From 427e88c46aab55b5291fecf4fbb317c7d60ca8c9 Mon Sep 17 00:00:00 2001 From: Andreas Wellving Date: Wed, 10 Jul 2019 15:10:41 +0200 Subject: tcp: CVE-2019-11478 tcp: tcp_fragment() should apply sane memory limits tcp: refine memory limit test in tcp_fragment() References: https://nvd.nist.gov/vuln/detail/CVE-2019-11478 https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.9.y&id=e358f4af19db46ca25cc9a8a78412b09ba98859d https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.9.y&id=caa51edc7e9606418611e68de624efbd0042adf5 Change-Id: I9630c20a11d9a92095d475f2a6d27e627fd7bbff Signed-off-by: Andreas Wellving --- ...-refine-memory-limit-test-in-tcp_fragment.patch | 45 ++++++++++++++++++++++ 1 file changed, 45 insertions(+) create mode 100644 patches/cve/CVE-2019-11478-tcp-refine-memory-limit-test-in-tcp_fragment.patch (limited to 'patches/cve/CVE-2019-11478-tcp-refine-memory-limit-test-in-tcp_fragment.patch') diff --git a/patches/cve/CVE-2019-11478-tcp-refine-memory-limit-test-in-tcp_fragment.patch b/patches/cve/CVE-2019-11478-tcp-refine-memory-limit-test-in-tcp_fragment.patch new file mode 100644 index 0000000..57bca2c --- /dev/null +++ b/patches/cve/CVE-2019-11478-tcp-refine-memory-limit-test-in-tcp_fragment.patch 
@@ -0,0 +1,45 @@ +From caa51edc7e9606418611e68de624efbd0042adf5 Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Fri, 21 Jun 2019 06:09:55 -0700 +Subject: [PATCH] tcp: refine memory limit test in tcp_fragment() + +commit b6653b3629e5b88202be3c9abc44713973f5c4b4 upstream. + +tcp_fragment() might be called for skbs in the write queue. + +Memory limits might have been exceeded because tcp_sendmsg() only +checks limits at full skb (64KB) boundaries. + +Therefore, we need to make sure tcp_fragment() wont punish applications +that might have setup very low SO_SNDBUF values. + +CVE: CVE-2019-11478 +Upstream-Status: Backport [https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.9.y&id=caa51edc7e9606418611e68de624efbd0042adf5] + +Fixes: f070ef2ac667 ("tcp: tcp_fragment() should apply sane memory limits") +Signed-off-by: Eric Dumazet +Reported-by: Christoph Paasch +Tested-by: Christoph Paasch +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Andreas Wellving +--- + net/ipv4/tcp_output.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c +index d8c6b833f0ce..0c195b0f4216 100644 +--- a/net/ipv4/tcp_output.c ++++ b/net/ipv4/tcp_output.c +@@ -1185,7 +1185,7 @@ int tcp_fragment(struct sock *sk, struct sk_buff *skb, u32 len, + if (nsize < 0) + nsize = 0; + +- if (unlikely((sk->sk_wmem_queued >> 1) > sk->sk_sndbuf)) { ++ if (unlikely((sk->sk_wmem_queued >> 1) > sk->sk_sndbuf + 0x20000)) { + NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPWQUEUETOOBIG); + return -ENOMEM; + } +-- +2.20.1 + -- cgit v1.2.3-54-g00ecf
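Review bot: In the tcp_fragment() check, the `+ 0x20000` slack added to `sk->sk_sndbuf` is an unexplained magic number (128 KB). The commit message gives the rationale (tcp_sendmsg() only checks limits at full 64KB skb boundaries, and sockets with a very low SO_SNDBUF should not be punished), but none of that reaches the code. A short comment above the condition, or a named constant, would tell later readers why the bound is not simply sk_sndbuf and what must be revisited if the skb size assumption changes. Separately, the enclosing commit's subject and references name two upstream changes (e358f4af19db "tcp_fragment() should apply sane memory limits" and caa51edc7e96 "refine memory limit test"), yet it creates only this one patch file, whose removed line `if (unlikely((sk->sk_wmem_queued >> 1) > sk->sk_sndbuf)) {` already presumes the first fix is applied. Please state in the commit message where the base fix (f070ef2ac667 per the Fixes: tag) is carried and the order in which the two patches must apply, so the series does not fail or get applied without the original limit.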