1 files changed, 142 insertions, 0 deletions
diff --git a/patches/cve/CVE-2019-11479-tcp-add-tcp_min_snd_mss-sysctl.patch b/patches/cve/CVE-2019-11479-tcp-add-tcp_min_snd_mss-sysctl.patch
new file mode 100644
index 0000000..9cb6467
--- /dev/null
+++ b/patches/cve/CVE-2019-11479-tcp-add-tcp_min_snd_mss-sysctl.patch
@@ -0,0 +1,142 @@
+From 8e39cbc03dafa3731d22533f869bf326c0e6e6f8 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Sat, 15 Jun 2019 17:44:24 -0700
+Subject: [PATCH] tcp: add tcp_min_snd_mss sysctl
+commit 5f3e2bf008c2221478101ee72f5cb4654b9fc363 upstream.
+Some TCP peers announce a very small MSS option in their SYN and/or
+SYN/ACK messages.
+This forces the stack to send packets with a very high network/cpu
+overhead.
+Linux has enforced a minimal value of 48. Since this value includes
+the size of TCP options, and that the options can consume up to 40
+bytes, this means that each segment can include only 8 bytes of payload.
+In some cases, it can be useful to increase the minimal value
+to a saner value.
+We still let the default to 48 (TCP_MIN_SND_MSS), for compatibility
+reasons.
+Note that TCP_MAXSEG socket option enforces a minimal value
+of (TCP_MIN_MSS). David Miller increased this minimal value
+in commit c39508d6f118 ("tcp: Make TCP_MAXSEG minimum more correct.")
+from 64 to 88.
+We might in the future merge TCP_MIN_SND_MSS and TCP_MIN_MSS.
+CVE-2019-11479 -- tcp mss hardcoded to 48
+CVE: CVE-2019-11479
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.9.y&id=8e39cbc03dafa3731d22533f869bf326c0e6e6f8]
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Suggested-by: Jonathan Looney <jtl@netflix.com>
+Acked-by: Neal Cardwell <ncardwell@google.com>
+Cc: Yuchung Cheng <ycheng@google.com>
+Cc: Tyler Hicks <tyhicks@canonical.com>
+Cc: Bruce Curtis <brucec@netflix.com>
+Cc: Jonathan Lemon <jonathan.lemon@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
+---
+ Documentation/networking/ip-sysctl.txt |  8 ++++++++
+ include/net/netns/ipv4.h               |  1 +
+ net/ipv4/sysctl_net_ipv4.c             | 11 +++++++++++
+ net/ipv4/tcp_ipv4.c                    |  1 +
+ net/ipv4/tcp_output.c                  |  3 +--
+ 5 files changed, 22 insertions(+), 2 deletions(-)
+diff --git a/Documentation/networking/ip-sysctl.txt b/Documentation/networking/ip-sysctl.txt
+index 0335285f3918..49935d5bb5c6 100644
+--- a/Documentation/networking/ip-sysctl.txt
+++ b/Documentation/networking/ip-sysctl.txt
+@@ -230,6 +230,14 @@ tcp_base_mss - INTEGER
+        Path MTU discovery (MTU probing).  If MTU probing is enabled,
+        this is the initial MSS used by the connection.
+ 
+tcp_min_snd_mss - INTEGER
+       TCP SYN and SYNACK messages usually advertise an ADVMSS option,
+       as described in RFC 1122 and RFC 6691.
+       If this ADVMSS option is smaller than tcp_min_snd_mss,
+       it is silently capped to tcp_min_snd_mss.
