[Glibc-bsd-commits] r5747 - in trunk/kfreebsd-10/debian: . patches
stevenc-guest at alioth.debian.org
stevenc-guest at alioth.debian.org
Tue Aug 4 11:36:01 UTC 2015
Author: stevenc-guest
Date: 2015-08-04 11:36:01 +0000 (Tue, 04 Aug 2015)
New Revision: 5747
Added:
trunk/kfreebsd-10/debian/patches/SA-15_13.tcp.patch
trunk/kfreebsd-10/debian/patches/SA-15_15.tcp.patch
Modified:
trunk/kfreebsd-10/debian/changelog
trunk/kfreebsd-10/debian/patches/series
Log:
Pick SVN r285780 from FreeBSD 10.1-RELEASE to fix:
- SA-15:13: Resource exhaustion due to sessions stuck in LAST_ACK
state.
Pick SVN r285979 from FreeBSD 10.1-RELEASE to fix:
- SA-15:15: Resource exhaustion in TCP reassembly.
Modified: trunk/kfreebsd-10/debian/changelog
===================================================================
--- trunk/kfreebsd-10/debian/changelog 2015-08-04 11:24:28 UTC (rev 5746)
+++ trunk/kfreebsd-10/debian/changelog 2015-08-04 11:36:01 UTC (rev 5747)
@@ -2,6 +2,11 @@
* Build with clang-3.5, at least until clang-3.6 is fixed, so that
clang-3.4 can be removed from unstable.
+ * Pick SVN r285780 from FreeBSD 10.1-RELEASE to fix:
+ - SA-15:13: Resource exhaustion due to sessions stuck in LAST_ACK
+ state.
+ * Pick SVN r285979 from FreeBSD 10.1-RELEASE to fix:
+ - SA-15:15: Resource exhaustion in TCP reassembly.
* Use new preferred hostname for upstream SVN with HTTPS
(svn.freebsd.org).
Added: trunk/kfreebsd-10/debian/patches/SA-15_13.tcp.patch
===================================================================
--- trunk/kfreebsd-10/debian/patches/SA-15_13.tcp.patch (rev 0)
+++ trunk/kfreebsd-10/debian/patches/SA-15_13.tcp.patch 2015-08-04 11:36:01 UTC (rev 5747)
@@ -0,0 +1,35 @@
+Description:
+ Fix resource exhaustion due to sessions stuck in LAST_ACK state. [SA-15:13] (CVE-2015-5358)
+Origin: vendor, https://security.FreeBSD.org/patches/SA-15:13/tcp.patch
+Bug: https://www.freebsd.org/security/advisories/FreeBSD-SA-15:13.tcp.asc
+Applied-Upstream: https://svnweb.freebsd.org/base?view=revision&revision=285780
+
+--- a/sys/netinet/tcp_output.c (revision 285779)
++++ b/sys/netinet/tcp_output.c (revision 285780)
+@@ -400,7 +400,7 @@
+ flags &= ~TH_FIN;
+ }
+
+- if (len < 0) {
++ if (len <= 0) {
+ /*
+ * If FIN has been sent but not acked,
+ * but we haven't been called to retransmit,
+@@ -410,9 +410,16 @@
+ * to (closed) window, and set the persist timer
+ * if it isn't already going. If the window didn't
+ * close completely, just wait for an ACK.
++ *
++ * We also do a general check here to ensure that
++ * we will set the persist timer when we have data
++ * to send, but a 0-byte window. This makes sure
++ * the persist timer is set even if the packet
++ * hits one of the "goto send" lines below.
+ */
+ len = 0;
+- if (sendwin == 0) {
++ if ((sendwin == 0) && (TCPS_HAVEESTABLISHED(tp->t_state)) &&
++ (off < (int) so->so_snd.sb_cc)) {
+ tcp_timer_activate(tp, TT_REXMT, 0);
+ tp->t_rxtshift = 0;
+ tp->snd_nxt = tp->snd_una;
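Review bot: The new guard in the embedded tcp_output.c hunk compares `off` with `(int) so->so_snd.sb_cc`, and the comment block above it never says why the narrowing cast is there. The declarations of `off` and `sb_cc` are outside the hunk, so this is inferred: if `sb_cc` is unsigned, the cast is what stops a negative `off` from being converted and compared as a very large value. A short comment next to the condition, for example `/* signed comparison on purpose; do not drop the (int) cast */`, would protect the check from a later cleanup. The enclosing function starts and ends outside the hunk. Because this file is a verbatim pick of upstream r285780, the comment is better proposed upstream than carried as a local delta.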
Added: trunk/kfreebsd-10/debian/patches/SA-15_15.tcp.patch
===================================================================
--- trunk/kfreebsd-10/debian/patches/SA-15_15.tcp.patch (rev 0)
+++ trunk/kfreebsd-10/debian/patches/SA-15_15.tcp.patch 2015-08-04 11:36:01 UTC (rev 5747)
@@ -0,0 +1,193 @@
+Description:
+ Fix resource exhaustion in TCP reassembly. [SA-15:15] (CVE-2015-1417)
+Origin: vendor, https://security.FreeBSD.org/patches/SA-15:15/tcp.patch
+Bug: https://www.freebsd.org/security/advisories/FreeBSD-SA-15:15.tcp.asc
+Applied-Upstream: https://svnweb.freebsd.org/base?view=revision&revision=285979
+
+--- a/sys/netinet/tcp_reass.c
++++ b/sys/netinet/tcp_reass.c
+@@ -79,25 +79,22 @@
+ static SYSCTL_NODE(_net_inet_tcp, OID_AUTO, reass, CTLFLAG_RW, 0,
+ "TCP Segment Reassembly Queue");
+
+-static VNET_DEFINE(int, tcp_reass_maxseg) = 0;
+-#define V_tcp_reass_maxseg VNET(tcp_reass_maxseg)
+-SYSCTL_VNET_INT(_net_inet_tcp_reass, OID_AUTO, maxsegments, CTLFLAG_RDTUN,
+- &VNET_NAME(tcp_reass_maxseg), 0,
++static int tcp_reass_maxseg = 0;
++SYSCTL_INT(_net_inet_tcp_reass, OID_AUTO, maxsegments, CTLFLAG_RDTUN,
++ &tcp_reass_maxseg, 0,
+ "Global maximum number of TCP Segments in Reassembly Queue");
+
+-SYSCTL_VNET_PROC(_net_inet_tcp_reass, OID_AUTO, cursegments,
++SYSCTL_PROC(_net_inet_tcp_reass, OID_AUTO, cursegments,
+ (CTLTYPE_INT | CTLFLAG_RD), NULL, 0, &tcp_reass_sysctl_qsize, "I",
+ "Global number of TCP Segments currently in Reassembly Queue");
+
+-static VNET_DEFINE(int, tcp_reass_overflows) = 0;
+-#define V_tcp_reass_overflows VNET(tcp_reass_overflows)
+-SYSCTL_VNET_INT(_net_inet_tcp_reass, OID_AUTO, overflows,
++static int tcp_reass_overflows = 0;
++SYSCTL_INT(_net_inet_tcp_reass, OID_AUTO, overflows,
+ CTLTYPE_INT | CTLFLAG_RD,
+- &VNET_NAME(tcp_reass_overflows), 0,
++ &tcp_reass_overflows, 0,
+ "Global number of TCP Segment Reassembly Queue Overflows");
+
+-static VNET_DEFINE(uma_zone_t, tcp_reass_zone);
+-#define V_tcp_reass_zone VNET(tcp_reass_zone)
++static uma_zone_t tcp_reass_zone;
+
+ /* Initialize TCP reassembly queue */
+ static void
+@@ -105,36 +102,27 @@
+ {
+
+ /* Set the zone limit and read back the effective value. */
+- V_tcp_reass_maxseg = nmbclusters / 16;
+- V_tcp_reass_maxseg = uma_zone_set_max(V_tcp_reass_zone,
+- V_tcp_reass_maxseg);
++ tcp_reass_maxseg = nmbclusters / 16;
++ tcp_reass_maxseg = uma_zone_set_max(tcp_reass_zone,
++ tcp_reass_maxseg);
+ }
+
+ void
+-tcp_reass_init(void)
++tcp_reass_global_init(void)
+ {
+
+- V_tcp_reass_maxseg = nmbclusters / 16;
++ tcp_reass_maxseg = nmbclusters / 16;
+ TUNABLE_INT_FETCH("net.inet.tcp.reass.maxsegments",
+- &V_tcp_reass_maxseg);
+- V_tcp_reass_zone = uma_zcreate("tcpreass", sizeof (struct tseg_qent),
++ &tcp_reass_maxseg);
++ tcp_reass_zone = uma_zcreate("tcpreass", sizeof (struct tseg_qent),
+ NULL, NULL, NULL, NULL, UMA_ALIGN_PTR, UMA_ZONE_NOFREE);
+ /* Set the zone limit and read back the effective value. */
+- V_tcp_reass_maxseg = uma_zone_set_max(V_tcp_reass_zone,
+- V_tcp_reass_maxseg);
++ tcp_reass_maxseg = uma_zone_set_max(tcp_reass_zone,
++ tcp_reass_maxseg);
+ EVENTHANDLER_REGISTER(nmbclusters_change,
+ tcp_reass_zone_change, NULL, EVENTHANDLER_PRI_ANY);
+ }
+
+-#ifdef VIMAGE
+-void
+-tcp_reass_destroy(void)
+-{
+-
+- uma_zdestroy(V_tcp_reass_zone);
+-}
+-#endif
+-
+ void
+ tcp_reass_flush(struct tcpcb *tp)
+ {
+@@ -145,7 +133,7 @@
+ while ((qe = LIST_FIRST(&tp->t_segq)) != NULL) {
+ LIST_REMOVE(qe, tqe_q);
+ m_freem(qe->tqe_m);
+- uma_zfree(V_tcp_reass_zone, qe);
++ uma_zfree(tcp_reass_zone, qe);
+ tp->t_segqlen--;
+ }
+
+@@ -159,7 +147,7 @@
+ {
+ int qsize;
+
+- qsize = uma_zone_get_cur(V_tcp_reass_zone);
++ qsize = uma_zone_get_cur(tcp_reass_zone);
+ return (sysctl_handle_int(oidp, &qsize, 0, req));
+ }
+
+@@ -207,7 +195,7 @@
+ */
+ if ((th->th_seq != tp->rcv_nxt || !TCPS_HAVEESTABLISHED(tp->t_state)) &&
+ tp->t_segqlen >= (so->so_rcv.sb_hiwat / tp->t_maxseg) + 1) {
+- V_tcp_reass_overflows++;
++ tcp_reass_overflows++;
+ TCPSTAT_INC(tcps_rcvmemdrop);
+ m_freem(m);
+ *tlenp = 0;
+@@ -226,7 +214,7 @@
+ * Use a temporary structure on the stack for the missing segment
+ * when the zone is exhausted. Otherwise we may get stuck.
+ */
+- te = uma_zalloc(V_tcp_reass_zone, M_NOWAIT);
++ te = uma_zalloc(tcp_reass_zone, M_NOWAIT);
+ if (te == NULL) {
+ if (th->th_seq != tp->rcv_nxt || !TCPS_HAVEESTABLISHED(tp->t_state)) {
+ TCPSTAT_INC(tcps_rcvmemdrop);
+@@ -277,7 +265,7 @@
+ TCPSTAT_ADD(tcps_rcvdupbyte, *tlenp);
+ m_freem(m);
+ if (te != &tqs)
+- uma_zfree(V_tcp_reass_zone, te);
++ uma_zfree(tcp_reass_zone, te);
+ tp->t_segqlen--;
+ /*
+ * Try to present any queued data
+@@ -314,7 +302,7 @@
+ nq = LIST_NEXT(q, tqe_q);
+ LIST_REMOVE(q, tqe_q);
+ m_freem(q->tqe_m);
+- uma_zfree(V_tcp_reass_zone, q);
++ uma_zfree(tcp_reass_zone, q);
+ tp->t_segqlen--;
+ q = nq;
+ }
+@@ -353,7 +341,7 @@
+ else
+ sbappendstream_locked(&so->so_rcv, q->tqe_m);
+ if (q != &tqs)
+- uma_zfree(V_tcp_reass_zone, q);
++ uma_zfree(tcp_reass_zone, q);
+ tp->t_segqlen--;
+ q = nq;
+ } while (q && q->tqe_th->th_seq == tp->rcv_nxt);
+--- a/sys/netinet/tcp_var.h
++++ b/sys/netinet/tcp_var.h
+@@ -666,11 +666,8 @@
+ char *tcp_log_vain(struct in_conninfo *, struct tcphdr *, void *,
+ const void *);
+ int tcp_reass(struct tcpcb *, struct tcphdr *, int *, struct mbuf *);
+-void tcp_reass_init(void);
++void tcp_reass_global_init(void);
+ void tcp_reass_flush(struct tcpcb *);
+-#ifdef VIMAGE
+-void tcp_reass_destroy(void);
+-#endif
+ void tcp_input(struct mbuf *, int);
+ u_long tcp_maxmtu(struct in_conninfo *, struct tcp_ifcap *);
+ u_long tcp_maxmtu6(struct in_conninfo *, struct tcp_ifcap *);
+--- a/sys/netinet/tcp_subr.c
++++ b/sys/netinet/tcp_subr.c
+@@ -375,7 +375,6 @@
+ tcp_tw_init();
+ syncache_init();
+ tcp_hc_init();
+- tcp_reass_init();
+
+ TUNABLE_INT_FETCH("net.inet.tcp.sack.enable", &V_tcp_do_sack);
+ V_sack_hole_zone = uma_zcreate("sackhole", sizeof(struct sackhole),
+@@ -385,6 +384,8 @@
+ if (!IS_DEFAULT_VNET(curvnet))
+ return;
+
++ tcp_reass_global_init();
++
+ /* XXX virtualize those bellow? */
+ tcp_delacktime = TCPTV_DELACK;
+ tcp_keepinit = TCPTV_KEEP_INIT;
+@@ -432,7 +433,6 @@
+ tcp_destroy(void)
+ {
+
+- tcp_reass_destroy();
+ tcp_hc_destroy();
+ syncache_destroy();
+ tcp_tw_destroy();
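Review bot: With `tcp_reass_zone` and `tcp_reass_maxseg` turned into plain globals, the `nmbclusters / 16` cap becomes one budget shared by every vnet, and nothing in the new code says so. That appears to be the intent of the fix (a bounded total), but it also means reassembly pressure in one vnet can show up as `tcps_rcvmemdrop` drops for connections in another. I would add a comment above `static uma_zone_t tcp_reass_zone;` such as `/* Global, not per-vnet: the segment limit is shared by all network stacks. */`, so that `net.inet.tcp.reass.cursegments` and `net.inet.tcp.reass.overflows` are read as system-wide values when monitoring. As far as the hunk shows, `tcp_reass_overflows++` is an unlocked increment of that now-global counter, so its value should be treated as approximate. The bodies of several touched functions, tcp_reass() among them, begin or end outside the nested hunks.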
Modified: trunk/kfreebsd-10/debian/patches/series
===================================================================
--- trunk/kfreebsd-10/debian/patches/series 2015-08-04 11:24:28 UTC (rev 5746)
+++ trunk/kfreebsd-10/debian/patches/series 2015-08-04 11:36:01 UTC (rev 5747)
@@ -37,10 +37,12 @@
aicasm-parallel-build-dependencies.diff
ath9k-linux.diff
-# Security patches
+# Security patches / errata
SA-15_02.kmem.patch
SA-15_03.sctp.patch
SA-15_04.igmp.patch
EN-15_01.vt.patch
SA-15_09.ipv6.patch
EN-15_05.ufs.patch
+SA-15_13.tcp.patch
+SA-15_15.tcp.patch