tcp: CVE-2019-11478

tcp: tcp_fragment() should apply sane memory limits tcp: refine memory limit test in tcp_fragment() References: https://nvd.nist.gov/vuln/detail/CVE-2019-11478 https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.9.y&id=e358f4af19db46ca25cc9a8a78412b09ba98859d https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.9.y&id=caa51edc7e9606418611e68de624efbd0042adf5 Change-Id: I9630c20a11d9a92095d475f2a6d27e627fd7bbff Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
author: Andreas Wellving <andreas.wellving@enea.com> 2019-07-10 15:10:41 +0200
committer: Adrian Stratulat <adrian.stratulat@enea.com> 2019-07-12 11:18:48 +0200
commit: 427e88c46aab55b5291fecf4fbb317c7d60ca8c9 (patch)
tree: 3e75b34e0c710feba5e192ec45009518a5570adf /patches/cve/CVE-2019-11478-tcp-tcp_fragment-should-apply-sane-memory-limits.patch
parent: fa0a35e4363e7c58c0f0fd3566fa72b9a561f16d (diff)
download: enea-kernel-cache-427e88c46aab55b5291fecf4fbb317c7d60ca8c9.tar.gz
1 files changed, 86 insertions, 0 deletions
diff --git a/patches/cve/CVE-2019-11478-tcp-tcp_fragment-should-apply-sane-memory-limits.patch b/patches/cve/CVE-2019-11478-tcp-tcp_fragment-should-apply-sane-memory-limits.patch
new file mode 100644
index 0000000..7d0c4f4
--- /dev/null
+++ b/patches/cve/CVE-2019-11478-tcp-tcp_fragment-should-apply-sane-memory-limits.patch
@@ -0,0 +1,86 @@
+From e358f4af19db46ca25cc9a8a78412b09ba98859d Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Sat, 15 Jun 2019 17:40:56 -0700
+Subject: [PATCH] tcp: tcp_fragment() should apply sane memory limits
+commit f070ef2ac66716357066b683fb0baf55f8191a2e upstream.
+Jonathan Looney reported that a malicious peer can force a sender
+to fragment its retransmit queue into tiny skbs, inflating memory
+usage and/or overflow 32bit counters.
+TCP allows an application to queue up to sk_sndbuf bytes,
+so we need to give some allowance for non malicious splitting
+of retransmit queue.
+A new SNMP counter is added to monitor how many times TCP
+did not allow to split an skb if the allowance was exceeded.
+Note that this counter might increase in the case applications
+use SO_SNDBUF socket option to lower sk_sndbuf.
+CVE-2019-11478 : tcp_fragment, prevent fragmenting a packet when the
+        socket is already using more than half the allowed space
+CVE: CVE-2019-11478
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.9.y&id=e358f4af19db46ca25cc9a8a78412b09ba98859d]
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: Jonathan Looney <jtl@netflix.com>
+Acked-by: Neal Cardwell <ncardwell@google.com>
+Acked-by: Yuchung Cheng <ycheng@google.com>
+Reviewed-by: Tyler Hicks <tyhicks@canonical.com>
+Cc: Bruce Curtis <brucec@netflix.com>
+Cc: Jonathan Lemon <jonathan.lemon@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
+---
+ include/uapi/linux/snmp.h | 1 +
+ net/ipv4/proc.c           | 1 +
+ net/ipv4/tcp_output.c     | 5 +++++
+ 3 files changed, 7 insertions(+)
+diff --git a/include/uapi/linux/snmp.h b/include/uapi/linux/snmp.h
