diff options
3 files changed, 133 insertions, 0 deletions
diff --git a/patches/cve/4.9.x.scc b/patches/cve/4.9.x.scc index 5230f7b..1e7be93 100644 --- a/patches/cve/4.9.x.scc +++ b/patches/cve/4.9.x.scc | |||
| @@ -81,3 +81,5 @@ patch CVE-2018-20836-scsi-libsas-fix-a-race-condition-when-smp-task-timeo.patch | |||
| 81 | 81 | ||
| 82 | #CVEs fixed in 4.9.182: | 82 | #CVEs fixed in 4.9.182: |
| 83 | patch CVE-2019-11477-tcp-limit-payload-size-of-sacked-skbs.patch | 83 | patch CVE-2019-11477-tcp-limit-payload-size-of-sacked-skbs.patch |
| 84 | patch CVE-2019-11478-tcp-tcp_fragment-should-apply-sane-memory-limits.patch | ||
| 85 | patch CVE-2019-11478-tcp-refine-memory-limit-test-in-tcp_fragment.patch | ||
diff --git a/patches/cve/CVE-2019-11478-tcp-refine-memory-limit-test-in-tcp_fragment.patch b/patches/cve/CVE-2019-11478-tcp-refine-memory-limit-test-in-tcp_fragment.patch new file mode 100644 index 0000000..57bca2c --- /dev/null +++ b/patches/cve/CVE-2019-11478-tcp-refine-memory-limit-test-in-tcp_fragment.patch | |||
| @@ -0,0 +1,45 @@ | |||
| 1 | From caa51edc7e9606418611e68de624efbd0042adf5 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Eric Dumazet <edumazet@google.com> | ||
| 3 | Date: Fri, 21 Jun 2019 06:09:55 -0700 | ||
| 4 | Subject: [PATCH] tcp: refine memory limit test in tcp_fragment() | ||
| 5 | |||
| 6 | commit b6653b3629e5b88202be3c9abc44713973f5c4b4 upstream. | ||
| 7 | |||
| 8 | tcp_fragment() might be called for skbs in the write queue. | ||
| 9 | |||
| 10 | Memory limits might have been exceeded because tcp_sendmsg() only | ||
| 11 | checks limits at full skb (64KB) boundaries. | ||
| 12 | |||
| 13 | Therefore, we need to make sure tcp_fragment() wont punish applications | ||
| 14 | that might have setup very low SO_SNDBUF values. | ||
| 15 | |||
| 16 | CVE: CVE-2019-11478 | ||
| 17 | Upstream-Status: Backport [https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.9.y&id=caa51edc7e9606418611e68de624efbd0042adf5] | ||
| 18 | |||
| 19 | Fixes: f070ef2ac667 ("tcp: tcp_fragment() should apply sane memory limits") | ||
| 20 | Signed-off-by: Eric Dumazet <edumazet@google.com> | ||
| 21 | Reported-by: Christoph Paasch <cpaasch@apple.com> | ||
| 22 | Tested-by: Christoph Paasch <cpaasch@apple.com> | ||
| 23 | Signed-off-by: David S. Miller <davem@davemloft.net> | ||
| 24 | Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> | ||
| 25 | Signed-off-by: Andreas Wellving <andreas.wellving@enea.com> | ||
| 26 | --- | ||
| 27 | net/ipv4/tcp_output.c | 2 +- | ||
| 28 | 1 file changed, 1 insertion(+), 1 deletion(-) | ||
| 29 | |||
| 30 | diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c | ||
| 31 | index d8c6b833f0ce..0c195b0f4216 100644 | ||
| 32 | --- a/net/ipv4/tcp_output.c | ||
| 33 | +++ b/net/ipv4/tcp_output.c | ||
| 34 | @@ -1185,7 +1185,7 @@ int tcp_fragment(struct sock *sk, struct sk_buff *skb, u32 len, | ||
| 35 | if (nsize < 0) | ||
| 36 | nsize = 0; | ||
| 37 | |||
| 38 | - if (unlikely((sk->sk_wmem_queued >> 1) > sk->sk_sndbuf)) { | ||
| 39 | + if (unlikely((sk->sk_wmem_queued >> 1) > sk->sk_sndbuf + 0x20000)) { | ||
| 40 | NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPWQUEUETOOBIG); | ||
| 41 | return -ENOMEM; | ||
| 42 | } | ||
| 43 | -- | ||
| 44 | 2.20.1 | ||
| 45 | |||
diff --git a/patches/cve/CVE-2019-11478-tcp-tcp_fragment-should-apply-sane-memory-limits.patch b/patches/cve/CVE-2019-11478-tcp-tcp_fragment-should-apply-sane-memory-limits.patch new file mode 100644 index 0000000..7d0c4f4 --- /dev/null +++ b/patches/cve/CVE-2019-11478-tcp-tcp_fragment-should-apply-sane-memory-limits.patch | |||
| @@ -0,0 +1,86 @@ | |||
| 1 | From e358f4af19db46ca25cc9a8a78412b09ba98859d Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Eric Dumazet <edumazet@google.com> | ||
| 3 | Date: Sat, 15 Jun 2019 17:40:56 -0700 | ||
