[kernel] r22840 - in dists/wheezy-security/linux/debian: . patches patches/bugfix/all patches/bugfix/x86

Ben Hutchings benh at moszumanska.debian.org
Wed Jul 22 02:17:39 UTC 2015 

Author: benh
Date: Wed Jul 22 02:17:38 2015
New Revision: 22840

Log:
Add two networking fixes

Added:
   dists/wheezy-security/linux/debian/patches/bugfix/all/sctp-fix-asconf-list-handling.patch
   dists/wheezy-security/linux/debian/patches/bugfix/x86/x86-bpf_jit-fix-compilation-of-large-bpf-programs.patch
Modified:
   dists/wheezy-security/linux/debian/changelog
   dists/wheezy-security/linux/debian/patches/series

Modified: dists/wheezy-security/linux/debian/changelog
==============================================================================
--- dists/wheezy-security/linux/debian/changelog	Fri Jul 17 07:29:12 2015	(r22839)
+++ dists/wheezy-security/linux/debian/changelog	Wed Jul 22 02:17:38 2015	(r22840)
@@ -2,6 +2,8 @@
 
   [ Ben Hutchings ]
   * udp: fix behavior of wrong checksums (CVE-2015-5364, CVE-2015-5366)
+  * sctp: fix ASCONF list handling (CVE-2015-3212)
+  * [x86] bpf_jit: fix compilation of large bpf programs (CVE-2015-4700)
 
