From c64913cec5cbf78e96771dfe76f14fc7cdd981b7 Mon Sep 17 00:00:00 2001 From: Sona Sarmadi Date: Fri, 29 Sep 2017 12:28:03 +0200 Subject: linux-cavium: CVE-2017-5986 Reachable BUG_ON from userspace in sctp_wait_for_sndbuf Reference: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-5986 Signed-off-by: Sona Sarmadi Signed-off-by: Adrian Dudau --- .../linux/linux-cavium/CVE-2017-5986.patch | 46 ++++++++++++++++++++++ recipes-kernel/linux/linux-cavium_4.9.inc | 1 + 2 files changed, 47 insertions(+) create mode 100644 recipes-kernel/linux/linux-cavium/CVE-2017-5986.patch diff --git a/recipes-kernel/linux/linux-cavium/CVE-2017-5986.patch b/recipes-kernel/linux/linux-cavium/CVE-2017-5986.patch new file mode 100644 index 0000000..6750cd5 --- /dev/null +++ b/recipes-kernel/linux/linux-cavium/CVE-2017-5986.patch @@ -0,0 +1,46 @@ +From 00eff2ebbd229758e90659907724c14dd5a18339 Mon Sep 17 00:00:00 2001 +From: Marcelo Ricardo Leitner +Date: Mon, 6 Feb 2017 18:10:31 -0200 +Subject: [PATCH] sctp: avoid BUG_ON on sctp_wait_for_sndbuf + +[ Upstream commit 2dcab598484185dea7ec22219c76dcdd59e3cb90 ] + +Alexander Popov reported that an application may trigger a BUG_ON in +sctp_wait_for_sndbuf if the socket tx buffer is full, a thread is +waiting on it to queue more data and meanwhile another thread peels off +the association being used by the first thread. + +This patch replaces the BUG_ON call with a proper error handling. It +will return -EPIPE to the original sendmsg call, similarly to what would +have been done if the association wasn't found in the first place. + +CVE: CVE-2017-5986 +Upstream-Status: Backport [from kernel.org longterm 4.9.52] + +Acked-by: Alexander Popov +Signed-off-by: Marcelo Ricardo Leitner +Reviewed-by: Xin Long +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sona Sarmadi +--- + net/sctp/socket.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/sctp/socket.c b/net/sctp/socket.c +index ca12aa3..6cbe5bd 100644 +--- a/net/sctp/socket.c ++++ b/net/sctp/socket.c +@@ -7427,7 +7427,8 @@ static int sctp_wait_for_sndbuf(struct sctp_association *asoc, long *timeo_p, + */ + release_sock(sk); + current_timeo = schedule_timeout(current_timeo); +- BUG_ON(sk != asoc->base.sk); ++ if (sk != asoc->base.sk) ++ goto do_error; + lock_sock(sk); + + *timeo_p = current_timeo; +-- +1.9.1 + diff --git a/recipes-kernel/linux/linux-cavium_4.9.inc b/recipes-kernel/linux/linux-cavium_4.9.inc index fc1a341..6aa43f4 100644 --- a/recipes-kernel/linux/linux-cavium_4.9.inc +++ b/recipes-kernel/linux/linux-cavium_4.9.inc @@ -21,6 +21,7 @@ SRC_URI = "git://git@git.enea.com/linux/linux-cavium.git;protocol=ssh;name=machi file://CVE-2017-5577.patch \ file://CVE-2017-5669.patch \ file://CVE-2017-5970.patch \ + file://CVE-2017-5986.patch \ file://CVE-2017-7487.patch \ file://CVE-2017-7618.patch \ file://CVE-2017-7645.patch \ -- cgit v1.2.3-54-g00ecf