code.ossystems Code Review - meta-freescale.git/commitdiff
sctp: CVE-2014-4667
author Sona Sarmadi <sona.sarmadi@enea.com>
Tue, 27 Jan 2015 13:04:10 +0000 (14:04 +0100)
committer Zhenhua Luo <zhenhua.luo@freescale.com>
Tue, 3 Feb 2015 02:10:41 +0000 (10:10 +0800)
sk_ack_backlog wrap-around problem

Reference:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4667

Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
meta-fsl-ppc/recipes-kernel/linux/files/sctp-CVE-2014-4667.patch [new file with mode: 0644]
meta-fsl-ppc/recipes-kernel/linux/linux-qoriq_3.12.bb

diff --git a/meta-fsl-ppc/recipes-kernel/linux/files/sctp-CVE-2014-4667.patch b/meta-fsl-ppc/recipes-kernel/linux/files/sctp-CVE-2014-4667.patch
new file mode 100644 (file)
index 0000000..e7b1228
--- /dev/null
@@ -0,0 +1,51 @@
+From ddb638e68690ca61959775b262a5ef0719c5c066 Mon Sep 17 00:00:00 2001
+From: Xufeng Zhang <xufeng.zhang@windriver.com>
+Date: Thu, 12 Jun 2014 10:53:36 +0800
+Subject: [PATCH] sctp: Fix sk_ack_backlog wrap-around problem
+
+[ Upstream commit d3217b15a19a4779c39b212358a5c71d725822ee ]
+
+Consider the scenario:
+For a TCP-style socket, while processing the COOKIE_ECHO chunk in
+sctp_sf_do_5_1D_ce(), after it has passed a series of sanity check,
+a new association would be created in sctp_unpack_cookie(), but afterwards,
+some processing maybe failed, and sctp_association_free() will be called to
+free the previously allocated association, in sctp_association_free(),
+sk_ack_backlog value is decremented for this socket, since the initial
+value for sk_ack_backlog is 0, after the decrement, it will be 65535,
+a wrap-around problem happens, and if we want to establish new associations
+afterward in the same socket, ABORT would be triggered since sctp deem the
+accept queue as full.
+Fix this issue by only decrementing sk_ack_backlog for associations in
+the endpoint's list.
+
+Fixes CVE-2014-4667
+Upstream-Status: Backport
+
+Fix-suggested-by: Neil Horman <nhorman@tuxdriver.com>
+Signed-off-by: Xufeng Zhang <xufeng.zhang@windriver.com>
+Acked-by: Daniel Borkmann <dborkman@redhat.com>
+Acked-by: Vlad Yasevich <vyasevich@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ net/sctp/associola.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/sctp/associola.c b/net/sctp/associola.c
+index cef5099..f6d6dcd 100644
+--- a/net/sctp/associola.c
++++ b/net/sctp/associola.c
+@@ -375,7 +375,7 @@ void sctp_association_free(struct sctp_association *asoc)
+       /* Only real associations count against the endpoint, so
+        * don't bother for if this is a temporary association.
+        */
+-      if (!asoc->temp) {
++      if (!list_empty(&asoc->asocs)) {
+               list_del(&asoc->asocs);
+               /* Decrement the backlog value for a TCP-style listening
+-- 
+1.9.1
+
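Review bot: the embedded hunk header `@@ -375,7 +375,7 @@` in the new patch file declares seven lines on each side, but only six appear here (three lines of leading context, the `-`/`+` pair, and two trailing context lines ending at `/* Decrement the backlog value for a TCP-style listening`), so the trailing context that closes that comment is missing; the enclosing `@@ -0,0 +1,51 @@` header likewise announces 51 lines while 50 are shown. Please confirm that the committed sctp-CVE-2014-4667.patch is complete, because a truncated hunk will be rejected when the recipe applies it. On the change itself, replacing `if (!asoc->temp)` with `if (!list_empty(&asoc->asocs))` decrements sk_ack_backlog only for associations that were actually linked into the endpoint's list, which matches the description; it relies on `asoc->asocs` being an initialised, empty list head for an association that was created but never added, which is worth stating in the patch header for this 3.12 backport. A `CVE: CVE-2014-4667` tag next to `Upstream-Status: Backport` would also be the usual way to mark the fix in an OE layer.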
index 90ccedd9160b3ca33607d45ec5b92ccaec25c785..2cd8ce9f697c2ccb0b70936d24cfb84bd9132771 100644 (file)
@@ -25,6 +25,7 @@ SRC_URI = "git://git.freescale.com/ppc/sdk/linux.git;nobranch=1 \
     file://auditsc-CVE-2014-3917.patch \
     file://0001-ALSA-CVE-2014-4652.patch \
     file://0002-ALSA-CVE-2014-4653.patch \
+    file://sctp-CVE-2014-4667.patch \
 "
 SRCREV = "6619b8b55796cdf0cec04b66a71288edd3057229"
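Review bot: the file header for this hunk is missing: the `index 90ccedd9...2cd8ce9f 100644` line is not preceded by a `diff --git a/meta-fsl-ppc/recipes-kernel/linux/linux-qoriq_3.12.bb b/...` line or the `---`/`+++` pair, so the recipe side of the diff cannot be applied from this view and the file is identifiable only from the file list at the top of the page. The SRC_URI addition itself follows the pattern of the neighbouring `file://...-CVE-2014-....patch \` entries, and the `SRCREV` context shows the kernel revision is unchanged, as expected for a patch-only fix.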