changelog
|
||||
* Tue Nov 15 2016 Justin M. Forbes <jforbes@fedoraproject.org> - 4.8.8-100
|
||||
- Linux v4.8.8
|
||||
- Fix crash in tcp_collapse CVE-2016-8645 (rhbz 1393904 1393908)
|
||||
|
||||
* Fri Nov 11 2016 Justin M. Forbes <jforbes@fedoraproject.org>
|
||||
- Nouveau: Add Maxwell to backlight initialization (rhbz 1390308)
|
||||
|
||||
|
|
Loading…
Reference in New Issue