+
+       Default : 48 (at least 8 bytes of payload per segment)
+
+ tcp_congestion_control - STRING
+        Set the congestion control algorithm to be used for new
+        connections. The algorithm "reno" is always available, but
+diff --git a/include/net/netns/ipv4.h b/include/net/netns/ipv4.h
+index 7adf4386ac8f..bf619a67ec03 100644
+--- a/include/net/netns/ipv4.h
+++ b/include/net/netns/ipv4.h
+@@ -94,6 +94,7 @@ struct netns_ipv4 {
+ #endif
+        int sysctl_tcp_mtu_probing;
+        int sysctl_tcp_base_mss;
+       int sysctl_tcp_min_snd_mss;
+        int sysctl_tcp_probe_threshold;
+        u32 sysctl_tcp_probe_interval;
+ 
+diff --git a/net/ipv4/sysctl_net_ipv4.c b/net/ipv4/sysctl_net_ipv4.c
+index 85713adf2770..e202babb14d6 100644
+--- a/net/ipv4/sysctl_net_ipv4.c
+++ b/net/ipv4/sysctl_net_ipv4.c
+@@ -35,6 +35,8 @@ static int ip_local_port_range_min[] = { 1, 1 };
+ static int ip_local_port_range_max[] = { 65535, 65535 };
+ static int tcp_adv_win_scale_min = -31;
+ static int tcp_adv_win_scale_max = 31;
+static int tcp_min_snd_mss_min = TCP_MIN_SND_MSS;
+static int tcp_min_snd_mss_max = 65535;
+ static int ip_ttl_min = 1;
+ static int ip_ttl_max = 255;
+ static int tcp_syn_retries_min = 1;
+@@ -838,6 +840,15 @@ static struct ctl_table ipv4_net_table[] = {
+                .mode           = 0644,
+                .proc_handler   = proc_dointvec,
+        },
+       {
+               .procname       = "tcp_min_snd_mss",
+               .data           = &init_net.ipv4.sysctl_tcp_min_snd_mss,
+               .maxlen         = sizeof(int),
+               .mode           = 0644,
+               .proc_handler   = proc_dointvec_minmax,
+               .extra1         = &tcp_min_snd_mss_min,
+               .extra2         = &tcp_min_snd_mss_max,
+       },
+        {
+                .procname       = "tcp_probe_threshold",
+                .data           = &init_net.ipv4.sysctl_tcp_probe_threshold,
+diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
+index 82c1064ff4aa..848f2c1da8a5 100644
+--- a/net/ipv4/tcp_ipv4.c
+++ b/net/ipv4/tcp_ipv4.c
+@@ -2456,6 +2456,7 @@ static int __net_init tcp_sk_init(struct net *net)
+        net->ipv4.sysctl_tcp_ecn_fallback = 1;
+ 
+        net->ipv4.sysctl_tcp_base_mss = TCP_BASE_MSS;
+       net->ipv4.sysctl_tcp_min_snd_mss = TCP_MIN_SND_MSS;
+        net->ipv4.sysctl_tcp_probe_threshold = TCP_PROBE_THRESHOLD;
+        net->ipv4.sysctl_tcp_probe_interval = TCP_PROBE_INTERVAL;
+ 
+diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
+index 123b2d8fde46..d8c6b833f0ce 100644
+--- a/net/ipv4/tcp_output.c
+++ b/net/ipv4/tcp_output.c
+@@ -1360,8 +1360,7 @@ static inline int __tcp_mtu_to_mss(struct sock *sk, int pmtu)
+        mss_now -= icsk->icsk_ext_hdr_len;
+ 
+        /* Then reserve room for full set of TCP options and 8 bytes of data */
+-       if (mss_now < TCP_MIN_SND_MSS)
+-               mss_now = TCP_MIN_SND_MSS;
+       mss_now = max(mss_now, sock_net(sk)->ipv4.sysctl_tcp_min_snd_mss);
+        return mss_now;
+ }
+ 
+-- 
+2.20.1

diff --git a/patches/cve/CVE-2019-11479-tcp-add-tcp_min_snd_mss-sysctl.patch b/patches/cve/CVE-2019-11479-tcp-add-tcp_min_snd_mss-sysctl.patch new file mode 100644 index 0000000..9cb6467 --- /dev/null +++ b/patches/cve/CVE-2019-11479-tcp-add-tcp_min_snd_mss-sysctl.patch
@@ -0,0 +1,142 @@
	1	From 8e39cbc03dafa3731d22533f869bf326c0e6e6f8 Mon Sep 17 00:00:00 2001
	2	From: Eric Dumazet <edumazet@google.com>
	3	Date: Sat, 15 Jun 2019 17:44:24 -0700
	4	Subject: [PATCH] tcp: add tcp_min_snd_mss sysctl
	5
	6	commit 5f3e2bf008c2221478101ee72f5cb4654b9fc363 upstream.
