tcp: CVE-2019-11478

tcp: tcp_fragment() should apply sane memory limits tcp: refine memory limit test in tcp_fragment() References: https://nvd.nist.gov/vuln/detail/CVE-2019-11478 https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.9.y&id=e358f4af19db46ca25cc9a8a78412b09ba98859d https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.9.y&id=caa51edc7e9606418611e68de624efbd0042adf5 Change-Id: Ie16affeda488857ce013ce3be578c05619aee446 Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
author: Andreas Wellving <andreas.wellving@enea.com> 2019-07-10 11:20:38 +0200
committer: Adrian Stratulat <adrian.stratulat@enea.com> 2019-07-12 14:30:09 +0200
commit: f095fec9a8e21c24ebdc61341bed46d469bd1384 (patch)
tree: 2b71c04614e75e8252021fda0e046399e3285125 /patches/cve/CVE-2019-11478-tcp-tcp_fragment-should-apply-sane-memory-limits.patch
parent: 726a4b413d426f2209264501fe0f56c88588988f (diff)
download: enea-kernel-cache-f095fec9a8e21c24ebdc61341bed46d469bd1384.tar.gz
1 files changed, 86 insertions, 0 deletions
diff --git a/patches/cve/CVE-2019-11478-tcp-tcp_fragment-should-apply-sane-memory-limits.patch b/patches/cve/CVE-2019-11478-tcp-tcp_fragment-should-apply-sane-memory-limits.patch
new file mode 100644
index 0000000..7d0c4f4
--- /dev/null
+++ b/patches/cve/CVE-2019-11478-tcp-tcp_fragment-should-apply-sane-memory-limits.patch
@@ -0,0 +1,86 @@
+From e358f4af19db46ca25cc9a8a78412b09ba98859d Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Sat, 15 Jun 2019 17:40:56 -0700
+Subject: [PATCH] tcp: tcp_fragment() should apply sane memory limits
+commit f070ef2ac66716357066b683fb0baf55f8191a2e upstream.
+Jonathan Looney reported that a malicious peer can force a sender
+to fragment its retransmit queue into tiny skbs, inflating memory
+usage and/or overflow 32bit counters.
+TCP allows an application to queue up to sk_sndbuf bytes,
+so we need to give some allowance for non malicious splitting
+of retransmit queue.
+A new SNMP counter is added to monitor how many times TCP
+did not allow to split an skb if the allowance was exceeded.
+Note that this counter might increase in the case applications
+use SO_SNDBUF socket option to lower sk_sndbuf.
+CVE-2019-11478 : tcp_fragment, prevent fragmenting a packet when the
+        socket is already using more than half the allowed space
+CVE: CVE-2019-11478
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.9.y&id=e358f4af19db46ca25cc9a8a78412b09ba98859d]
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: Jonathan Looney <jtl@netflix.com>
+Acked-by: Neal Cardwell <ncardwell@google.com>
+Acked-by: Yuchung Cheng <ycheng@google.com>
+Reviewed-by: Tyler Hicks <tyhicks@canonical.com>
+Cc: Bruce Curtis <brucec@netflix.com>
+Cc: Jonathan Lemon <jonathan.lemon@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
+---
+ include/uapi/linux/snmp.h | 1 +
+ net/ipv4/proc.c           | 1 +
+ net/ipv4/tcp_output.c     | 5 +++++
+ 3 files changed, 7 insertions(+)
+diff --git a/include/uapi/linux/snmp.h b/include/uapi/linux/snmp.h
+index 3442a26d36d9..56e3460d1f9f 100644
