From: Greg Kroah-Hartman Date: Wed, 18 Mar 2020 17:00:12 +0000 (+0100) Subject: 4.9-stable patches X-Git-Tag: v4.4.217~39 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=45b17385b87098d527828f68793f5f85fd4be5a5;p=thirdparty%2Fkernel%2Fstable-queue.git 4.9-stable patches added patches: batman-adv-avoid-probe-elp-information-leak.patch batman-adv-update-data-pointers-after-skb_cow.patch batman-adv-use-explicit-tvlv-padding-for-elp-packets.patch
---
diff --git a/queue-4.9/batman-adv-avoid-probe-elp-information-leak.patch b/queue-4.9/batman-adv-avoid-probe-elp-information-leak.patch
new file mode 100644
index 00000000000..e8a26519080
--- /dev/null
+++ b/queue-4.9/batman-adv-avoid-probe-elp-information-leak.patch
@@ -0,0 +1,50 @@
+From foo@baz Wed 18 Mar 2020 05:59:41 PM CET
+From: Sven Eckelmann
+Date: Tue, 17 Mar 2020 21:15:39 +0100
+Subject: batman-adv: Avoid probe ELP information leak
+To: stable@vger.kernel.org
+Cc: Sven Eckelmann , Antonio Quartulli , Simon Wunderlich
+Message-ID: <20200317201540.23496-3-sven@narfation.org>
+
+From: Sven Eckelmann
+
+commit 88d0895d0ea9d4431507d576c963f2ff9918144d upstream.
+
+The probe ELPs for WiFi interfaces are expanded to contain at least
+BATADV_ELP_MIN_PROBE_SIZE bytes. This is usually a lot more than the
+number of bytes which the template ELP packet requires.
+
+These extra padding bytes were not initialized and thus could contain data
+which were previously stored at the same location. It is therefore required
+to set it to some predefined or random values to avoid leaking private
+information from the system transmitting these kind of packets.
+
+Fixes: e4623c913508 ("batman-adv: Avoid probe ELP information leak")
+Signed-off-by: Sven Eckelmann
+Acked-by: Antonio Quartulli
+Signed-off-by: Simon Wunderlich
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/batman-adv/bat_v_elp.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/batman-adv/bat_v_elp.c
++++ b/net/batman-adv/bat_v_elp.c
+@@ -191,6 +191,7 @@ batadv_v_elp_wifi_neigh_probe(struct bat
+ struct sk_buff *skb;
+ int probe_len, i;
+ int elp_skb_len;
++ void *tmp;
+
+ /* this probing routine is for Wifi neighbours only */
+ if (!batadv_is_wifi_netdev(hard_iface->net_dev))
+@@ -222,7 +223,8 @@ batadv_v_elp_wifi_neigh_probe(struct bat
+ * the packet to be exactly of that size to make the link
+ * throughput estimation effective.
+ */
+- skb_put(skb, probe_len - hard_iface->bat_v.elp_skb->len);
++ tmp = skb_put(skb, probe_len - hard_iface->bat_v.elp_skb->len);
++ memset(tmp, 0, probe_len - hard_iface->bat_v.elp_skb->len);
+
+ batadv_dbg(BATADV_DBG_BATMAN, bat_priv,
+ "Sending unicast (probe) ELP packet on interface %s to %pM\n",
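Review bot: The padding length `probe_len - hard_iface->bat_v.elp_skb->len` is written out twice in the added lines, once for `skb_put()` and once for `memset()`, so a later edit to only one of them would either leave uninitialised bytes in a transmitted frame again or zero past the area that was reserved. Computing it once keeps the two in step: `pad_len = probe_len - hard_iface->bat_v.elp_skb->len;` followed by `tmp = skb_put(skb, pad_len);` and `memset(tmp, 0, pad_len);`. The context already declares `elp_skb_len`; if it holds that same length (its assignment is outside the hunk), it could be reused instead of dereferencing `elp_skb` again. `probe_len` is declared `int`, so it is also worth confirming in the part of the function not shown here that the difference can never be negative before it is passed to `memset()` as a size.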
diff --git a/queue-4.9/batman-adv-update-data-pointers-after-skb_cow.patch b/queue-4.9/batman-adv-update-data-pointers-after-skb_cow.patch
new file mode 100644
index 00000000000..2ad576f6c8b
--- /dev/null
+++ b/queue-4.9/batman-adv-update-data-pointers-after-skb_cow.patch
@@ -0,0 +1,48 @@
+From foo@baz Wed 18 Mar 2020 05:59:41 PM CET
+From: Sven Eckelmann
+Date: Tue, 17 Mar 2020 21:15:38 +0100
+Subject: batman-adv: update data pointers after skb_cow()
+To: stable@vger.kernel.org
+Cc: Matthias Schiffer , Sven Eckelmann
+Message-ID: <20200317201540.23496-2-sven@narfation.org>
+
+From: Matthias Schiffer
+
+commit bc44b78157f621ff2a2618fe287a827bcb094ac4 upstream.
+
+batadv_check_unicast_ttvn() calls skb_cow(), so pointers into the SKB data
+must be (re)set after calling it. The ethhdr variable is dropped
+altogether.
+
+Fixes: 78fc6bbe0aca ("batman-adv: add UNICAST_4ADDR packet type")
+Signed-off-by: Matthias Schiffer
+Signed-off-by: Sven Eckelmann
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/batman-adv/routing.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/net/batman-adv/routing.c
++++ b/net/batman-adv/routing.c
+@@ -930,7 +930,6 @@ int batadv_recv_unicast_packet(struct sk
+ bool is4addr;
+
+ unicast_packet = (struct batadv_unicast_packet *)skb->data;
+- unicast_4addr_packet = (struct batadv_unicast_4addr_packet *)skb->data;
+
+ is4addr = unicast_packet->packet_type == BATADV_UNICAST_4ADDR;
+ /* the caller function should have already pulled 2 bytes */
+@@ -951,9 +950,13 @@ int batadv_recv_unicast_packet(struct sk
+ if (!batadv_check_unicast_ttvn(bat_priv, skb, hdr_size))
+ return NET_RX_DROP;
+
++ unicast_packet = (struct batadv_unicast_packet *)skb->data;
++
+ /* packet for me */
+ if (batadv_is_my_mac(bat_priv, unicast_packet->dest)) {
+ if (is4addr) {
++ unicast_4addr_packet =
++ (struct batadv_unicast_4addr_packet *)skb->data;
+ subtype = unicast_4addr_packet->subtype;
+ batadv_dat_inc_counter(bat_priv, subtype);
+
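Review bot: The reload of `unicast_packet` after `batadv_check_unicast_ttvn()` carries no comment, and to a later reader it looks like a redundant repeat of the assignment at the top of the function. A one-line comment above it, such as `/* batadv_check_unicast_ttvn() may skb_cow(); reload pointers into skb->data */`, would keep the line from being tidied away and the stale-pointer read from coming back. `is4addr` is still derived from the pointer taken before the call, which is fine because it is a copied value rather than a pointer. The function continues past the end of the hunk, so any other pointer into `skb->data` that is taken before the call and used after it should be checked there.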
diff --git a/queue-4.9/batman-adv-use-explicit-tvlv-padding-for-elp-packets.patch b/queue-4.9/batman-adv-use-explicit-tvlv-padding-for-elp-packets.patch
new file mode 100644
index 00000000000..4236a0347e8
--- /dev/null
+++ b/queue-4.9/batman-adv-use-explicit-tvlv-padding-for-elp-packets.patch
@@ -0,0 +1,64 @@
+From foo@baz Wed 18 Mar 2020 05:59:41 PM CET
+From: Sven Eckelmann
+Date: Tue, 17 Mar 2020 21:15:40 +0100
+Subject: batman-adv: Use explicit tvlv padding for ELP packets
+To: stable@vger.kernel.org
+Cc: "Sven Eckelmann" , "Linus Lüssing" , "Simon Wunderlich"
+Message-ID: <20200317201540.23496-4-sven@narfation.org>
+
+From: Sven Eckelmann
+
+commit f4156f9656feac21f4de712fac94fae964c5d402 upstream.
+
+The announcement messages of batman-adv COMPAT_VERSION 15 have the
+possibility to announce additional information via a dynamic TVLV part.
+This part is optional for the ELP packets and currently not parsed by the
+Linux implementation. Still out-of-tree versions are using it to transport
+things like neighbor hashes to optimize the rebroadcast behavior.
+
+Since the ELP broadcast packets are smaller than the minimal ethernet
+packet, it often has to be padded. This is often done (as specified in
+RFC894) with octets of zero and thus work perfectly fine with the TVLV
+part (making it a zero length and thus empty). But not all ethernet
+compatible hardware seems to follow this advice. To avoid ambiguous
+situations when parsing the TVLV header, just force the 4 bytes (TVLV
+length + padding) after the required ELP header to zero.
+
+Fixes: d6f94d91f766 ("batman-adv: ELP - adding basic infrastructure")
+Reported-by: Linus Lüssing
+Signed-off-by: Sven Eckelmann
+Signed-off-by: Simon Wunderlich
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/batman-adv/bat_v_elp.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/net/batman-adv/bat_v_elp.c
++++ b/net/batman-adv/bat_v_elp.c
+@@ -335,21 +335,23 @@ out:
+ */
+ int batadv_v_elp_iface_enable(struct batadv_hard_iface *hard_iface)
+ {
++ static const size_t tvlv_padding = sizeof(__be32);
+ struct batadv_elp_packet *elp_packet;
+ unsigned char *elp_buff;
+ u32 random_seqno;
+ size_t size;
+ int res = -ENOMEM;
+
+- size = ETH_HLEN + NET_IP_ALIGN + BATADV_ELP_HLEN;
++ size = ETH_HLEN + NET_IP_ALIGN + BATADV_ELP_HLEN + tvlv_padding;
+ hard_iface->bat_v.elp_skb = dev_alloc_skb(size);
+ if (!hard_iface->bat_v.elp_skb)
+ goto out;
+
+ skb_reserve(hard_iface->bat_v.elp_skb, ETH_HLEN + NET_IP_ALIGN);
+- elp_buff = skb_put(hard_iface->bat_v.elp_skb, BATADV_ELP_HLEN);
++ elp_buff = skb_put(hard_iface->bat_v.elp_skb,
++ BATADV_ELP_HLEN + tvlv_padding);
+ elp_packet = (struct batadv_elp_packet *)elp_buff;
+- memset(elp_packet, 0, BATADV_ELP_HLEN);
++ memset(elp_packet, 0, BATADV_ELP_HLEN + tvlv_padding);
+
+ elp_packet->packet_type = BATADV_ELP;
+ elp_packet->version = BATADV_COMPAT_VERSION;
diff --git a/queue-4.9/series b/queue-4.9/series
index 1344900afd7..5b9a248e010 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -72,3 +72,6 @@ batman-adv-fix-duplicated-ogms-on-netdev_up.patch
 batman-adv-avoid-free-alloc-race-when-handling-ogm2-buffer.patch
 batman-adv-avoid-free-alloc-race-when-handling-ogm-buffer.patch
 batman-adv-don-t-schedule-ogm-for-disabled-interface.patch
+batman-adv-update-data-pointers-after-skb_cow.patch
+batman-adv-avoid-probe-elp-information-leak.patch
+batman-adv-use-explicit-tvlv-padding-for-elp-packets.patch
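Review bot: `tvlv_padding` in `batadv_v_elp_iface_enable()` is defined as `sizeof(__be32)` with no comment, so the code no longer says what the commit message does: that these 4 bytes are the TVLV length plus padding and are forced to zero so the TVLV part parses as empty. A comment on the declaration, for example `/* TVLV length + padding after the ELP header, always sent as zero */`, would tie the constant to the packet layout. The sum `BATADV_ELP_HLEN + tvlv_padding` is repeated for the `skb_put()` and `memset()` sizes and again inside `size`; holding it in one local would keep the zeroed range and the reserved range identical if either is changed later. The function body continues past the end of the hunk.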