  -- Ben Hutchings <ben at decadent.org.uk>  Sun, 28 Jun 2015 23:37:37 +0100
 

Added: dists/wheezy-security/linux/debian/patches/bugfix/all/sctp-fix-asconf-list-handling.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/wheezy-security/linux/debian/patches/bugfix/all/sctp-fix-asconf-list-handling.patch	Wed Jul 22 02:17:38 2015	(r22840)
@@ -0,0 +1,176 @@
+From: Marcelo Ricardo Leitner <marcelo.leitner at gmail.com>
+Date: Fri, 12 Jun 2015 10:16:41 -0300
+Subject: sctp: fix ASCONF list handling
+Origin: https://git.kernel.org/linus/2d45a02d0166caf2627fe91897c6ffc3b19514c4
+
+->auto_asconf_splist is per namespace and mangled by functions like
+sctp_setsockopt_auto_asconf() which doesn't guarantee any serialization.
+
+Also, the call to inet_sk_copy_descendant() was backuping
+->auto_asconf_list through the copy but was not honoring
+->do_auto_asconf, which could lead to list corruption if it was
+different between both sockets.
+
+This commit thus fixes the list handling by using ->addr_wq_lock
+spinlock to protect the list. A special handling is done upon socket
+creation and destruction for that. Error handlig on sctp_init_sock()
+will never return an error after having initialized asconf, so
+sctp_destroy_sock() can be called without addrq_wq_lock. The lock now
+will be take on sctp_close_sock(), before locking the socket, so we
+don't do it in inverse order compared to sctp_addr_wq_timeout_handler().
+
+Instead of taking the lock on sctp_sock_migrate() for copying and
+restoring the list values, it's preferred to avoid rewritting it by
+implementing sctp_copy_descendant().
+
+Issue was found with a test application that kept flipping sysctl
+default_auto_asconf on and off, but one could trigger it by issuing
+simultaneous setsockopt() calls on multiple sockets or by
+creating/destroying sockets fast enough. This is only triggerable
+locally.
+
+Fixes: 9f7d653b67ae ("sctp: Add Auto-ASCONF support (core).")
+Reported-by: Ji Jianwen <jiji at redhat.com>
+Suggested-by: Neil Horman <nhorman at tuxdriver.com>
+Suggested-by: Hannes Frederic Sowa <hannes at stressinduktion.org>
+Acked-by: Hannes Frederic Sowa <hannes at stressinduktion.org>
+Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner at gmail.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+[bwh: Backported to 3.2:
+ - Adjust filename, context
+ - Most per-netns state is global]
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+--- a/include/net/sctp/structs.h
++++ b/include/net/sctp/structs.h
+@@ -209,6 +209,7 @@ extern struct sctp_globals {
+ 	struct list_head addr_waitq;
+ 	struct timer_list addr_wq_timer;
+ 	struct list_head auto_asconf_splist;
++	/* Lock that protects both addr_waitq and auto_asconf_splist */
+ 	spinlock_t addr_wq_lock;
+ 
+ 	/* Lock that protects the local_addr_list writers */
+@@ -355,6 +356,10 @@ struct sctp_sock {
+ 	atomic_t pd_mode;
+ 	/* Receive to here while partial delivery is in effect. */
+ 	struct sk_buff_head pd_lobby;
++
++	/* These must be the last fields, as they will skipped on copies,
++	 * like on accept and peeloff operations
++	 */
+ 	struct list_head auto_asconf_list;
+ 	int do_auto_asconf;
+ };
+--- a/net/sctp/socket.c
++++ b/net/sctp/socket.c
+@@ -1539,8 +1539,10 @@ SCTP_STATIC void sctp_close(struct sock
+ 
+ 	/* Supposedly, no process has access to the socket, but
+ 	 * the net layers still may.
++	 * Also, sctp_destroy_sock() needs to be called with addr_wq_lock
++	 * held and that should be grabbed before socket lock.
+ 	 */
+-	sctp_local_bh_disable();
++	spin_lock_bh(&sctp_globals.addr_wq_lock);
+ 	sctp_bh_lock_sock(sk);
+ 
+ 	/* Hold the sock, since sk_common_release() will put sock_put()
+@@ -1550,7 +1552,7 @@ SCTP_STATIC void sctp_close(struct sock
+ 	sk_common_release(sk);
+ 
+ 	sctp_bh_unlock_sock(sk);
+-	sctp_local_bh_enable();
++	spin_unlock_bh(&sctp_globals.addr_wq_lock);
+ 
+ 	sock_put(sk);
+ 
+@@ -3499,6 +3501,7 @@ static int sctp_setsockopt_auto_asconf(s
+ 	if ((val && sp->do_auto_asconf) || (!val && !sp->do_auto_asconf))
+ 		return 0;
+ 
++	spin_lock_bh(&sctp_globals.addr_wq_lock);
+ 	if (val == 0 && sp->do_auto_asconf) {
+ 		list_del(&sp->auto_asconf_list);
+ 		sp->do_auto_asconf = 0;
+@@ -3507,6 +3510,7 @@ static int sctp_setsockopt_auto_asconf(s
+ 		    &sctp_auto_asconf_splist);
+ 		sp->do_auto_asconf = 1;
+ 	}
++	spin_unlock_bh(&sctp_globals.addr_wq_lock);
+ 	return 0;
+ }
+ 
+@@ -3942,18 +3946,28 @@ SCTP_STATIC int sctp_init_sock(struct so
+ 	local_bh_disable();
+ 	percpu_counter_inc(&sctp_sockets_allocated);
+ 	sock_prot_inuse_add(sock_net(sk), sk->sk_prot, 1);
++
++	/* Nothing can fail after this block, otherwise
++	 * sctp_destroy_sock() will be called without addr_wq_lock held
++	 */
+ 	if (sctp_default_auto_asconf) {
++		spin_lock(&sctp_globals.addr_wq_lock);
+ 		list_add_tail(&sp->auto_asconf_list,
+ 		    &sctp_auto_asconf_splist);
+ 		sp->do_auto_asconf = 1;
+-	} else
++		spin_unlock(&sctp_globals.addr_wq_lock);
++	} else {
+ 		sp->do_auto_asconf = 0;
++	}
++
+ 	local_bh_enable();
+ 
+ 	return 0;
+ }
+ 
+-/* Cleanup any SCTP per socket resources.  */
++/* Cleanup any SCTP per socket resources. Must be called with
++ * sctp_globals.addr_wq_lock held if sp->do_auto_asconf is true
++ */
+ SCTP_STATIC void sctp_destroy_sock(struct sock *sk)
+ {
+ 	struct sctp_sock *sp;
+@@ -6713,6 +6727,19 @@ void sctp_copy_sock(struct sock *newsk,
+ 	newinet->mc_list = NULL;
+ }
+ 
++static inline void sctp_copy_descendant(struct sock *sk_to,
++					const struct sock *sk_from)
++{
++	int ancestor_size = sizeof(struct inet_sock) +
++			    sizeof(struct sctp_sock) -
++			    offsetof(struct sctp_sock, auto_asconf_list);
++
++	if (sk_from->sk_family == PF_INET6)
++		ancestor_size += sizeof(struct ipv6_pinfo);
++
++	__inet_sk_copy_descendant(sk_to, sk_from, ancestor_size);
++}
++
+ /* Populate the fields of the newsk from the oldsk and migrate the assoc
+  * and its messages to the newsk.
+  */
+@@ -6727,7 +6754,6 @@ static void sctp_sock_migrate(struct soc
+ 	struct sk_buff *skb, *tmp;
+ 	struct sctp_ulpevent *event;
+ 	struct sctp_bind_hashbucket *head;
+-	struct list_head tmplist;
+ 
+ 	/* Migrate socket buffer sizes and all the socket level options to the
+ 	 * new socket.
+@@ -6735,12 +6761,7 @@ static void sctp_sock_migrate(struct soc
+ 	newsk->sk_sndbuf = oldsk->sk_sndbuf;
+ 	newsk->sk_rcvbuf = oldsk->sk_rcvbuf;
+ 	/* Brute force copy old sctp opt. */
+-	if (oldsp->do_auto_asconf) {
+-		memcpy(&tmplist, &newsp->auto_asconf_list, sizeof(tmplist));
+-		inet_sk_copy_descendant(newsk, oldsk);
+-		memcpy(&newsp->auto_asconf_list, &tmplist, sizeof(tmplist));
+-	} else
+-		inet_sk_copy_descendant(newsk, oldsk);
++	sctp_copy_descendant(newsk, oldsk);
+ 
+ 	/* Restore the ep value that was overwritten with the above structure
+ 	 * copy.