+--- a/include/uapi/linux/snmp.h
+++ b/include/uapi/linux/snmp.h
+@@ -282,6 +282,7 @@ enum
+        LINUX_MIB_TCPKEEPALIVE,                 /* TCPKeepAlive */
+        LINUX_MIB_TCPMTUPFAIL,                  /* TCPMTUPFail */
+        LINUX_MIB_TCPMTUPSUCCESS,               /* TCPMTUPSuccess */
+       LINUX_MIB_TCPWQUEUETOOBIG,              /* TCPWqueueTooBig */
+        __LINUX_MIB_MAX
+ };
+ 
+diff --git a/net/ipv4/proc.c b/net/ipv4/proc.c
+index ec48d8eafc7e..8b221398534b 100644
+--- a/net/ipv4/proc.c
+++ b/net/ipv4/proc.c
+@@ -306,6 +306,7 @@ static const struct snmp_mib snmp4_net_list[] = {
+        SNMP_MIB_ITEM("TCPKeepAlive", LINUX_MIB_TCPKEEPALIVE),
+        SNMP_MIB_ITEM("TCPMTUPFail", LINUX_MIB_TCPMTUPFAIL),
+        SNMP_MIB_ITEM("TCPMTUPSuccess", LINUX_MIB_TCPMTUPSUCCESS),
+       SNMP_MIB_ITEM("TCPWqueueTooBig", LINUX_MIB_TCPWQUEUETOOBIG),
+        SNMP_MIB_SENTINEL
+ };
+ 
+diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
+index 2f166662682e..123b2d8fde46 100644
+--- a/net/ipv4/tcp_output.c
+++ b/net/ipv4/tcp_output.c
+@@ -1185,6 +1185,11 @@ int tcp_fragment(struct sock *sk, struct sk_buff *skb, u32 len,
+        if (nsize < 0)
+                nsize = 0;
+ 
+       if (unlikely((sk->sk_wmem_queued >> 1) > sk->sk_sndbuf)) {
+               NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPWQUEUETOOBIG);
+               return -ENOMEM;
+       }
+
+        if (skb_unclone(skb, gfp))
+                return -ENOMEM;
+ 
+-- 
+2.20.1
author	Andreas Wellving <andreas.wellving@enea.com>	2019-07-10 11:20:38 +0200
committer	Adrian Stratulat <adrian.stratulat@enea.com>	2019-07-12 14:30:09 +0200
commit	f095fec9a8e21c24ebdc61341bed46d469bd1384 (patch)
tree	2b71c04614e75e8252021fda0e046399e3285125 /patches/cve/CVE-2019-11478-tcp-tcp_fragment-should-apply-sane-memory-limits.patch
parent	726a4b413d426f2209264501fe0f56c88588988f (diff)
download	enea-kernel-cache-f095fec9a8e21c24ebdc61341bed46d469bd1384.tar.gz

diff --git a/patches/cve/CVE-2019-11478-tcp-tcp_fragment-should-apply-sane-memory-limits.patch b/patches/cve/CVE-2019-11478-tcp-tcp_fragment-should-apply-sane-memory-limits.patch new file mode 100644 index 0000000..7d0c4f4 --- /dev/null +++ b/patches/cve/CVE-2019-11478-tcp-tcp_fragment-should-apply-sane-memory-limits.patch
@@ -0,0 +1,86 @@
	1	From e358f4af19db46ca25cc9a8a78412b09ba98859d Mon Sep 17 00:00:00 2001
	2	From: Eric Dumazet <edumazet@google.com>
	3	Date: Sat, 15 Jun 2019 17:40:56 -0700
	4	Subject: [PATCH] tcp: tcp_fragment() should apply sane memory limits
	5
	6	commit f070ef2ac66716357066b683fb0baf55f8191a2e upstream.
	7
	8	Jonathan Looney reported that a malicious peer can force a sender
	9	to fragment its retransmit queue into tiny skbs, inflating memory
	10	usage and/or overflow 32bit counters.
	11
	12	TCP allows an application to queue up to sk_sndbuf bytes,
	13	so we need to give some allowance for non malicious splitting
	14	of retransmit queue.
	15
	16	A new SNMP counter is added to monitor how many times TCP
	17	did not allow to split an skb if the allowance was exceeded.
