From: Greg Kroah-Hartman Date: Mon, 14 Apr 2014 22:33:11 +0000 (-0700) Subject: 3.4-stable patches X-Git-Tag: v3.13.11~18 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=89ffa559048855d9a25204ac45e25a19e02301f5;p=thirdparty%2Fkernel%2Fstable-queue.git 3.4-stable patches added patches: bridge-multicast-add-sanity-check-for-query-source-addresses.patch ipv6-avoid-unnecessary-temporary-addresses-being-generated.patch ipv6-don-t-set-dst_nocount-for-remotely-added-routes.patch ipv6-ip6_append_data_mtu-do-not-handle-the-mtu-of-the-second-fragment-properly.patch ipv6-some-ipv6-statistic-counters-failed-to-disable-bh.patch isdnloop-several-buffer-overflows.patch isdnloop-validate-nul-terminated-strings-from-user.patch netlink-don-t-compare-the-nul-termination-in-nla_strcmp.patch net-sctp-fix-skb-leakage-in-cookie-echo-path-of-chunk-auth_chunk.patch net-socket-error-on-a-negative-msg_namelen.patch net-unix-non-blocking-recvmsg-should-not-return-eintr.patch rds-prevent-dereference-of-a-null-device-in-rds_iw_laddr_check.patch vhost-fix-total-length-when-packets-are-too-short.patch vhost-validate-vhost_get_vq_desc-return-value.patch vlan-set-correct-source-mac-address-with-tx-vlan-offload-enabled.patch xen-netback-remove-pointless-clause-from-if-statement.patch --- diff --git a/queue-3.4/bridge-multicast-add-sanity-check-for-query-source-addresses.patch b/queue-3.4/bridge-multicast-add-sanity-check-for-query-source-addresses.patch new file mode 100644 index 00000000000..b7feb6b2972 --- /dev/null +++ b/queue-3.4/bridge-multicast-add-sanity-check-for-query-source-addresses.patch @@ -0,0 +1,48 @@ +From foo@baz Mon Apr 14 15:32:12 PDT 2014 +From: Linus Lüssing +Date: Tue, 4 Mar 2014 03:57:35 +0100 +Subject: bridge: multicast: add sanity check for query source addresses +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Linus Lüssing + +[ Upstream commit 6565b9eeef194afbb3beec80d6dd2447f4091f8c ] + +MLD queries are supposed to have an IPv6 link-local source address +according to RFC2710, section 4 and RFC3810, section 5.1.14. This patch +adds a sanity check to ignore such broken MLD queries. + +Without this check, such malformed MLD queries can result in a +denial of service: The queries are ignored by any MLD listener +therefore they will not respond with an MLD report. However, +without this patch these malformed MLD queries would enable the +snooping part in the bridge code, potentially shutting down the +according ports towards these hosts for multicast traffic as the +bridge did not learn about these listeners. + +Reported-by: Jan Stancek +Signed-off-by: Linus Lüssing +Reviewed-by: Hannes Frederic Sowa +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/bridge/br_multicast.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/net/bridge/br_multicast.c ++++ b/net/bridge/br_multicast.c +@@ -1138,6 +1138,12 @@ static int br_ip6_multicast_query(struct + + br_multicast_query_received(br, port, !ipv6_addr_any(&ip6h->saddr)); + ++ /* RFC2710+RFC3810 (MLDv1+MLDv2) require link-local source addresses */ ++ if (!(ipv6_addr_type(&ip6h->saddr) & IPV6_ADDR_LINKLOCAL)) { ++ err = -EINVAL; ++ goto out; ++ } ++ + if (skb->len == sizeof(*mld)) { + if (!pskb_may_pull(skb, sizeof(*mld))) { + err = -EINVAL; diff --git a/queue-3.4/ipv6-avoid-unnecessary-temporary-addresses-being-generated.patch b/queue-3.4/ipv6-avoid-unnecessary-temporary-addresses-being-generated.patch new file mode 100644 index 00000000000..9d226c065a7 --- /dev/null +++ b/queue-3.4/ipv6-avoid-unnecessary-temporary-addresses-being-generated.patch @@ -0,0 +1,41 @@ +From foo@baz Mon Apr 14 15:32:12 PDT 2014 +From: Heiner Kallweit +Date: Wed, 12 Mar 2014 22:13:19 +0100 +Subject: ipv6: Avoid unnecessary temporary addresses being generated + +From: Heiner Kallweit + +[ Upstream commit ecab67015ef6e3f3635551dcc9971cf363cc1cd5 ] + +tmp_prefered_lft is an offset to ifp->tstamp, not now. Therefore +age needs to be added to the condition. + +Age calculation in ipv6_create_tempaddr is different from the one +in addrconf_verify and doesn't consider ADDRCONF_TIMER_FUZZ_MINUS. +This can cause age in ipv6_create_tempaddr to be less than the one +in addrconf_verify and therefore unnecessary temporary address to +be generated. +Use age calculation as in addrconf_modify to avoid this. + +Signed-off-by: Heiner Kallweit +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/addrconf.