	7
	8	Some TCP peers announce a very small MSS option in their SYN and/or
	9	SYN/ACK messages.
	10
	11	This forces the stack to send packets with a very high network/cpu
	12	overhead.
	13
	14	Linux has enforced a minimal value of 48. Since this value includes
	15	the size of TCP options, and that the options can consume up to 40
	16	bytes, this means that each segment can include only 8 bytes of payload.
	17
	18	In some cases, it can be useful to increase the minimal value
	19	to a saner value.
	20
	21	We still let the default to 48 (TCP_MIN_SND_MSS), for compatibility
	22	reasons.
	23
	24	Note that TCP_MAXSEG socket option enforces a minimal value
	25	of (TCP_MIN_MSS). David Miller increased this minimal value
	26	in commit c39508d6f118 ("tcp: Make TCP_MAXSEG minimum more correct.")
	27	from 64 to 88.
	28
	29	We might in the future merge TCP_MIN_SND_MSS and TCP_MIN_MSS.
	30
	31	CVE-2019-11479 -- tcp mss hardcoded to 48
	32
	33	CVE: CVE-2019-11479
	34	Upstream-Status: Backport [https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.9.y&id=8e39cbc03dafa3731d22533f869bf326c0e6e6f8]
	35
	36	Signed-off-by: Eric Dumazet <edumazet@google.com>
	37	Suggested-by: Jonathan Looney <jtl@netflix.com>
	38	Acked-by: Neal Cardwell <ncardwell@google.com>
	39	Cc: Yuchung Cheng <ycheng@google.com>
	40	Cc: Tyler Hicks <tyhicks@canonical.com>
	41	Cc: Bruce Curtis <brucec@netflix.com>
	42	Cc: Jonathan Lemon <jonathan.lemon@gmail.com>
	43	Signed-off-by: David S. Miller <davem@davemloft.net>
	44	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	45	Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
	46	---
	47	Documentation/networking/ip-sysctl.txt \| 8 ++++++++
	48	include/net/netns/ipv4.h \| 1 +
	49	net/ipv4/sysctl_net_ipv4.c \| 11 +++++++++++
	50	net/ipv4/tcp_ipv4.c \| 1 +
	51	net/ipv4/tcp_output.c \| 3 +--
	52	5 files changed, 22 insertions(+), 2 deletions(-)
	53
	54	diff --git a/Documentation/networking/ip-sysctl.txt b/Documentation/networking/ip-sysctl.txt
	55	index 0335285f3918..49935d5bb5c6 100644
	56	--- a/Documentation/networking/ip-sysctl.txt
	57	+++ b/Documentation/networking/ip-sysctl.txt
	58	@@ -230,6 +230,14 @@ tcp_base_mss - INTEGER
	59	Path MTU discovery (MTU probing). If MTU probing is enabled,
	60	this is the initial MSS used by the connection.
	61
	62	+tcp_min_snd_mss - INTEGER
	63	+ TCP SYN and SYNACK messages usually advertise an ADVMSS option,
	64	+ as described in RFC 1122 and RFC 6691.
	65	+ If this ADVMSS option is smaller than tcp_min_snd_mss,
	66	+ it is silently capped to tcp_min_snd_mss.
