2 files changed, 86 insertions, 0 deletions
diff --git a/recipes-kernel/linux/files/sctp-CVE-2014-7841.patch b/recipes-kernel/linux/files/sctp-CVE-2014-7841.patch
new file mode 100644
index 0000000..0c4beb3
--- /dev/null
+++ b/recipes-kernel/linux/files/sctp-CVE-2014-7841.patch
@@ -0,0 +1,85 @@
+From 4008f1dbe6fea8114e7f79ed2d238e369dc9138f Mon Sep 17 00:00:00 2001
+From: Daniel Borkmann <dborkman@redhat.com>
+Date: Mon, 10 Nov 2014 17:54:26 +0100
+Subject: [PATCH] net: sctp: fix NULL pointer dereference in
+ af->from_addr_param on malformed packet
+[ Upstream commit e40607cbe270a9e8360907cb1e62ddf0736e4864 ]
+An SCTP server doing ASCONF will panic on malformed INIT ping-of-death
+in the form of:
+  ------------ INIT[PARAM: SET_PRIMARY_IP] ------------>
+While the INIT chunk parameter verification dissects through many things
+in order to detect malformed input, it misses to actually check parameters
+inside of parameters. E.g. RFC5061, section 4.2.4 proposes a 'set primary
+IP address' parameter in ASCONF, which has as a subparameter an address
+parameter.
+So an attacker may send a parameter type other than SCTP_PARAM_IPV4_ADDRESS
+or SCTP_PARAM_IPV6_ADDRESS, param_type2af() will subsequently return 0
+and thus sctp_get_af_specific() returns NULL, too, which we then happily
+dereference unconditionally through af->from_addr_param().
+The trace for the log:
+BUG: unable to handle kernel NULL pointer dereference at 0000000000000078
+IP: [<ffffffffa01e9c62>] sctp_process_init+0x492/0x990 [sctp]
+PGD 0
+Oops: 0000 [#1] SMP
+[...]
+Pid: 0, comm: swapper Not tainted 2.6.32-504.el6.x86_64 #1 Bochs Bochs
+RIP: 0010:[<ffffffffa01e9c62>]  [<ffffffffa01e9c62>] sctp_process_init+0x492/0x990 [sctp]
+[...]
+Call Trace:
+ <IRQ>
+ [<ffffffffa01f2add>] ? sctp_bind_addr_copy+0x5d/0xe0 [sctp]
+ [<ffffffffa01e1fcb>] sctp_sf_do_5_1B_init+0x21b/0x340 [sctp]
+ [<ffffffffa01e3751>] sctp_do_sm+0x71/0x1210 [sctp]
+ [<ffffffffa01e5c09>] ? sctp_endpoint_lookup_assoc+0xc9/0xf0 [sctp]
+ [<ffffffffa01e61f6>] sctp_endpoint_bh_rcv+0x116/0x230 [sctp]
+ [<ffffffffa01ee986>] sctp_inq_push+0x56/0x80 [sctp]
+ [<ffffffffa01fcc42>] sctp_rcv+0x982/0xa10 [sctp]
+ [<ffffffffa01d5123>] ? ipt_local_in_hook+0x23/0x28 [iptable_filter]
+ [<ffffffff8148bdc9>] ? nf_iterate+0x69/0xb0
+ [<ffffffff81496d10>] ? ip_local_deliver_finish+0x0/0x2d0
+ [<ffffffff8148bf86>] ? nf_hook_slow+0x76/0x120
+ [<ffffffff81496d10>] ? ip_local_deliver_finish+0x0/0x2d0
+[...]
+A minimal way to address this is to check for NULL as we do on all
+other such occasions where we know sctp_get_af_specific() could
+possibly return with NULL.