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/net/ipv6/addrconf.c ++++ b/net/ipv6/addrconf.c +@@ -897,8 +897,11 @@ retry: + * Lifetime is greater than REGEN_ADVANCE time units. In particular, + * an implementation must not create a temporary address with a zero + * Preferred Lifetime. ++ * Use age calculation as in addrconf_verify to avoid unnecessary ++ * temporary addresses being generated. + */ +- if (tmp_prefered_lft <= regen_advance) { ++ age = (now - tmp_tstamp + ADDRCONF_TIMER_FUZZ_MINUS) / HZ; ++ if (tmp_prefered_lft <= regen_advance + age) { + in6_ifa_put(ifp); + in6_dev_put(idev); + ret = -1; diff --git a/queue-3.4/ipv6-don-t-set-dst_nocount-for-remotely-added-routes.patch b/queue-3.4/ipv6-don-t-set-dst_nocount-for-remotely-added-routes.patch new file mode 100644 index 00000000000..e8d51fe0488 --- /dev/null +++ b/queue-3.4/ipv6-don-t-set-dst_nocount-for-remotely-added-routes.patch @@ -0,0 +1,33 @@ +From foo@baz Mon Apr 14 15:32:12 PDT 2014 +From: Sabrina Dubroca +Date: Thu, 6 Mar 2014 17:51:57 +0100 +Subject: ipv6: don't set DST_NOCOUNT for remotely added routes + +From: Sabrina Dubroca + +[ Upstream commit c88507fbad8055297c1d1e21e599f46960cbee39 ] + +DST_NOCOUNT should only be used if an authorized user adds routes +locally. In case of routes which are added on behalf of router +advertisments this flag must not get used as it allows an unlimited +number of routes getting added remotely. + +Signed-off-by: Sabrina Dubroca +Acked-by: Hannes Frederic Sowa +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/route.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/ipv6/route.c ++++ b/net/ipv6/route.c +@@ -1302,7 +1302,7 @@ int ip6_route_add(struct fib6_config *cf + if (!table) + goto out; + +- rt = ip6_dst_alloc(&net->ipv6.ip6_dst_ops, NULL, DST_NOCOUNT); ++ rt = ip6_dst_alloc(&net->ipv6.ip6_dst_ops, NULL, (cfg->fc_flags & RTF_ADDRCONF) ? 0 : DST_NOCOUNT); + + if (!rt) { + err = -ENOMEM; diff --git a/queue-3.4/ipv6-ip6_append_data_mtu-do-not-handle-the-mtu-of-the-second-fragment-properly.patch b/queue-3.4/ipv6-ip6_append_data_mtu-do-not-handle-the-mtu-of-the-second-fragment-properly.patch new file mode 100644 index 00000000000..71ea144b4a2 --- /dev/null +++ b/queue-3.4/ipv6-ip6_append_data_mtu-do-not-handle-the-mtu-of-the-second-fragment-properly.patch @@ -0,0 +1,96 @@ +From foo@baz Mon Apr 14 15:32:12 PDT 2014 +From: lucien +Date: Mon, 17 Mar 2014 12:51:01 +0800 +Subject: ipv6: ip6_append_data_mtu do not handle the mtu of the second fragment properly + +From: lucien + +[ Upstream commit e367c2d03dba4c9bcafad24688fadb79dd95b218 ] + +In ip6_append_data_mtu(), when the xfrm mode is not tunnel(such as +transport),the ipsec header need to be added in the first fragment, so the mtu +will decrease to reserve space for it, then the second fragment come, the mtu +should be turn back, as the commit 0c1833797a5a6ec23ea9261d979aa18078720b74 +said. however, in the commit a493e60ac4bbe2e977e7129d6d8cbb0dd236be, it use +*mtu = min(*mtu, ...) to change the mtu, which lead to the new mtu is alway +equal with the first fragment's. and cannot turn back. + +when I test through ping6 -c1 -s5000 $ip (mtu=1280): +...frag (0|1232) ESP(spi=0x00002000,seq=0xb), length 1232 +...frag (1232|1216) +...frag (2448|1216) +...frag (3664|1216) +...frag (4880|164) + +which should be: +...frag (0|1232) ESP(spi=0x00001000,seq=0x1), length 1232 +...frag (1232|1232) +...frag (2464|1232) +...frag (3696|1232) +...frag (4928|116) + +so delete the min() when change back the mtu. + +Signed-off-by: Xin Long +Fixes: 75a493e60ac4bb ("ipv6: ip6_append_data_mtu did not care about pmtudisc and frag_size") +Acked-by: Hannes Frederic Sowa +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/ip6_output.c | 14 ++++++-------- + 1 file changed, 6 insertions(+), 8 deletions(-) + +--- a/net/ipv6/ip6_output.c ++++ b/net/ipv6/ip6_output.c +@@ -1194,21 +1194,19 @@ static void ip6_append_data_mtu(unsigned + unsigned int fragheaderlen, + struct sk_buff *skb, + struct rt6_info *rt, +- bool pmtuprobe) ++ unsigned int orig_mtu) + { + if (!(rt->dst.flags & DST_XFRM_TUNNEL)) { + if (skb == NULL) { + /* first fragment, reserve header_len */ +- *mtu = *mtu - rt->dst.header_len; ++ *mtu = orig_mtu - rt->dst.header_len; + + } else { + /* + * this fragment is not first, the headers + * space is regarded as data space. + */ +- *mtu = min(*mtu, pmtuprobe ? +- rt->dst.dev->mtu : +- dst_mtu(rt->dst.path)); ++ *mtu = orig_mtu; + } + *maxfraglen = ((*mtu - fragheaderlen) & ~7) + + fragheaderlen - sizeof(struct frag_hdr); +@@ -1225,7 +1223,7 @@ int ip6_append_data(struct sock *sk, int + struct ipv6_pinfo *np = inet6_sk(sk); + struct inet_cork *cork; + struct sk_buff *skb, *skb_prev = NULL; +- unsigned int maxfraglen, fragheaderlen, mtu; ++ unsigned int maxfraglen, fragheaderlen, mtu, orig_mtu; + int exthdrlen; + int dst_exthdrlen; + int hh_len; +@@ -1310,6 +1308,7 @@ int ip6_append_data(struct sock *sk, int + dst_exthdrlen = 0; + mtu = cork->fragsize; + } ++ orig_mtu = mtu; + + hh_len = LL_RESERVED_SPACE(rt->dst.dev); + +@@ -1392,8 +1391,7 @@ alloc_new_skb: + if (skb == NULL || skb_prev == NULL) + ip6_append_data_mtu(&mtu, &maxfraglen, + fragheaderlen, skb, rt, +- np->pmtudisc == +- IPV6_PMTUDISC_PROBE); ++ orig_mtu); + + skb_prev = skb; + diff --git a/queue-3.4/ipv6-some-ipv6-statistic-counters-failed-to-disable-bh.patch b/queue-3.4/ipv6-some-ipv6-statistic-counters-failed-to-disable-bh.patch new file mode 100644 index 00000000000..74b7589d5d4 --- /dev/null +++ b/queue-3.4/ipv6-some-ipv6-statistic-counters-failed-to-disable-bh.patch @@ -0,0 +1,80 @@ +From foo@baz Mon Apr 14 15:32:12 PDT 2014 +From: Hannes Frederic Sowa +Date: Mon, 31 Mar 2014 20:14:10 +0200 +Subject: ipv6: some ipv6 statistic counters failed to disable bh + +From: Hannes Frederic Sowa + +[ Upstream commit 43a43b6040165f7b40b5b489fe61a4cb7f8c4980 ] + +After commit c15b1ccadb323ea ("ipv6: move DAD and addrconf_verify +processing to workqueue") some counters are now updated in process context +and thus need to disable bh before doing so, otherwise deadlocks can +happen on 32-bit archs. Fabio Estevam noticed this while while mounting +a NFS volume on an ARM board. + +As a compensation for missing this I looked after the other *_STATS_BH +and found three other calls which need updating: + +1) icmp6_send: ip6_fragment -> icmpv6_send -> icmp6_send (error handling) +2) ip6_push_pending_frames: rawv6_sendmsg -> rawv6_push_pending_frames -> ... + (only in case of icmp protocol with raw sockets in error handling) +3) ping6_v6_sendmsg (error handling) + +Fixes: c15b1ccadb323ea ("ipv6: move DAD and addrconf_verify processing to workqueue") +Reported-by: Fabio Estevam +Tested-by: Fabio Estevam +Cc: Eric Dumazet +Signed-off-by: Hannes Frederic Sowa +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/icmp.c | 2 +- + net/ipv6/ip6_output.c | 4 ++-- + net/ipv6/mcast.c | 11 ++++++----- + 3 files changed, 9 insertions(+), 8 deletions(-) + +--- a/net/ipv6/icmp.c ++++ b/net/ipv6/icmp.c +@@ -501,7 +501,7 @@ void icmpv6_send(struct sk_buff *skb, u8 + np->tclass, NULL, &fl6, (struct rt6_info*)dst, + MSG_DONTWAIT, np->dontfrag); + if (err) { +- ICMP6_INC_STATS_BH(net, idev, ICMP6_MIB_OUTERRORS); ++ ICMP6_INC_STATS(net, idev, ICMP6_MIB_OUTERRORS); + ip6_flush_pending_frames(sk); + } else { + err = icmpv6_push_pending_frames(sk, &fl6, &tmp_hdr, +--- a/net/ipv6/ip6_output.c ++++ b/net/ipv6/ip6_output.c +@@ -1661,8 +1661,8 @@ int ip6_push_pending_frames(struct sock + if (proto == IPPROTO_ICMPV6) { + struct inet6_dev *idev = ip6_dst_idev(skb_dst(skb)); + +- ICMP6MSGOUT_INC_STATS_BH(net, idev, icmp6_hdr(skb)->icmp6_type); +- ICMP6_INC_STATS_BH(net, idev, ICMP6_MIB_OUTMSGS); ++ ICMP6MSGOUT_INC_STATS(net, idev, icmp6_hdr(skb)->icmp6_type); ++ ICMP6_INC_STATS(net, idev, ICMP6_MIB_OUTMSGS); + } + + err = ip6_local_out(skb); +--- a/net/ipv6/mcast.c ++++ b/net/ipv6/mcast.c +@@ -1430,11 +1430,12 @@ static void mld_sendpack(struct sk_buff + dst_output); + out: + if (!err) { +- ICMP6MSGOUT_INC_STATS_BH(net, idev, ICMPV6_MLD2_REPORT); +- ICMP6_INC_STATS_BH(net, idev, ICMP6_MIB_OUTMSGS); +- IP6_UPD_PO_STATS_BH(net, idev, IPSTATS_MIB_OUTMCAST, payload_len); +- } else +- IP6_INC_STATS_BH(net, idev, IPSTATS_MIB_OUTDISCARDS); ++ ICMP6MSGOUT_INC_STATS(net, idev, ICMPV6_MLD2_REPORT); ++ ICMP6_INC_STATS(net, idev, ICMP6_MIB_OUTMSGS); ++ IP6_UPD_PO_STATS(net, idev, IPSTATS_MIB_OUTMCAST, payload_len); ++ } else { ++ IP6_INC_STATS(net, idev, IPSTATS_MIB_OUTDISCARDS); ++ } + + rcu_read_unlock(); + return; diff --git a/queue-3.4/isdnloop-several-buffer-overflows.patch b/queue-3.4/isdnloop-several-buffer-overflows.patch new file mode 100644 index 00000000000..1d973ecabd1 --- /dev/null +++ b/queue-3.4/isdnloop-several-buffer-overflows.patch @@ -0,0 +1,95 @@ +From foo@baz Mon Apr 14 15:32:12 PDT 2014 +From: Dan Carpenter +Date: Tue, 8 Apr 2014 12:23:09 +0300 +Subject: isdnloop: several buffer overflows + +From: Dan Carpenter + +[ Upstream commit 7563487cbf865284dcd35e9ef5a95380da046737 ] + +There are three buffer overflows addressed in this patch. + +1) In isdnloop_fake_err() we add an 'E' to a 60 character string and +then copy it into a 60 character buffer. I have made the destination +buffer 64 characters and I'm changed the sprintf() to a snprintf(). + +2) In isdnloop_parse_cmd(), p points to a 6 characters into a 60 +character buffer so we have 54 characters. The ->eazlist[] is 11 +characters long. I have modified the code to return if the source +buffer is too long. + +3) In isdnloop_command() the cbuf[] array was 60 characters long but the +max length of the string then can be up to 79 characters. I made