| 4 | Subject: [PATCH] tcp: tcp_fragment() should apply sane memory limits | ||
| 5 | |||
| 6 | commit f070ef2ac66716357066b683fb0baf55f8191a2e upstream. | ||
| 7 | |||
| 8 | Jonathan Looney reported that a malicious peer can force a sender | ||
| 9 | to fragment its retransmit queue into tiny skbs, inflating memory | ||
| 10 | usage and/or overflow 32bit counters. | ||
| 11 | |||
| 12 | TCP allows an application to queue up to sk_sndbuf bytes, | ||
| 13 | so we need to give some allowance for non malicious splitting | ||
| 14 | of retransmit queue. | ||
| 15 | |||
| 16 | A new SNMP counter is added to monitor how many times TCP | ||
| 17 | did not allow to split an skb if the allowance was exceeded. | ||
| 18 | |||
| 19 | Note that this counter might increase in the case applications | ||
| 20 | use SO_SNDBUF socket option to lower sk_sndbuf. | ||
| 21 | |||
| 22 | CVE-2019-11478 : tcp_fragment, prevent fragmenting a packet when the | ||
| 23 | socket is already using more than half the allowed space | ||
| 24 | |||
| 25 | CVE: CVE-2019-11478 | ||
| 26 | Upstream-Status: Backport [https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.9.y&id=e358f4af19db46ca25cc9a8a78412b09ba98859d] | ||
| 27 | |||
| 28 | Signed-off-by: Eric Dumazet <edumazet@google.com> | ||
| 29 | Reported-by: Jonathan Looney <jtl@netflix.com> | ||
| 30 | Acked-by: Neal Cardwell <ncardwell@google.com> | ||
| 31 | Acked-by: Yuchung Cheng <ycheng@google.com> | ||
| 32 | Reviewed-by: Tyler Hicks <tyhicks@canonical.com> | ||
| 33 | Cc: Bruce Curtis <brucec@netflix.com> | ||
| 34 | Cc: Jonathan Lemon <jonathan.lemon@gmail.com> | ||
| 35 | Signed-off-by: David S. Miller <davem@davemloft.net> | ||
| 36 | Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> | ||
| 37 | Signed-off-by: Andreas Wellving <andreas.wellving@enea.com> | ||
| 38 | --- | ||
| 39 | include/uapi/linux/snmp.h | 1 + | ||
| 40 | net/ipv4/proc.c | 1 + | ||
| 41 | net/ipv4/tcp_output.c | 5 +++++ | ||
| 42 | 3 files changed, 7 insertions(+) | ||
| 43 | |||
| 44 | diff --git a/include/uapi/linux/snmp.h b/include/uapi/linux/snmp.h | ||
| 45 | index 3442a26d36d9..56e3460d1f9f 100644 | ||
| 46 | --- a/include/uapi/linux/snmp.h | ||
| 47 | +++ b/include/uapi/linux/snmp.h | ||
| 48 | @@ -282,6 +282,7 @@ enum | ||
| 49 | LINUX_MIB_TCPKEEPALIVE, /* TCPKeepAlive */ | ||
| 50 | LINUX_MIB_TCPMTUPFAIL, /* TCPMTUPFail */ | ||
| 51 | LINUX_MIB_TCPMTUPSUCCESS, /* TCPMTUPSuccess */ | ||
| 52 | + LINUX_MIB_TCPWQUEUETOOBIG, /* TCPWqueueTooBig */ | ||
| 53 | __LINUX_MIB_MAX | ||
| 54 | }; | ||
| 55 | |||
| 56 | diff --git a/net/ipv4/proc.c b/net/ipv4/proc.c | ||
| 57 | index ec48d8eafc7e..8b221398534b 100644 | ||
| 58 | --- a/net/ipv4/proc.c | ||
| 59 | +++ b/net/ipv4/proc.c | ||
| 60 | @@ -306,6 +306,7 @@ static const struct snmp_mib snmp4_net_list[] = { | ||
| 61 | SNMP_MIB_ITEM("TCPKeepAlive", LINUX_MIB_TCPKEEPALIVE), | ||
| 62 | SNMP_MIB_ITEM("TCPMTUPFail", LINUX_MIB_TCPMTUPFAIL), | ||
| 63 | SNMP_MIB_ITEM("TCPMTUPSuccess", LINUX_MIB_TCPMTUPSUCCESS), | ||
| 64 | + SNMP_MIB_ITEM("TCPWqueueTooBig", LINUX_MIB_TCPWQUEUETOOBIG), | ||
| 65 | SNMP_MIB_SENTINEL | ||
| 66 | }; | ||
| 67 | |||
| 68 | diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c | ||
| 69 | index 2f166662682e..123b2d8fde46 100644 | ||
| 70 | --- a/net/ipv4/tcp_output.c | ||
| 71 | +++ b/net/ipv4/tcp_output.c | ||
| 72 | @@ -1185,6 +1185,11 @@ int tcp_fragment(struct sock *sk, struct sk_buff *skb, u32 len, | ||
| 73 | if (nsize < 0) | ||
| 74 | nsize = 0; | ||
| 75 | |||
| 76 | + if (unlikely((sk->sk_wmem_queued >> 1) > sk->sk_sndbuf)) { | ||
| 77 | + NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPWQUEUETOOBIG); | ||
| 78 | + return -ENOMEM; | ||
| 79 | + } | ||
| 80 | + | ||
| 81 | if (skb_unclone(skb, gfp)) | ||
| 82 | return -ENOMEM; | ||
| 83 | |||
| 84 | -- | ||
| 85 | 2.20.1 | ||
| 86 | |||