	67	+
	68	+ Default : 48 (at least 8 bytes of payload per segment)
	69	+
	70	tcp_congestion_control - STRING
	71	Set the congestion control algorithm to be used for new
	72	connections. The algorithm "reno" is always available, but
	73	diff --git a/include/net/netns/ipv4.h b/include/net/netns/ipv4.h
	74	index 7adf4386ac8f..bf619a67ec03 100644
	75	--- a/include/net/netns/ipv4.h
	76	+++ b/include/net/netns/ipv4.h
	77	@@ -94,6 +94,7 @@ struct netns_ipv4 {
	78	#endif
	79	int sysctl_tcp_mtu_probing;
	80	int sysctl_tcp_base_mss;
	81	+ int sysctl_tcp_min_snd_mss;
	82	int sysctl_tcp_probe_threshold;
	83	u32 sysctl_tcp_probe_interval;
	84
	85	diff --git a/net/ipv4/sysctl_net_ipv4.c b/net/ipv4/sysctl_net_ipv4.c
	86	index 85713adf2770..e202babb14d6 100644
	87	--- a/net/ipv4/sysctl_net_ipv4.c
	88	+++ b/net/ipv4/sysctl_net_ipv4.c
	89	@@ -35,6 +35,8 @@ static int ip_local_port_range_min[] = { 1, 1 };
	90	static int ip_local_port_range_max[] = { 65535, 65535 };
	91	static int tcp_adv_win_scale_min = -31;
	92	static int tcp_adv_win_scale_max = 31;
	93	+static int tcp_min_snd_mss_min = TCP_MIN_SND_MSS;
	94	+static int tcp_min_snd_mss_max = 65535;
	95	static int ip_ttl_min = 1;
	96	static int ip_ttl_max = 255;
	97	static int tcp_syn_retries_min = 1;
	98	@@ -838,6 +840,15 @@ static struct ctl_table ipv4_net_table[] = {
	99	.mode = 0644,
	100	.proc_handler = proc_dointvec,
	101	},
	102	+ {
	103	+ .procname = "tcp_min_snd_mss",
	104	+ .data = &init_net.ipv4.sysctl_tcp_min_snd_mss,
	105	+ .maxlen = sizeof(int),
	106	+ .mode = 0644,
	107	+ .proc_handler = proc_dointvec_minmax,
	108	+ .extra1 = &tcp_min_snd_mss_min,
	109	+ .extra2 = &tcp_min_snd_mss_max,
	110	+ },
	111	{
	112	.procname = "tcp_probe_threshold",
	113	.data = &init_net.ipv4.sysctl_tcp_probe_threshold,
	114	diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
	115	index 82c1064ff4aa..848f2c1da8a5 100644
	116	--- a/net/ipv4/tcp_ipv4.c
	117	+++ b/net/ipv4/tcp_ipv4.c
	118	@@ -2456,6 +2456,7 @@ static int __net_init tcp_sk_init(struct net *net)
	119	net->ipv4.sysctl_tcp_ecn_fallback = 1;
	120
	121	net->ipv4.sysctl_tcp_base_mss = TCP_BASE_MSS;
	122	+ net->ipv4.sysctl_tcp_min_snd_mss = TCP_MIN_SND_MSS;
	123	net->ipv4.sysctl_tcp_probe_threshold = TCP_PROBE_THRESHOLD;
	124	net->ipv4.sysctl_tcp_probe_interval = TCP_PROBE_INTERVAL;
	125
	126	diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
	127	index 123b2d8fde46..d8c6b833f0ce 100644
	128	--- a/net/ipv4/tcp_output.c
	129	+++ b/net/ipv4/tcp_output.c
	130	@@ -1360,8 +1360,7 @@ static inline int __tcp_mtu_to_mss(struct sock *sk, int pmtu)
	131	mss_now -= icsk->icsk_ext_hdr_len;
	132
	133	/* Then reserve room for full set of TCP options and 8 bytes of data */
	134	- if (mss_now < TCP_MIN_SND_MSS)
	135	- mss_now = TCP_MIN_SND_MSS;
	136	+ mss_now = max(mss_now, sock_net(sk)->ipv4.sysctl_tcp_min_snd_mss);
	137	return mss_now;
	138	}
	139
	140	--
	141	2.20.1
	142