the +cbuf array 80 characters long and changed the sprintf() to snprintf(). +I also removed the temporary "dial" buffer and changed it to use "p" +directly. + +Unfortunately, we pass the "cbuf" string from isdnloop_command() to +isdnloop_writecmd() which truncates anything over 60 characters to make +it fit in card->omsg[]. (It can accept values up to 255 characters so +long as there is a '\n' character every 60 characters). For now I have +just fixed the memory corruption bug and left the other problems in this +driver alone. + +Signed-off-by: Dan Carpenter +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/isdn/isdnloop/isdnloop.c | 17 +++++++++-------- + 1 file changed, 9 insertions(+), 8 deletions(-) + +--- a/drivers/isdn/isdnloop/isdnloop.c ++++ b/drivers/isdn/isdnloop/isdnloop.c +@@ -518,9 +518,9 @@ static isdnloop_stat isdnloop_cmd_table[ + static void + isdnloop_fake_err(isdnloop_card *card) + { +- char buf[60]; ++ char buf[64]; + +- sprintf(buf, "E%s", card->omsg); ++ snprintf(buf, sizeof(buf), "E%s", card->omsg); + isdnloop_fake(card, buf, -1); + isdnloop_fake(card, "NAK", -1); + } +@@ -903,6 +903,8 @@ isdnloop_parse_cmd(isdnloop_card *card) + case 7: + /* 0x;EAZ */ + p += 3; ++ if (strlen(p) >= sizeof(card->eazlist[0])) ++ break; + strcpy(card->eazlist[ch - 1], p); + break; + case 8: +@@ -1133,7 +1135,7 @@ isdnloop_command(isdn_ctrl *c, isdnloop_ + { + ulong a; + int i; +- char cbuf[60]; ++ char cbuf[80]; + isdn_ctrl cmd; + isdnloop_cdef cdef; + +@@ -1198,7 +1200,6 @@ isdnloop_command(isdn_ctrl *c, isdnloop_ + break; + if ((c->arg & 255) < ISDNLOOP_BCH) { + char *p; +- char dial[50]; + char dcode[4]; + + a = c->arg; +@@ -1210,10 +1211,10 @@ isdnloop_command(isdn_ctrl *c, isdnloop_ + } else + /* Normal Dial */ + strcpy(dcode, "CAL"); +- strcpy(dial, p); +- sprintf(cbuf, "%02d;D%s_R%s,%02d,%02d,%s\n", (int) (a + 1), +- dcode, dial, c->parm.setup.si1, +- c->parm.setup.si2, c->parm.setup.eazmsn); ++ snprintf(cbuf, sizeof(cbuf), ++ "%02d;D%s_R%s,%02d,%02d,%s\n", (int) (a + 1), ++ dcode, p, c->parm.setup.si1, ++ c->parm.setup.si2, c->parm.setup.eazmsn); + i = isdnloop_writecmd(cbuf, strlen(cbuf), 0, card); + } + break; diff --git a/queue-3.4/isdnloop-validate-nul-terminated-strings-from-user.patch b/queue-3.4/isdnloop-validate-nul-terminated-strings-from-user.patch new file mode 100644 index 00000000000..3f66dff937e --- /dev/null +++ b/queue-3.4/isdnloop-validate-nul-terminated-strings-from-user.patch @@ -0,0 +1,34 @@ +From foo@baz Mon Apr 14 15:32:12 PDT 2014 +From: YOSHIFUJI Hideaki +Date: Wed, 2 Apr 2014 12:48:42 +0900 +Subject: isdnloop: Validate NUL-terminated strings from user. + +From: YOSHIFUJI Hideaki + +[ Upstream commit 77bc6bed7121936bb2e019a8c336075f4c8eef62 ] + +Return -EINVAL unless all of user-given strings are correctly +NUL-terminated. + +Signed-off-by: YOSHIFUJI Hideaki +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/isdn/isdnloop/isdnloop.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/isdn/isdnloop/isdnloop.c ++++ b/drivers/isdn/isdnloop/isdnloop.c +@@ -1070,6 +1070,12 @@ isdnloop_start(isdnloop_card *card, isdn + return -EBUSY; + if (copy_from_user((char *) &sdef, (char *) sdefp, sizeof(sdef))) + return -EFAULT; ++ ++ for (i = 0; i < 3; i++) { ++ if (!memchr(sdef.num[i], 0, sizeof(sdef.num[i]))) ++ return -EINVAL; ++ } ++ + spin_lock_irqsave(&card->isdnloop_lock, flags); + switch (sdef.ptype) { + case ISDN_PTYPE_EURO: diff --git a/queue-3.4/net-sctp-fix-skb-leakage-in-cookie-echo-path-of-chunk-auth_chunk.patch b/queue-3.4/net-sctp-fix-skb-leakage-in-cookie-echo-path-of-chunk-auth_chunk.patch new file mode 100644 index 00000000000..3bcfe4ee2b7 --- /dev/null +++ b/queue-3.4/net-sctp-fix-skb-leakage-in-cookie-echo-path-of-chunk-auth_chunk.patch @@ -0,0 +1,120 @@ +From foo@baz Mon Apr 14 15:32:12 PDT 2014 +From: Daniel Borkmann +Date: Tue, 4 Mar 2014 16:35:51 +0100 +Subject: net: sctp: fix skb leakage in COOKIE ECHO path of chunk->auth_chunk + +From: Daniel Borkmann + +[ Upstream commit c485658bae87faccd7aed540fd2ca3ab37992310 ] + +While working on ec0223ec48a9 ("net: sctp: fix sctp_sf_do_5_1D_ce to +verify if we/peer is AUTH capable"), we noticed that there's a skb +memory leakage in the error path. + +Running the same reproducer as in ec0223ec48a9 and by unconditionally +jumping to the error label (to simulate an error condition) in +sctp_sf_do_5_1D_ce() receive path lets kmemleak detector bark about +the unfreed chunk->auth_chunk skb clone: + +Unreferenced object 0xffff8800b8f3a000 (size 256): + comm "softirq", pid 0, jiffies 4294769856 (age 110.757s) + hex dump (first 32 bytes): + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + 89 ab 75 5e d4 01 