+Fix for CVE-2014-7841
+Upstream-Status: Backport
+Fixes: d6de3097592b ("[SCTP]: Add the handling of "Set Primary IP Address" parameter to INIT")
+Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
+Cc: Vlad Yasevich <vyasevich@gmail.com>
+Acked-by: Neil Horman <nhorman@tuxdriver.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ net/sctp/sm_make_chunk.c | 3 +++
+ 1 file changed, 3 insertions(+)
+diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c
+index 1e06f3b..e342387 100644
+--- a/net/sctp/sm_make_chunk.c
+++ b/net/sctp/sm_make_chunk.c
+@@ -2622,6 +2622,9 @@ do_addr_param:
+                addr_param = param.v + sizeof(sctp_addip_param_t);
+ 
+                af = sctp_get_af_specific(param_type2af(param.p->type));
+               if (af == NULL)
+                       break;
+
+                af->from_addr_param(&addr, addr_param,
+                                    htons(asoc->peer.port), 0);
+ 
+-- 
+1.9.1
diff --git a/recipes-kernel/linux/linux-qoriq_3.12.bb b/recipes-kernel/linux/linux-qoriq_3.12.bb
index 2cd8ce9..5c67dc3 100644
--- a/recipes-kernel/linux/linux-qoriq_3.12.bb
+++ b/recipes-kernel/linux/linux-qoriq_3.12.bb
@@ -26,6 +26,7 @@ SRC_URI = "git://git.freescale.com/ppc/sdk/linux.git;nobranch=1 \
    file://0001-ALSA-CVE-2014-4652.patch \
    file://0002-ALSA-CVE-2014-4653.patch \
    file://sctp-CVE-2014-4667.patch \
+    file://sctp-CVE-2014-7841.patch \
 "
 SRCREV = "6619b8b55796cdf0cec04b66a71288edd3057229"

diff --git a/recipes-kernel/linux/files/sctp-CVE-2014-7841.patch b/recipes-kernel/linux/files/sctp-CVE-2014-7841.patch new file mode 100644 index 0000000..0c4beb3 --- /dev/null +++ b/recipes-kernel/linux/files/sctp-CVE-2014-7841.patch
@@ -0,0 +1,85 @@
		1	From 4008f1dbe6fea8114e7f79ed2d238e369dc9138f Mon Sep 17 00:00:00 2001
		2	From: Daniel Borkmann <dborkman@redhat.com>
		3	Date: Mon, 10 Nov 2014 17:54:26 +0100
		4	Subject: [PATCH] net: sctp: fix NULL pointer dereference in
		5	af->from_addr_param on malformed packet
		6
		7	[ Upstream commit e40607cbe270a9e8360907cb1e62ddf0736e4864 ]
		8
		9	An SCTP server doing ASCONF will panic on malformed INIT ping-of-death
		10	in the form of:
		11
		12	------------ INIT[PARAM: SET_PRIMARY_IP] ------------>
		13
		14	While the INIT chunk parameter verification dissects through many things
		15	in order to detect malformed input, it misses to actually check parameters
		16	inside of parameters. E.g. RFC5061, section 4.2.4 proposes a 'set primary
		17	IP address' parameter in ASCONF, which has as a subparameter an address
		18	parameter.
		19
		20	So an attacker may send a parameter type other than SCTP_PARAM_IPV4_ADDRESS
		21	or SCTP_PARAM_IPV6_ADDRESS, param_type2af() will subsequently return 0
		22	and thus sctp_get_af_specific() returns NULL, too, which we then happily
		23	dereference unconditionally through af->from_addr_param().
		24
		25	The trace for the log:
		26
		27	BUG: unable to handle kernel NULL pointer dereference at 0000000000000078
		28	IP: [<ffffffffa01e9c62>] sctp_process_init+0x492/0x990 [sctp]
		29	PGD 0
		30	Oops: 0000 [#1] SMP
		31	[...]
		32	Pid: 0, comm: swapper Not tainted 2.6.32-504.el6.x86_64 #1 Bochs Bochs
		33	RIP: 0010:[<ffffffffa01e9c62>] [<ffffffffa01e9c62>] sctp_process_init+0x492/0x990 [sctp]
		34	[...]
