Permalink
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Browse files
kernel: udp: properly support MSG_PEEK with truncated buffers (#1097)
Add upstream patch to fix CVE-2016-10229
- Loading branch information
Showing
with
109 additions
and 0 deletions.
@@ -0,0 +1,109 @@ | ||
From: Jan Niehusmann <jan@gondor.com> | ||
Date: Fri, 14 Apr 2017 21:26:27 +0200 | ||
Subject: udp: properly support MSG_PEEK with truncated buffers | ||
|
||
Add upstream patch to fix CVE-2016-10229 | ||
|
||
diff --git a/target/linux/generic/patches-3.18/001-udp-properly-support-MSG_PEEK-with-truncated-buffers.patch b/target/linux/generic/patches-3.18/001-udp-properly-support-MSG_PEEK-with-truncated-buffers.patch | ||
new file mode 100644 | ||
index 0000000000000000000000000000000000000000..16edc8c8da4ce8edf3ce1b5c2a56d543f9658897 | ||
--- /dev/null | ||
+++ b/target/linux/generic/patches-3.18/001-udp-properly-support-MSG_PEEK-with-truncated-buffers.patch | ||
@@ -0,0 +1,97 @@ | ||
+From 69335972b1c1c9bd7597fc6080b6eb1bd3fbf774 Mon Sep 17 00:00:00 2001 | ||
+From: Eric Dumazet <edumazet@google.com> | ||
+Date: Wed, 30 Dec 2015 08:51:12 -0500 | ||
+Subject: [PATCH] udp: properly support MSG_PEEK with truncated buffers | ||
+ | ||
+[ Upstream commit 197c949e7798fbf28cfadc69d9ca0c2abbf93191 ] | ||
+ | ||
+Backport of this upstream commit into stable kernels : | ||
+89c22d8c3b27 ("net: Fix skb csum races when peeking") | ||
+exposed a bug in udp stack vs MSG_PEEK support, when user provides | ||
+a buffer smaller than skb payload. | ||
+ | ||
+In this case, | ||
+skb_copy_and_csum_datagram_iovec(skb, sizeof(struct udphdr), | ||
+ msg->msg_iov); | ||
+returns -EFAULT. | ||
+ | ||
+This bug does not happen in upstream kernels since Al Viro did a great | ||
+job to replace this into : | ||
+skb_copy_and_csum_datagram_msg(skb, sizeof(struct udphdr), msg); | ||
+This variant is safe vs short buffers. | ||
+ | ||
+For the time being, instead reverting Herbert Xu patch and add back | ||
+skb->ip_summed invalid changes, simply store the result of | ||
+udp_lib_checksum_complete() so that we avoid computing the checksum a | ||
+second time, and avoid the problematic | ||
+skb_copy_and_csum_datagram_iovec() call. | ||
+ | ||
+This patch can be applied on recent kernels as it avoids a double | ||
+checksumming, then backported to stable kernels as a bug fix. | ||
+ | ||
+Signed-off-by: Eric Dumazet <edumazet@google.com> | ||
+Acked-by: Herbert Xu <herbert@gondor.apana.org.au> | ||
+Signed-off-by: David S. Miller <davem@davemloft.net> | ||
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com> | ||
+--- | ||
+ net/ipv4/udp.c | 6 ++++-- | ||
+ net/ipv6/udp.c | 6 ++++-- | ||
+ 2 files changed, 8 insertions(+), 4 deletions(-) | ||
+ | ||
+diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c | ||
+index 2a5d388..ee26711 100644 | ||
+--- a/net/ipv4/udp.c | ||
++++ b/net/ipv4/udp.c | ||
+@@ -1252,6 +1252,7 @@ int udp_recvmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg, | ||
+ int peeked, off = 0; | ||
+ int err; | ||
+ int is_udplite = IS_UDPLITE(sk); | ||
++ bool checksum_valid = false; | ||
+ bool slow; | ||
+ | ||
+ if (flags & MSG_ERRQUEUE) | ||
+@@ -1277,11 +1278,12 @@ try_again: | ||
+ */ | ||
+ | ||
+ if (copied < ulen || UDP_SKB_CB(skb)->partial_cov) { | ||
+- if (udp_lib_checksum_complete(skb)) | ||
++ checksum_valid = !udp_lib_checksum_complete(skb); | ||
++ if (!checksum_valid) | ||
+ goto csum_copy_err; | ||
+ } | ||
+ | ||
+- if (skb_csum_unnecessary(skb)) | ||
++ if (checksum_valid || skb_csum_unnecessary(skb)) | ||
+ err = skb_copy_datagram_iovec(skb, sizeof(struct udphdr), | ||
+ msg->msg_iov, copied); | ||
+ else { | ||
+diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c | ||
+index 7d01116..143e6c7 100644 | ||
+--- a/net/ipv6/udp.c | ||
++++ b/net/ipv6/udp.c | ||
+@@ -388,6 +388,7 @@ int udpv6_recvmsg(struct kiocb *iocb, struct sock *sk, | ||
+ int peeked, off = 0; | ||
+ int err; | ||
+ int is_udplite = IS_UDPLITE(sk); | ||
++ bool checksum_valid = false; | ||
+ int is_udp4; | ||
+ bool slow; | ||
+ | ||
+@@ -419,11 +420,12 @@ try_again: | ||
+ */ | ||
+ | ||
+ if (copied < ulen || UDP_SKB_CB(skb)->partial_cov) { | ||
+- if (udp_lib_checksum_complete(skb)) | ||
++ checksum_valid = !udp_lib_checksum_complete(skb); | ||
++ if (!checksum_valid) | ||
+ goto csum_copy_err; | ||
+ } | ||
+ | ||
+- if (skb_csum_unnecessary(skb)) | ||
++ if (checksum_valid || skb_csum_unnecessary(skb)) | ||
+ err = skb_copy_datagram_iovec(skb, sizeof(struct udphdr), | ||
+ msg->msg_iov, copied); | ||
+ else { | ||
+-- | ||
+2.1.4 | ||
+ |