58 13 00 00 00 00 00 00 00 00 ..u^..X......... + backtrace: + [] kmemleak_alloc+0x4e/0xb0 + [] kmem_cache_alloc+0xc8/0x210 + [] skb_clone+0x49/0xb0 + [] sctp_endpoint_bh_rcv+0x1d9/0x230 [sctp] + [] sctp_inq_push+0x4c/0x70 [sctp] + [] sctp_rcv+0x82e/0x9a0 [sctp] + [] ip_local_deliver_finish+0xa8/0x210 + [] nf_reinject+0xbf/0x180 + [] nfqnl_recv_verdict+0x1d2/0x2b0 [nfnetlink_queue] + [] nfnetlink_rcv_msg+0x14b/0x250 [nfnetlink] + [] netlink_rcv_skb+0xa9/0xc0 + [] nfnetlink_rcv+0x23f/0x408 [nfnetlink] + [] netlink_unicast+0x168/0x250 + [] netlink_sendmsg+0x2e1/0x3f0 + [] sock_sendmsg+0x8b/0xc0 + [] ___sys_sendmsg+0x369/0x380 + +What happens is that commit bbd0d59809f9 clones the skb containing +the AUTH chunk in sctp_endpoint_bh_rcv() when having the edge case +that an endpoint requires COOKIE-ECHO chunks to be authenticated: + + ---------- INIT[RANDOM; CHUNKS; HMAC-ALGO] ----------> + <------- INIT-ACK[RANDOM; CHUNKS; HMAC-ALGO] --------- + ------------------ AUTH; COOKIE-ECHO ----------------> + <-------------------- COOKIE-ACK --------------------- + +When we enter sctp_sf_do_5_1D_ce() and before we actually get to +the point where we process (and subsequently free) a non-NULL +chunk->auth_chunk, we could hit the "goto nomem_init" path from +an error condition and thus leave the cloned skb around w/o +freeing it. + +The fix is to centrally free such clones in sctp_chunk_destroy() +handler that is invoked from sctp_chunk_free() after all refs have +dropped; and also move both kfree_skb(chunk->auth_chunk) there, +so that chunk->auth_chunk is either NULL (since sctp_chunkify() +allocs new chunks through kmem_cache_zalloc()) or non-NULL with +a valid skb pointer. chunk->skb and chunk->auth_chunk are the +only skbs in the sctp_chunk structure that need to be handeled. + +While at it, we should use consume_skb() for both. It is the same +as dev_kfree_skb() but more appropriately named as we are not +a device but a protocol. Also, this effectively replaces the +kfree_skb() from both invocations into consume_skb(). Functions +are the same only that kfree_skb() assumes that the frame was +being dropped after a failure (e.g. for tools like drop monitor), +usage of consume_skb() seems more appropriate in function +sctp_chunk_destroy() though. + +Fixes: bbd0d59809f9 ("[SCTP]: Implement the receive and verification of AUTH chunk") +Signed-off-by: Daniel Borkmann +Cc: Vlad Yasevich +Cc: Neil Horman +Acked-by: Vlad Yasevich +Acked-by: Neil Horman +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/sctp/sm_make_chunk.c | 4 ++-- + net/sctp/sm_statefuns.c | 5 ----- + 2 files changed, 2 insertions(+), 7 deletions(-) + +--- a/net/sctp/sm_make_chunk.c ++++ b/net/sctp/sm_make_chunk.c +@@ -1366,8 +1366,8 @@ static void sctp_chunk_destroy(struct sc + BUG_ON(!list_empty(&chunk->list)); + list_del_init(&chunk->transmitted_list); + +- /* Free the chunk skb data and the SCTP_chunk stub itself. */ +- dev_kfree_skb(chunk->skb); ++ consume_skb(chunk->skb); ++ consume_skb(chunk->auth_chunk); + + SCTP_DBG_OBJCNT_DEC(chunk); + kmem_cache_free(sctp_chunk_cachep, chunk); +--- a/net/sctp/sm_statefuns.c ++++ b/net/sctp/sm_statefuns.c +@@ -749,7 +749,6 @@ sctp_disposition_t sctp_sf_do_5_1D_ce(co + + /* Make sure that we and the peer are AUTH capable */ + if (!sctp_auth_enable || !new_asoc->peer.auth_capable) { +- kfree_skb(chunk->auth_chunk); + sctp_association_free(new_asoc); + return sctp_sf_pdiscard(ep, asoc, type, arg, commands); + } +@@ -764,10 +763,6 @@ sctp_disposition_t sctp_sf_do_5_1D_ce(co + auth.transport = chunk->transport; + + ret = sctp_sf_authenticate(ep, new_asoc, type, &auth); +- +- /* We can now safely free the auth_chunk clone */ +- kfree_skb(chunk->auth_chunk); +- + if (ret != SCTP_IERROR_NO_ERROR) { + sctp_association_free(new_asoc); + return sctp_sf_pdiscard(ep, asoc, type, arg, commands); diff --git a/queue-3.4/net-socket-error-on-a-negative-msg_namelen.patch b/queue-3.4/net-socket-error-on-a-negative-msg_namelen.patch new file mode 100644 index 00000000000..6dd30344ff5 --- /dev/null +++ b/queue-3.4/net-socket-error-on-a-negative-msg_namelen.patch @@ -0,0 +1,35 @@ +From foo@baz Mon Apr 14 15:32:12 PDT 2014 +From: Matthew Leach +Date: Tue, 11 Mar 2014 11:58:27 +0000 +Subject: net: socket: error on a negative msg_namelen + +From: Matthew Leach + +[ Upstream commit dbb490b96584d4e958533fb637f08b557f505657 ] + +When copying in a struct msghdr from the user, if the user has set the +msg_namelen parameter to a negative value it gets clamped to a valid +size due to a comparison between signed and unsigned values. + +Ensure the syscall errors when the user passes in a negative value. + +Signed-off-by: Matthew Leach +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/socket.