		35	Call Trace:
		36	<IRQ>
		37	[<ffffffffa01f2add>] ? sctp_bind_addr_copy+0x5d/0xe0 [sctp]
		38	[<ffffffffa01e1fcb>] sctp_sf_do_5_1B_init+0x21b/0x340 [sctp]
		39	[<ffffffffa01e3751>] sctp_do_sm+0x71/0x1210 [sctp]
		40	[<ffffffffa01e5c09>] ? sctp_endpoint_lookup_assoc+0xc9/0xf0 [sctp]
		41	[<ffffffffa01e61f6>] sctp_endpoint_bh_rcv+0x116/0x230 [sctp]
		42	[<ffffffffa01ee986>] sctp_inq_push+0x56/0x80 [sctp]
		43	[<ffffffffa01fcc42>] sctp_rcv+0x982/0xa10 [sctp]
		44	[<ffffffffa01d5123>] ? ipt_local_in_hook+0x23/0x28 [iptable_filter]
		45	[<ffffffff8148bdc9>] ? nf_iterate+0x69/0xb0
		46	[<ffffffff81496d10>] ? ip_local_deliver_finish+0x0/0x2d0
		47	[<ffffffff8148bf86>] ? nf_hook_slow+0x76/0x120
		48	[<ffffffff81496d10>] ? ip_local_deliver_finish+0x0/0x2d0
		49	[...]
		50
		51	A minimal way to address this is to check for NULL as we do on all
		52	other such occasions where we know sctp_get_af_specific() could
		53	possibly return with NULL.
		54
		55	Fix for CVE-2014-7841
		56	Upstream-Status: Backport
		57
		58	Fixes: d6de3097592b ("[SCTP]: Add the handling of "Set Primary IP Address" parameter to INIT")
		59	Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
		60	Cc: Vlad Yasevich <vyasevich@gmail.com>
		61	Acked-by: Neil Horman <nhorman@tuxdriver.com>
		62	Signed-off-by: David S. Miller <davem@davemloft.net>
		63	Signed-off-by: Jiri Slaby <jslaby@suse.cz>
		64	Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
		65	---
		66	net/sctp/sm_make_chunk.c \| 3 +++
		67	1 file changed, 3 insertions(+)
		68
		69	diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c
		70	index 1e06f3b..e342387 100644
		71	--- a/net/sctp/sm_make_chunk.c
		72	+++ b/net/sctp/sm_make_chunk.c
		73	@@ -2622,6 +2622,9 @@ do_addr_param:
		74	addr_param = param.v + sizeof(sctp_addip_param_t);
		75
		76	af = sctp_get_af_specific(param_type2af(param.p->type));
		77	+ if (af == NULL)
		78	+ break;
		79	+
		80	af->from_addr_param(&addr, addr_param,
		81	htons(asoc->peer.port), 0);
		82
		83	--
		84	1.9.1
		85


diff --git a/recipes-kernel/linux/linux-qoriq_3.12.bb b/recipes-kernel/linux/linux-qoriq_3.12.bb index 2cd8ce9..5c67dc3 100644 --- a/recipes-kernel/linux/linux-qoriq_3.12.bb +++ b/recipes-kernel/linux/linux-qoriq_3.12.bb
@@ -26,6 +26,7 @@ SRC_URI = "git://git.freescale.com/ppc/sdk/linux.git;nobranch=1 \
26	file://0001-ALSA-CVE-2014-4652.patch \	26	file://0001-ALSA-CVE-2014-4652.patch \
27	file://0002-ALSA-CVE-2014-4653.patch \	27	file://0002-ALSA-CVE-2014-4653.patch \
28	file://sctp-CVE-2014-4667.patch \	28	file://sctp-CVE-2014-4667.patch \
		29	file://sctp-CVE-2014-7841.patch \
29	"	30	"
30	SRCREV = "6619b8b55796cdf0cec04b66a71288edd3057229"	31	SRCREV = "6619b8b55796cdf0cec04b66a71288edd3057229"
31		32