+index 3442a26d36d9..56e3460d1f9f 100644
+--- a/include/uapi/linux/snmp.h
+++ b/include/uapi/linux/snmp.h
+@@ -282,6 +282,7 @@ enum
+        LINUX_MIB_TCPKEEPALIVE,                 /* TCPKeepAlive */
+        LINUX_MIB_TCPMTUPFAIL,                  /* TCPMTUPFail */
+        LINUX_MIB_TCPMTUPSUCCESS,               /* TCPMTUPSuccess */
+       LINUX_MIB_TCPWQUEUETOOBIG,              /* TCPWqueueTooBig */
+        __LINUX_MIB_MAX
+ };
+ 
+diff --git a/net/ipv4/proc.c b/net/ipv4/proc.c
+index ec48d8eafc7e..8b221398534b 100644
+--- a/net/ipv4/proc.c
+++ b/net/ipv4/proc.c
+@@ -306,6 +306,7 @@ static const struct snmp_mib snmp4_net_list[] = {
+        SNMP_MIB_ITEM("TCPKeepAlive", LINUX_MIB_TCPKEEPALIVE),
+        SNMP_MIB_ITEM("TCPMTUPFail", LINUX_MIB_TCPMTUPFAIL),
+        SNMP_MIB_ITEM("TCPMTUPSuccess", LINUX_MIB_TCPMTUPSUCCESS),
+       SNMP_MIB_ITEM("TCPWqueueTooBig", LINUX_MIB_TCPWQUEUETOOBIG),
+        SNMP_MIB_SENTINEL
+ };
+ 
+diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
+index 2f166662682e..123b2d8fde46 100644
+--- a/net/ipv4/tcp_output.c
+++ b/net/ipv4/tcp_output.c
+@@ -1185,6 +1185,11 @@ int tcp_fragment(struct sock *sk, struct sk_buff *skb, u32 len,
+        if (nsize < 0)
+                nsize = 0;
+ 
+       if (unlikely((sk->sk_wmem_queued >> 1) > sk->sk_sndbuf)) {
+               NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPWQUEUETOOBIG);
+               return -ENOMEM;
+       }
+
+        if (skb_unclone(skb, gfp))
+                return -ENOMEM;
+ 
+-- 
+2.20.1
author	Andreas Wellving <andreas.wellving@enea.com>	2019-07-10 15:10:41 +0200
committer	Adrian Stratulat <adrian.stratulat@enea.com>	2019-07-12 11:18:48 +0200
commit	427e88c46aab55b5291fecf4fbb317c7d60ca8c9 (patch)
tree	3e75b34e0c710feba5e192ec45009518a5570adf /patches/cve/CVE-2019-11478-tcp-tcp_fragment-should-apply-sane-memory-limits.patch
parent	fa0a35e4363e7c58c0f0fd3566fa72b9a561f16d (diff)
download	enea-kernel-cache-427e88c46aab55b5291fecf4fbb317c7d60ca8c9.tar.gz

diff --git a/patches/cve/CVE-2019-11478-tcp-tcp_fragment-should-apply-sane-memory-limits.patch b/patches/cve/CVE-2019-11478-tcp-tcp_fragment-should-apply-sane-memory-limits.patch new file mode 100644 index 0000000..7d0c4f4 --- /dev/null +++ b/patches/cve/CVE-2019-11478-tcp-tcp_fragment-should-apply-sane-memory-limits.patch
@@ -0,0 +1,86 @@
	1	From e358f4af19db46ca25cc9a8a78412b09ba98859d Mon Sep 17 00:00:00 2001
	2	From: Eric Dumazet <edumazet@google.com>
	3	Date: Sat, 15 Jun 2019 17:40:56 -0700
	4	Subject: [PATCH] tcp: tcp_fragment() should apply sane memory limits
	5
	6	commit f070ef2ac66716357066b683fb0baf55f8191a2e upstream.
	7
	8	Jonathan Looney reported that a malicious peer can force a sender
	9	to fragment its retransmit queue into tiny skbs, inflating memory
	10	usage and/or overflow 32bit counters.
	11
	12	TCP allows an application to queue up to sk_sndbuf bytes,
	13	so we need to give some allowance for non malicious splitting
	14	of retransmit queue.