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/net/socket.c ++++ b/net/socket.c +@@ -1907,6 +1907,10 @@ static int copy_msghdr_from_user(struct + { + if (copy_from_user(kmsg, umsg, sizeof(struct msghdr))) + return -EFAULT; ++ ++ if (kmsg->msg_namelen < 0) ++ return -EINVAL; ++ + if (kmsg->msg_namelen > sizeof(struct sockaddr_storage)) + kmsg->msg_namelen = sizeof(struct sockaddr_storage); + return 0; diff --git a/queue-3.4/net-unix-non-blocking-recvmsg-should-not-return-eintr.patch b/queue-3.4/net-unix-non-blocking-recvmsg-should-not-return-eintr.patch new file mode 100644 index 00000000000..601ce96de09 --- /dev/null +++ b/queue-3.4/net-unix-non-blocking-recvmsg-should-not-return-eintr.patch @@ -0,0 +1,73 @@ +From foo@baz Mon Apr 14 15:32:12 PDT 2014 +From: Eric Dumazet +Date: Tue, 25 Mar 2014 18:42:27 -0700 +Subject: net: unix: non blocking recvmsg() should not return -EINTR + +From: Eric Dumazet + +[ Upstream commit de1443916791d75fdd26becb116898277bb0273f ] + +Some applications didn't expect recvmsg() on a non blocking socket +could return -EINTR. This possibility was added as a side effect +of commit b3ca9b02b00704 ("net: fix multithreaded signal handling in +unix recv routines"). + +To hit this bug, you need to be a bit unlucky, as the u->readlock +mutex is usually held for very small periods. + +Fixes: b3ca9b02b00704 ("net: fix multithreaded signal handling in unix recv routines") +Signed-off-by: Eric Dumazet +Cc: Rainer Weikusat +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/unix/af_unix.c | 17 ++++++++++++----- + 1 file changed, 12 insertions(+), 5 deletions(-) + +--- a/net/unix/af_unix.c ++++ b/net/unix/af_unix.c +@@ -1787,8 +1787,11 @@ static int unix_dgram_recvmsg(struct kio + goto out; + + err = mutex_lock_interruptible(&u->readlock); +- if (err) { +- err = sock_intr_errno(sock_rcvtimeo(sk, noblock)); ++ if (unlikely(err)) { ++ /* recvmsg() in non blocking mode is supposed to return -EAGAIN ++ * sk_rcvtimeo is not honored by mutex_lock_interruptible() ++ */ ++ err = noblock ? -EAGAIN : -ERESTARTSYS; + goto out; + } + +@@ -1910,6 +1913,7 @@ static int unix_stream_recvmsg(struct ki + struct unix_sock *u = unix_sk(sk); + struct sockaddr_un *sunaddr = msg->msg_name; + int copied = 0; ++ int noblock = flags & MSG_DONTWAIT; + int check_creds = 0; + int target; + int err = 0; +@@ -1925,7 +1929,7 @@ static int unix_stream_recvmsg(struct ki + goto out; + + target = sock_rcvlowat(sk, flags&MSG_WAITALL, size); +- timeo = sock_rcvtimeo(sk, flags&MSG_DONTWAIT); ++ timeo = sock_rcvtimeo(sk, noblock); + + /* Lock the socket to prevent queue disordering + * while sleeps in memcpy_tomsg +@@ -1937,8 +1941,11 @@ static int unix_stream_recvmsg(struct ki + } + + err = mutex_lock_interruptible(&u->readlock); +- if (err) { +- err = sock_intr_errno(timeo); ++ if (unlikely(err)) { ++ /* recvmsg() in non blocking mode is supposed to return -EAGAIN ++ * sk_rcvtimeo is not honored by mutex_lock_interruptible() ++ */ ++ err = noblock ? -EAGAIN : -ERESTARTSYS; + goto out; + } + diff --git a/queue-3.4/netlink-don-t-compare-the-nul-termination-in-nla_strcmp.patch b/queue-3.4/netlink-don-t-compare-the-nul-termination-in-nla_strcmp.patch new file mode 100644 index 00000000000..55b372564a5 --- /dev/null +++ b/queue-3.4/netlink-don-t-compare-the-nul-termination-in-nla_strcmp.patch @@ -0,0 +1,55 @@ +From foo@baz Mon Apr 14 15:32:12 PDT 2014 +From: Pablo Neira +Date: Tue, 1 Apr 2014 19:38:44 +0200 +Subject: netlink: don't compare the nul-termination in nla_strcmp + +From: Pablo Neira + +[ Upstream commit 8b7b932434f5eee495b91a2804f5b64ebb2bc835 ] + +nla_strcmp compares the string length plus one, so it's implicitly +including the nul-termination in the comparison. + + int nla_strcmp(const struct nlattr *nla, const char *str) + { + int len = strlen(str) + 1; + ... + d = memcmp(nla_data(nla), str, len); + +However, if NLA_STRING is used, userspace can send us a string without +the nul-termination. This is a problem since the string +comparison will not match as the last byte may be not the +nul-termination. + +Fix this by skipping the comparison of the nul-termination if the +attribute data is nul-terminated. Suggested by Thomas Graf. + +Cc: Florian Westphal +Cc: Thomas Graf +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + lib/nlattr.