Added: dists/wheezy-security/linux/debian/patches/bugfix/x86/x86-bpf_jit-fix-compilation-of-large-bpf-programs.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/wheezy-security/linux/debian/patches/bugfix/x86/x86-bpf_jit-fix-compilation-of-large-bpf-programs.patch	Wed Jul 22 02:17:38 2015	(r22840)
@@ -0,0 +1,43 @@
+From: Alexei Starovoitov <ast at plumgrid.com>
+Date: Fri, 22 May 2015 15:42:55 -0700
+Subject: x86: bpf_jit: fix compilation of large bpf programs
+Origin: https://git.kernel.org/linus/3f7352bf21f8fd7ba3e2fcef9488756f188e12be
+
+x86 has variable length encoding. x86 JIT compiler is trying
+to pick the shortest encoding for given bpf instruction.
+While doing so the jump targets are changing, so JIT is doing
+multiple passes over the program. Typical program needs 3 passes.
+Some very short programs converge with 2 passes. Large programs
+may need 4 or 5. But specially crafted bpf programs may hit the
+pass limit and if the program converges on the last iteration
+the JIT compiler will be producing an image full of 'int 3' insns.
+Fix this corner case by doing final iteration over bpf program.
+
+Fixes: 0a14842f5a3c ("net: filter: Just In Time compiler for x86-64")
+Reported-by: Daniel Borkmann <daniel at iogearbox.net>
+Signed-off-by: Alexei Starovoitov <ast at plumgrid.com>
+Tested-by: Daniel Borkmann <daniel at iogearbox.net>
+Acked-by: Daniel Borkmann <daniel at iogearbox.net>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+[bwh: Backported to 3.2: adjust context]
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ arch/x86/net/bpf_jit_comp.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/net/bpf_jit_comp.c
++++ b/arch/x86/net/bpf_jit_comp.c
+@@ -150,7 +150,12 @@ void bpf_jit_compile(struct sk_filter *f
+ 	}
+ 	cleanup_addr = proglen; /* epilogue address */
+ 
+-	for (pass = 0; pass < 10; pass++) {
++	/* JITed image shrinks with every pass and the loop iterates
++	 * until the image stops shrinking. Very large bpf programs
++	 * may converge on the last pass. In such case do one more
++	 * pass to emit the final image
++	 */
++	for (pass = 0; pass < 10 || image; pass++) {
+ 		u8 seen_or_pass0 = (pass == 0) ? (SEEN_XREG | SEEN_DATAREF | SEEN_MEM) : seen;
+ 		/* no prologue/epilogue for trivial filters (RET something) */
+ 		proglen = 0;

Modified: dists/wheezy-security/linux/debian/patches/series
==============================================================================
--- dists/wheezy-security/linux/debian/patches/series	Fri Jul 17 07:29:12 2015	(r22839)
+++ dists/wheezy-security/linux/debian/patches/series	Wed Jul 22 02:17:38 2015	(r22840)
@@ -1171,3 +1171,5 @@
 bugfix/all/udf-check-length-of-extended-attributes-and-allocati.patch
 bugfix/all/ipv4-missing-sk_nulls_node_init-in-ping_unhash.patch
 bugfix/all/udp-fix-behavior-of-wrong-checksums.patch
+bugfix/all/sctp-fix-asconf-list-handling.patch
+bugfix/x86/x86-bpf_jit-fix-compilation-of-large-bpf-programs.patch

More information about the Kernel-svn-changes mailing list