	15
	16	A new SNMP counter is added to monitor how many times TCP
	17	did not allow to split an skb if the allowance was exceeded.
	18
	19	Note that this counter might increase in the case applications
	20	use SO_SNDBUF socket option to lower sk_sndbuf.
	21
	22	CVE-2019-11478 : tcp_fragment, prevent fragmenting a packet when the
	23	socket is already using more than half the allowed space
	24
	25	CVE: CVE-2019-11478
	26	Upstream-Status: Backport [https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.9.y&id=e358f4af19db46ca25cc9a8a78412b09ba98859d]
	27
	28	Signed-off-by: Eric Dumazet <edumazet@google.com>
	29	Reported-by: Jonathan Looney <jtl@netflix.com>
	30	Acked-by: Neal Cardwell <ncardwell@google.com>
	31	Acked-by: Yuchung Cheng <ycheng@google.com>
	32	Reviewed-by: Tyler Hicks <tyhicks@canonical.com>
	33	Cc: Bruce Curtis <brucec@netflix.com>
	34	Cc: Jonathan Lemon <jonathan.lemon@gmail.com>
	35	Signed-off-by: David S. Miller <davem@davemloft.net>
	36	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	37	Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
	38	---
	39	include/uapi/linux/snmp.h \| 1 +
	40	net/ipv4/proc.c \| 1 +
	41	net/ipv4/tcp_output.c \| 5 +++++
	42	3 files changed, 7 insertions(+)
	43
	44	diff --git a/include/uapi/linux/snmp.h b/include/uapi/linux/snmp.h
	45	index 3442a26d36d9..56e3460d1f9f 100644
	46	--- a/include/uapi/linux/snmp.h
	47	+++ b/include/uapi/linux/snmp.h
	48	@@ -282,6 +282,7 @@ enum
	49	LINUX_MIB_TCPKEEPALIVE, /* TCPKeepAlive */
	50	LINUX_MIB_TCPMTUPFAIL, /* TCPMTUPFail */
	51	LINUX_MIB_TCPMTUPSUCCESS, /* TCPMTUPSuccess */
	52	+ LINUX_MIB_TCPWQUEUETOOBIG, /* TCPWqueueTooBig */
	53	__LINUX_MIB_MAX
	54	};
	55
	56	diff --git a/net/ipv4/proc.c b/net/ipv4/proc.c
	57	index ec48d8eafc7e..8b221398534b 100644
	58	--- a/net/ipv4/proc.c
	59	+++ b/net/ipv4/proc.c
	60	@@ -306,6 +306,7 @@ static const struct snmp_mib snmp4_net_list[] = {
	61	SNMP_MIB_ITEM("TCPKeepAlive", LINUX_MIB_TCPKEEPALIVE),
	62	SNMP_MIB_ITEM("TCPMTUPFail", LINUX_MIB_TCPMTUPFAIL),
	63	SNMP_MIB_ITEM("TCPMTUPSuccess", LINUX_MIB_TCPMTUPSUCCESS),
	64	+ SNMP_MIB_ITEM("TCPWqueueTooBig", LINUX_MIB_TCPWQUEUETOOBIG),
	65	SNMP_MIB_SENTINEL
	66	};
	67
	68	diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
	69	index 2f166662682e..123b2d8fde46 100644
	70	--- a/net/ipv4/tcp_output.c
	71	+++ b/net/ipv4/tcp_output.c
	72	@@ -1185,6 +1185,11 @@ int tcp_fragment(struct sock sk, struct sk_buff skb, u32 len,
	73	if (nsize < 0)
	74	nsize = 0;
	75
	76	+ if (unlikely((sk->sk_wmem_queued >> 1) > sk->sk_sndbuf)) {
	77	+ NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPWQUEUETOOBIG);
	78	+ return -ENOMEM;
	79	+ }
	80	+
	81	if (skb_unclone(skb, gfp))
	82	return -ENOMEM;
	83
	84	--
	85	2.20.1
	86