Linux v4.8.8

2016-11-15 11:37:41 -06:00 · 2016-11-15 11:37:41 -06:00 · a0974068fe
parent 84af7754d3
commit a0974068fe
3 changed files with 114 additions and 2 deletions
--- a/0001-tcp-take-care-of-truncations-done-by-sk_filter.patch
+++ b/0001-tcp-take-care-of-truncations-done-by-sk_filter.patch
@ -0,0 +1,105 @@
+From ac6e780070e30e4c35bd395acfe9191e6268bdd3 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Thu, 10 Nov 2016 13:12:35 -0800
+Subject: [PATCH] tcp: take care of truncations done by sk_filter()
+
+With syzkaller help, Marco Grassi found a bug in TCP stack,
+crashing in tcp_collapse()
+
+Root cause is that sk_filter() can truncate the incoming skb,
+but TCP stack was not really expecting this to happen.
+It probably was expecting a simple DROP or ACCEPT behavior.
+
+We first need to make sure no part of TCP header could be removed.
+Then we need to adjust TCP_SKB_CB(skb)->end_seq
+
+Many thanks to syzkaller team and Marco for giving us a reproducer.
+
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: Marco Grassi <marco.gra@gmail.com>
+Reported-by: Vladis Dronov <vdronov@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+ include/net/tcp.h   |  1 +
+ net/ipv4/tcp_ipv4.c | 19 ++++++++++++++++++-
+ net/ipv6/tcp_ipv6.c |  6 ++++--
+ 3 files changed, 23 insertions(+), 3 deletions(-)
+
+diff --git a/include/net/tcp.h b/include/net/tcp.h
+index 304a8e1..123979f 100644
+--- a/include/net/tcp.h
+++ b/include/net/tcp.h
+@@ -1220,6 +1220,7 @@ static inline void tcp_prequeue_init(struct tcp_sock *tp)
+ }
+
+ bool tcp_prequeue(struct sock *sk, struct sk_buff *skb);
+int tcp_filter(struct sock *sk, struct sk_buff *skb);
+
+ #undef STATE_TRACE
+
+diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
+index 61b7be3..2259114 100644
+--- a/net/ipv4/tcp_ipv4.c
+++ b/net/ipv4/tcp_ipv4.c
+@@ -1564,6 +1564,21 @@ bool tcp_add_backlog(struct sock *sk, struct sk_buff *skb)
+ }
+ EXPORT_SYMBOL(tcp_prequeue);
+
+int tcp_filter(struct sock *sk, struct sk_buff *skb)
+{
+	struct tcphdr *th = (struct tcphdr *)skb->data;
+	unsigned int eaten = skb->len;
+	int err;
+
+	err = sk_filter_trim_cap(sk, skb, th->doff * 4);
+	if (!err) {
+		eaten -= skb->len;
+		TCP_SKB_CB(skb)->end_seq -= eaten;
+	}
+	return err;
+}
+EXPORT_SYMBOL(tcp_filter);
+
+ /*
+  *	From tcp_input.c
+  */
+@@ -1676,8 +1691,10 @@ int tcp_v4_rcv(struct sk_buff *skb)
+
+ 	nf_reset(skb);
+
+-	if (sk_filter(sk, skb))
+	if (tcp_filter(sk, skb))
+ 		goto discard_and_relse;
+	th = (const struct tcphdr *)skb->data;
+	iph = ip_hdr(skb);
+
+ 	skb->dev = NULL;
+
+diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
+index 6ca23c2..b9f1fee 100644
+--- a/net/ipv6/tcp_ipv6.c
+++ b/net/ipv6/tcp_ipv6.c
+@@ -1229,7 +1229,7 @@ static int tcp_v6_do_rcv(struct sock *sk, struct sk_buff *skb)
+ 	if (skb->protocol == htons(ETH_P_IP))
+ 		return tcp_v4_do_rcv(sk, skb);
+
+-	if (sk_filter(sk, skb))
+	if (tcp_filter(sk, skb))
+ 		goto discard;
+
+ 	/*
+@@ -1457,8 +1457,10 @@ static int tcp_v6_rcv(struct sk_buff *skb)
+ 	if (tcp_v6_inbound_md5_hash(sk, skb))
+ 		goto discard_and_relse;
+
+-	if (sk_filter(sk, skb))
+	if (tcp_filter(sk, skb))
+ 		goto discard_and_relse;
+	th = (const struct tcphdr *)skb->data;
+	hdr = ipv6_hdr(skb);
+
+ 	skb->dev = NULL;
+
+-- 
+2.7.4
+
--- a/kernel.spec
+++ b/kernel.spec
@ -54,7 +54,7 @@ Summary: The Linux kernel
 %if 0%{?released_kernel}

 # Do we have a -stable update to apply?
-%define stable_update 7
+%define stable_update 8
 # Set rpm version accordingly
 %if 0%{?stable_update}
 %define stablerev %{stable_update}
@ -638,6 +638,9 @@ Patch853: 0001-drm-i915-Refresh-that-status-of-MST-capable-connecto.patch
 #rhbz 1390308
 Patch854: nouveau-add-maxwell-to-backlight-init.patch

+#CVE-2016-8645 rhbz 1393904 1393908
+Patch856: 0001-tcp-take-care-of-truncations-done-by-sk_filter.patch
+
 # END OF PATCH DEFINITIONS

 %endif
@ -2160,6 +2163,10 @@ fi
 #
 # 
 %changelog
+* Tue Nov 15 2016 Justin M. Forbes <jforbes@fedoraproject.org> - 4.8.8-100
+- Linux v4.8.8
+- Fix crash in tcp_collapse CVE-2016-8645 (rhbz 1393904 1393908)
+
 * Fri Nov 11 2016 Justin M. Forbes <jforbes@fedoraproject.org>
 - Nouveau: Add Maxwell to backlight initialization (rhbz 1390308)

--- a/2
+++ b/2
@ -1,3 +1,3 @@
 c1af0afbd3df35c1ccdc7a5118cd2d07  linux-4.8.tar.xz
 0dad03f586e835d538d3e0d2cbdb9a28  perf-man-4.8.tar.gz
-ad7cdae5329497d07582b31858516686  patch-4.8.7.xz
+38e85040e09193251766975d6fd30d08  patch-4.8.8.xz