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +--- a/lib/nlattr.c ++++ b/lib/nlattr.c +@@ -299,9 +299,15 @@ int nla_memcmp(const struct nlattr *nla, + */ + int nla_strcmp(const struct nlattr *nla, const char *str) + { +- int len = strlen(str) + 1; +- int d = nla_len(nla) - len; ++ int len = strlen(str); ++ char *buf = nla_data(nla); ++ int attrlen = nla_len(nla); ++ int d; + ++ if (attrlen > 0 && buf[attrlen - 1] == '\0') ++ attrlen--; ++ ++ d = attrlen - len; + if (d == 0) + d = memcmp(nla_data(nla), str, len); + diff --git a/queue-3.4/rds-prevent-dereference-of-a-null-device-in-rds_iw_laddr_check.patch b/queue-3.4/rds-prevent-dereference-of-a-null-device-in-rds_iw_laddr_check.patch new file mode 100644 index 00000000000..7595e8e9df2 --- /dev/null +++ b/queue-3.4/rds-prevent-dereference-of-a-null-device-in-rds_iw_laddr_check.patch @@ -0,0 +1,31 @@ +From foo@baz Mon Apr 14 15:32:12 PDT 2014 +From: Sasha Levin +Date: Sat, 29 Mar 2014 20:39:35 -0400 +Subject: rds: prevent dereference of a NULL device in rds_iw_laddr_check + +From: Sasha Levin + +[ Upstream commit bf39b4247b8799935ea91d90db250ab608a58e50 ] + +Binding might result in a NULL device which is later dereferenced +without checking. + +Signed-off-by: Sasha Levin +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/rds/iw.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/rds/iw.c ++++ b/net/rds/iw.c +@@ -239,7 +239,8 @@ static int rds_iw_laddr_check(__be32 add + ret = rdma_bind_addr(cm_id, (struct sockaddr *)&sin); + /* due to this, we will claim to support IB devices unless we + check node_type. */ +- if (ret || cm_id->device->node_type != RDMA_NODE_RNIC) ++ if (ret || !cm_id->device || ++ cm_id->device->node_type != RDMA_NODE_RNIC) + ret = -EADDRNOTAVAIL; + + rdsdebug("addr %pI4 ret %d node type %d\n", diff --git a/queue-3.4/series b/queue-3.4/series new file mode 100644 index 00000000000..c028d10c919 --- /dev/null +++ b/queue-3.4/series @@ -0,0 +1,16 @@ +net-sctp-fix-skb-leakage-in-cookie-echo-path-of-chunk-auth_chunk.patch +bridge-multicast-add-sanity-check-for-query-source-addresses.patch +net-unix-non-blocking-recvmsg-should-not-return-eintr.patch +ipv6-don-t-set-dst_nocount-for-remotely-added-routes.patch +vlan-set-correct-source-mac-address-with-tx-vlan-offload-enabled.patch +net-socket-error-on-a-negative-msg_namelen.patch +ipv6-avoid-unnecessary-temporary-addresses-being-generated.patch +ipv6-ip6_append_data_mtu-do-not-handle-the-mtu-of-the-second-fragment-properly.patch +vhost-fix-total-length-when-packets-are-too-short.patch +vhost-validate-vhost_get_vq_desc-return-value.patch +xen-netback-remove-pointless-clause-from-if-statement.patch +ipv6-some-ipv6-statistic-counters-failed-to-disable-bh.patch +netlink-don-t-compare-the-nul-termination-in-nla_strcmp.patch +isdnloop-validate-nul-terminated-strings-from-user.patch +isdnloop-several-buffer-overflows.patch +rds-prevent-dereference-of-a-null-device-in-rds_iw_laddr_check.patch diff --git a/queue-3.4/vhost-fix-total-length-when-packets-are-too-short.patch b/queue-3.4/vhost-fix-total-length-when-packets-are-too-short.patch new file mode 100644 index 00000000000..01a8b281997 --- /dev/null +++ b/queue-3.4/vhost-fix-total-length-when-packets-are-too-short.patch @@ -0,0 +1,63 @@ +From foo@baz Mon Apr 14 15:32:12 PDT 2014 +From: "Michael S. Tsirkin" +Date: Thu, 27 Mar 2014 12:00:26 +0200 +Subject: vhost: fix total length when packets are too short + +From: "Michael S. Tsirkin" + +[ Upstream commit d8316f3991d207fe32881a9ac20241be8fa2bad0 ] + +When mergeable buffers are disabled, and the +incoming packet is too large for the rx buffer, +get_rx_bufs returns success. + +This was intentional in order for make recvmsg +truncate the packet and then handle_rx would +detect err != sock_len and drop it. + +Unfortunately we pass the original sock_len to +recvmsg - which means we use parts of iov not fully +validated. + +Fix this up by detecting this overrun and doing packet drop +immediately. + +CVE-2014-0077 + +Signed-off-by: Michael S. Tsirkin +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/vhost/net.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +--- a/drivers/vhost/net.c ++++ b/drivers/vhost/net.c +@@ -351,6 +351,12 @@ static int get_rx_bufs(struct vhost_virt + *iovcount = seg; + if (unlikely(log)) + *log_num = nlogs; ++ ++ /* Detect overrun */ ++ if (unlikely(datalen > 0)) { ++ r = UIO_MAXIOV + 1; ++ goto err; ++ } + return headcount; + err: + vhost_discard_vq_desc(vq, headcount); +@@ -405,6 +411,14 @@ static void handle_rx(struct vhost_net * + /* On error, stop handling until the next kick. */ + if (unlikely(headcount < 0)) + break; ++ /* On overrun, truncate and discard */ ++ if (unlikely(headcount > UIO_MAXIOV)) { ++ msg.msg_iovlen = 1; ++ err = sock->ops->recvmsg(NULL, sock, &msg, ++ 1, MSG_DONTWAIT | MSG_TRUNC); ++ pr_debug("Discarded rx packet: len %zd\n", sock_len); ++ continue; ++ } + /* OK, now we need to know about added descriptors. */ + if (!headcount) { + if (unlikely(vhost_enable_notify(&net->dev, vq))) { diff --git a/queue-3.4/vhost-validate-vhost_get_vq_desc-return-value.patch b/queue-3.4/vhost-validate-vhost_get_vq_desc-return-value.patch new file mode 100644 index 00000000000..d60cf1ec514 --- /dev/null +++ b/queue-3.4/vhost-validate-vhost_get_vq_desc-return-value.patch @@ -0,0 +1,44 @@ +From foo@baz Mon Apr 14 15:32:12 PDT 2014 +From: "Michael S. Tsirkin" +Date: Thu, 27 Mar 2014 12:53:37 +0200 +Subject: vhost: validate vhost_get_vq_desc return value + +From: "Michael S. Tsirkin" + +[ Upstream commit a39ee449f96a2cd44ce056d8a0a112211a9b1a1f ] + +vhost fails to validate negative error code +from vhost_get_vq_desc causing +a crash: we are using -EFAULT which is 0xfffffff2 +as vector size, which exceeds the allocated size. + +The code in question was introduced in commit +8dd014adfea6f173c1ef6378f7e5e7924866c923 + vhost-net: mergeable buffers support + +CVE-2014-0055 + +Signed-off-by: Michael S. Tsirkin +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/vhost/net.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/drivers/vhost/net.c ++++ b/drivers/vhost/net.c +@@ -324,9 +324,13 @@ static int get_rx_bufs(struct vhost_virt + r = -ENOBUFS; + goto err; + } +- d = vhost_get_vq_desc(vq->dev, vq, vq->iov + seg, ++ r = vhost_get_vq_desc(vq->dev, vq, vq->iov + seg, + ARRAY_SIZE(vq->iov) - seg, &out, + &in, log, log_num); ++ if (unlikely(r < 0)) ++ goto err; ++ ++ d = r; + if (d == vq->num) { + r = 0; + goto err; diff --git a/queue-3.4/vlan-set-correct-source-mac-address-with-tx-vlan-offload-enabled.patch b/queue-3.4/vlan-set-correct-source-mac-address-with-tx-vlan-offload-enabled.patch new file mode 100644 index 00000000000..9ae49c19643 --- /dev/null +++ b/queue-3.4/vlan-set-correct-source-mac-address-with-tx-vlan-offload-enabled.patch @@ -0,0 +1,41 @@ +From foo@baz Mon Apr 14 15:32:12 PDT 2014 +From: Peter Boström +Date: Mon, 10 Mar 2014 16:17:15 +0100 +Subject: vlan: Set correct source MAC address with TX VLAN offload enabled +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Peter Boström + +[ Upstream commit dd38743b4cc2f86be250eaf156cf113ba3dd531a ] + +With TX VLAN offload enabled the source MAC address for frames sent using the +VLAN interface is currently set to the address of the real interface. This is +wrong since the VLAN interface may be configured with a different address. + +The bug was introduced in commit 2205369a314e12fcec4781cc73ac9c08fc2b47de +("vlan: Fix header ops passthru when doing TX VLAN offload."). + +This patch sets the source address before calling the create function of the +real interface. + +Signed-off-by: Peter Boström +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/8021q/vlan_dev.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/net/8021q/vlan_dev.c ++++ b/net/8021q/vlan_dev.c +@@ -533,6 +533,9 @@ static int vlan_passthru_hard_header(str + struct vlan_dev_priv *vlan = vlan_dev_priv(dev); + struct net_device *real_dev = vlan->real_dev; + ++ if (saddr == NULL) ++ saddr = dev->dev_addr; ++ + return dev_hard_header(skb, real_dev, type, daddr, saddr, len); + } + diff --git a/queue-3.4/xen-netback-remove-pointless-clause-from-if-statement.patch b/queue-3.4/xen-netback-remove-pointless-clause-from-if-statement.patch new file mode 100644 index 00000000000..66696e052d6 --- /dev/null +++ b/queue-3.4/xen-netback-remove-pointless-clause-from-if-statement.patch @@ -0,0 +1,39 @@ +From foo@baz Mon Apr 14 15:32:12 PDT 2014 +From: Paul Durrant +Date: Fri, 28 Mar 2014 11:39:05 +0000 +Subject: xen-netback: remove pointless clause from if statement + +From: Paul Durrant + +[ Upstream commit 0576eddf24df716d8570ef8ca11452a9f98eaab2 ] + +This patch removes a test in start_new_rx_buffer() that checks whether +a copy operation is less than MAX_BUFFER_OFFSET in length, since +MAX_BUFFER_OFFSET is defined to be PAGE_SIZE and the only caller of +start_new_rx_buffer() already limits copy operations to PAGE_SIZE or less. + +Signed-off-by: Paul Durrant +Cc: Ian Campbell +Cc: Wei Liu +Cc: Sander Eikelenboom +Reported-By: Sander Eikelenboom +Tested-By: Sander Eikelenboom +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/xen-netback/netback.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/net/xen-netback/netback.c ++++ b/drivers/net/xen-netback/netback.c +@@ -338,8 +338,8 @@ static bool start_new_rx_buffer(int offs + * into multiple copies tend to give large frags their + * own buffers as before. + */ +- if ((offset + size > MAX_BUFFER_OFFSET) && +- (size <= MAX_BUFFER_OFFSET) && offset && !head) ++ BUG_ON(size > MAX_BUFFER_OFFSET); ++ if ((offset + size > MAX_BUFFER_OFFSET) && offset && !head) + return true; + + return false;