	18
	19	Note that this counter might increase in the case applications
	20	use SO_SNDBUF socket option to lower sk_sndbuf.
	21
	22	CVE-2019-11478 : tcp_fragment, prevent fragmenting a packet when the
	23	socket is already using more than half the allowed space
	24
	25	CVE: CVE-2019-11478
	26	Upstream-Status: Backport [https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.9.y&id=e358f4af19db46ca25cc9a8a78412b09ba98859d]
	27
	28	Signed-off-by: Eric Dumazet <edumazet@google.com>
	29	Reported-by: Jonathan Looney <jtl@netflix.com>
	30	Acked-by: Neal Cardwell <ncardwell@google.com>
	31	Acked-by: Yuchung Cheng <ycheng@google.com>
	32	Reviewed-by: Tyler Hicks <tyhicks@canonical.com>
	33	Cc: Bruce Curtis <brucec@netflix.com>
	34	Cc: Jonathan Lemon <jonathan.lemon@gmail.com>
	35	Signed-off-by: David S. Miller <davem@davemloft.net>
	36	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	37	Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
	38	---
	39	include/uapi/linux/snmp.h \| 1 +
	40	net/ipv4/proc.c \| 1 +
	41	net/ipv4/tcp_output.c \| 5 +++++
	42	3 files changed, 7 insertions(+)
	43
	44	diff --git a/include/uapi/linux/snmp.h b/include/uapi/linux/snmp.h
	45	index 3442a26d36d9..56e3460d1f9f 100644
	46	--- a/include/uapi/linux/snmp.h
	47	+++ b/include/uapi/linux/snmp.h
	48	@@ -282,6 +282,7 @@ enum
	49	LINUX_MIB_TCPKEEPALIVE, /* TCPKeepAlive */
	50	LINUX_MIB_TCPMTUPFAIL, /* TCPMTUPFail */
	51	LINUX_MIB_TCPMTUPSUCCESS, /* TCPMTUPSuccess */
	52	+ LINUX_MIB_TCPWQUEUETOOBIG, /* TCPWqueueTooBig */
	53	__LINUX_MIB_MAX
	54	};
	55
	56	diff --git a/net/ipv4/proc.c b/net/ipv4/proc.c
	57	index ec48d8eafc7e..8b221398534b 100644
	58	--- a/net/ipv4/proc.c
	59	+++ b/net/ipv4/proc.c
	60	@@ -306,6 +306,7 @@ static const struct snmp_mib snmp4_net_list[] = {
	61	SNMP_MIB_ITEM("TCPKeepAlive", LINUX_MIB_TCPKEEPALIVE),
	62	SNMP_MIB_ITEM("TCPMTUPFail", LINUX_MIB_TCPMTUPFAIL),
	63	SNMP_MIB_ITEM("TCPMTUPSuccess", LINUX_MIB_TCPMTUPSUCCESS),
	64	+ SNMP_MIB_ITEM("TCPWqueueTooBig", LINUX_MIB_TCPWQUEUETOOBIG),
	65	SNMP_MIB_SENTINEL
	66	};
	67
	68	diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
	69	index 2f166662682e..123b2d8fde46 100644
	70	--- a/net/ipv4/tcp_output.c
	71	+++ b/net/ipv4/tcp_output.c
	72	@@ -1185,6 +1185,11 @@ int tcp_fragment(struct sock sk, struct sk_buff skb, u32 len,
	73	if (nsize < 0)
	74	nsize = 0;
	75
	76	+ if (unlikely((sk->sk_wmem_queued >> 1) > sk->sk_sndbuf)) {
	77	+ NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPWQUEUETOOBIG);
	78	+ return -ENOMEM;
	79	+ }
	80	+
	81	if (skb_unclone(skb, gfp))
	82	return -ENOMEM;
	83
	84	--
	85	2.20.1
	86