tcp: CVE-2019-11478

tcp: tcp_fragment() should apply sane memory limits tcp: refine memory limit test in tcp_fragment() References: https://nvd.nist.gov/vuln/detail/CVE-2019-11478 https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.9.y&id=e358f4af19db46ca25cc9a8a78412b09ba98859d https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.9.y&id=caa51edc7e9606418611e68de624efbd0042adf5 Change-Id: Ie16affeda488857ce013ce3be578c05619aee446 Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
author: Andreas Wellving <andreas.wellving@enea.com> 2019-07-10 11:20:38 +0200
committer: Adrian Stratulat <adrian.stratulat@enea.com> 2019-07-12 14:30:09 +0200
commit: f095fec9a8e21c24ebdc61341bed46d469bd1384 (patch)
tree: 2b71c04614e75e8252021fda0e046399e3285125 /patches/cve/CVE-2019-11478-tcp-refine-memory-limit-test-in-tcp_fragment.patch
parent: 726a4b413d426f2209264501fe0f56c88588988f (diff)
download: enea-kernel-cache-f095fec9a8e21c24ebdc61341bed46d469bd1384.tar.gz
1 files changed, 45 insertions, 0 deletions
diff --git a/patches/cve/CVE-2019-11478-tcp-refine-memory-limit-test-in-tcp_fragment.patch b/patches/cve/CVE-2019-11478-tcp-refine-memory-limit-test-in-tcp_fragment.patch
new file mode 100644
index 0000000..57bca2c
--- /dev/null
+++ b/patches/cve/CVE-2019-11478-tcp-refine-memory-limit-test-in-tcp_fragment.patch
@@ -0,0 +1,45 @@
+From caa51edc7e9606418611e68de624efbd0042adf5 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Fri, 21 Jun 2019 06:09:55 -0700
+Subject: [PATCH] tcp: refine memory limit test in tcp_fragment()
+commit b6653b3629e5b88202be3c9abc44713973f5c4b4 upstream.
+tcp_fragment() might be called for skbs in the write queue.
+Memory limits might have been exceeded because tcp_sendmsg() only
+checks limits at full skb (64KB) boundaries.
+Therefore, we need to make sure tcp_fragment() wont punish applications
+that might have setup very low SO_SNDBUF values.
+CVE: CVE-2019-11478
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.9.y&id=caa51edc7e9606418611e68de624efbd0042adf5]
+Fixes: f070ef2ac667 ("tcp: tcp_fragment() should apply sane memory limits")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: Christoph Paasch <cpaasch@apple.com>
+Tested-by: Christoph Paasch <cpaasch@apple.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
+---
+ net/ipv4/tcp_output.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
+index d8c6b833f0ce..0c195b0f4216 100644
+--- a/net/ipv4/tcp_output.c
+++ b/net/ipv4/tcp_output.c
+@@ -1185,7 +1185,7 @@ int tcp_fragment(struct sock *sk, struct sk_buff *skb, u32 len,
+        if (nsize < 0)
+                nsize = 0;
+ 
+-       if (unlikely((sk->sk_wmem_queued >> 1) > sk->sk_sndbuf)) {
+       if (unlikely((sk->sk_wmem_queued >> 1) > sk->sk_sndbuf + 0x20000)) {
+                NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPWQUEUETOOBIG);
+                return -ENOMEM;
+        }
+-- 
+2.20.1
author	Andreas Wellving <andreas.wellving@enea.com>	2019-07-10 11:20:38 +0200
committer	Adrian Stratulat <adrian.stratulat@enea.com>	2019-07-12 14:30:09 +0200
commit	f095fec9a8e21c24ebdc61341bed46d469bd1384 (patch)
tree	2b71c04614e75e8252021fda0e046399e3285125 /patches/cve/CVE-2019-11478-tcp-refine-memory-limit-test-in-tcp_fragment.patch
parent	726a4b413d426f2209264501fe0f56c88588988f (diff)
download	enea-kernel-cache-f095fec9a8e21c24ebdc61341bed46d469bd1384.tar.gz

diff --git a/patches/cve/CVE-2019-11478-tcp-refine-memory-limit-test-in-tcp_fragment.patch b/patches/cve/CVE-2019-11478-tcp-refine-memory-limit-test-in-tcp_fragment.patch new file mode 100644 index 0000000..57bca2c --- /dev/null +++ b/patches/cve/CVE-2019-11478-tcp-refine-memory-limit-test-in-tcp_fragment.patch
@@ -0,0 +1,45 @@
	1	From caa51edc7e9606418611e68de624efbd0042adf5 Mon Sep 17 00:00:00 2001
	2	From: Eric Dumazet <edumazet@google.com>
	3	Date: Fri, 21 Jun 2019 06:09:55 -0700
	4	Subject: [PATCH] tcp: refine memory limit test in tcp_fragment()
	5
	6	commit b6653b3629e5b88202be3c9abc44713973f5c4b4 upstream.
	7
	8	tcp_fragment() might be called for skbs in the write queue.
	9
	10	Memory limits might have been exceeded because tcp_sendmsg() only
	11	checks limits at full skb (64KB) boundaries.
	12
	13	Therefore, we need to make sure tcp_fragment() wont punish applications
	14	that might have setup very low SO_SNDBUF values.
	15
	16	CVE: CVE-2019-11478
	17	Upstream-Status: Backport [https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.9.y&id=caa51edc7e9606418611e68de624efbd0042adf5]
	18
	19	Fixes: f070ef2ac667 ("tcp: tcp_fragment() should apply sane memory limits")
	20	Signed-off-by: Eric Dumazet <edumazet@google.com>
	21	Reported-by: Christoph Paasch <cpaasch@apple.com>
	22	Tested-by: Christoph Paasch <cpaasch@apple.com>
	23	Signed-off-by: David S. Miller <davem@davemloft.net>
	24	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	25	Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
	26	---
	27	net/ipv4/tcp_output.c \| 2 +-
	28	1 file changed, 1 insertion(+), 1 deletion(-)
	29
	30	diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
	31	index d8c6b833f0ce..0c195b0f4216 100644
	32	--- a/net/ipv4/tcp_output.c
	33	+++ b/net/ipv4/tcp_output.c
	34	@@ -1185,7 +1185,7 @@ int tcp_fragment(struct sock sk, struct sk_buff skb, u32 len,
	35	if (nsize < 0)
	36	nsize = 0;
	37
	38	- if (unlikely((sk->sk_wmem_queued >> 1) > sk->sk_sndbuf)) {
	39	+ if (unlikely((sk->sk_wmem_queued >> 1) > sk->sk_sndbuf + 0x20000)) {
	40	NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPWQUEUETOOBIG);
	41	return -ENOMEM;
	42	}
	43	--
	44	2.20.1
	45