1. 27 Apr, 2014 9 commits
    • Michael S. Tsirkin's avatar
      vhost: fix total length when packets are too short · 20a51abb
      Michael S. Tsirkin authored
      [ Upstream commit d8316f39 ]
      
      When mergeable buffers are disabled, and the
      incoming packet is too large for the rx buffer,
      get_rx_bufs returns success.
      
      This was intentional in order for make recvmsg
      truncate the packet and then handle_rx would
      detect err != sock_len and drop it.
      
      Unfortunately we pass the original sock_len to
      recvmsg - which means we use parts of iov not fully
      validated.
      
      Fix this up by detecting this overrun and doing packet drop
      immediately.
      
      CVE-2014-0077
      Signed-off-by: default avatarMichael S. Tsirkin <mst@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      20a51abb
    • lucien's avatar
      ipv6: ip6_append_data_mtu do not handle the mtu of the second fragment properly · 4b6da919
      lucien authored
      [ Upstream commit e367c2d0 ]
      
      In ip6_append_data_mtu(), when the xfrm mode is not tunnel(such as
      transport),the ipsec header need to be added in the first fragment, so the mtu
      will decrease to reserve space for it, then the second fragment come, the mtu
      should be turn back, as the commit 0c183379
      said.  however, in the commit a493e60ac4bbe2e977e7129d6d8cbb0dd236be, it use
      *mtu = min(*mtu, ...) to change the mtu, which lead to the new mtu is alway
      equal with the first fragment's. and cannot turn back.
      
      when I test through  ping6 -c1 -s5000 $ip (mtu=1280):
      ...frag (0|1232) ESP(spi=0x00002000,seq=0xb), length 1232
      ...frag (1232|1216)
      ...frag (2448|1216)
      ...frag (3664|1216)
      ...frag (4880|164)
      
      which should be:
      ...frag (0|1232) ESP(spi=0x00001000,seq=0x1), length 1232
      ...frag (1232|1232)
      ...frag (2464|1232)
      ...frag (3696|1232)
      ...frag (4928|116)
      
      so delete the min() when change back the mtu.
      Signed-off-by: default avatarXin Long <lucien.xin@gmail.com>
      Fixes: 75a493e6 ("ipv6: ip6_append_data_mtu did not care about pmtudisc and frag_size")
      Acked-by: default avatarHannes Frederic Sowa <hannes@stressinduktion.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      4b6da919
    • Heiner Kallweit's avatar
      ipv6: Avoid unnecessary temporary addresses being generated · 4800c471
      Heiner Kallweit authored
      [ Upstream commit ecab6701 ]
      
      tmp_prefered_lft is an offset to ifp->tstamp, not now. Therefore
      age needs to be added to the condition.
      
      Age calculation in ipv6_create_tempaddr is different from the one
      in addrconf_verify and doesn't consider ADDRCONF_TIMER_FUZZ_MINUS.
      This can cause age in ipv6_create_tempaddr to be less than the one
      in addrconf_verify and therefore unnecessary temporary address to
      be generated.
      Use age calculation as in addrconf_modify to avoid this.
      Signed-off-by: default avatarHeiner Kallweit <heiner.kallweit@web.de>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      4800c471
    • Matthew Leach's avatar
      net: socket: error on a negative msg_namelen · d82c152b
      Matthew Leach authored
      [ Upstream commit dbb490b9 ]
      
      When copying in a struct msghdr from the user, if the user has set the
      msg_namelen parameter to a negative value it gets clamped to a valid
      size due to a comparison between signed and unsigned values.
      
      Ensure the syscall errors when the user passes in a negative value.
      Signed-off-by: default avatarMatthew Leach <matthew.leach@arm.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      d82c152b
    • Peter Boström's avatar
      vlan: Set correct source MAC address with TX VLAN offload enabled · 711d9170
      Peter Boström authored
      [ Upstream commit dd38743b ]
      
      With TX VLAN offload enabled the source MAC address for frames sent using the
      VLAN interface is currently set to the address of the real interface. This is
      wrong since the VLAN interface may be configured with a different address.
      
      The bug was introduced in commit 2205369a
      ("vlan: Fix header ops passthru when doing TX VLAN offload.").
      
      This patch sets the source address before calling the create function of the
      real interface.
      Signed-off-by: default avatarPeter Boström <peter.bostrom@netrounds.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      711d9170
    • Sabrina Dubroca's avatar
      ipv6: don't set DST_NOCOUNT for remotely added routes · c3363b2d
      Sabrina Dubroca authored
      [ Upstream commit c88507fb ]
      
      DST_NOCOUNT should only be used if an authorized user adds routes
      locally. In case of routes which are added on behalf of router
      advertisments this flag must not get used as it allows an unlimited
      number of routes getting added remotely.
      Signed-off-by: default avatarSabrina Dubroca <sd@queasysnail.net>
      Acked-by: default avatarHannes Frederic Sowa <hannes@stressinduktion.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      c3363b2d
    • Eric Dumazet's avatar
      net: unix: non blocking recvmsg() should not return -EINTR · d7fc329b
      Eric Dumazet authored
      [ Upstream commit de144391 ]
      
      Some applications didn't expect recvmsg() on a non blocking socket
      could return -EINTR. This possibility was added as a side effect
      of commit b3ca9b02 ("net: fix multithreaded signal handling in
      unix recv routines").
      
      To hit this bug, you need to be a bit unlucky, as the u->readlock
      mutex is usually held for very small periods.
      
      Fixes: b3ca9b02 ("net: fix multithreaded signal handling in unix recv routines")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Cc: Rainer Weikusat <rweikusat@mobileactivedefense.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      d7fc329b
    • Linus Lüssing's avatar
      bridge: multicast: add sanity check for query source addresses · 098c9960
      Linus Lüssing authored
      [ Upstream commit 6565b9ee ]
      
      MLD queries are supposed to have an IPv6 link-local source address
      according to RFC2710, section 4 and RFC3810, section 5.1.14. This patch
      adds a sanity check to ignore such broken MLD queries.
      
      Without this check, such malformed MLD queries can result in a
      denial of service: The queries are ignored by any MLD listener
      therefore they will not respond with an MLD report. However,
      without this patch these malformed MLD queries would enable the
      snooping part in the bridge code, potentially shutting down the
      according ports towards these hosts for multicast traffic as the
      bridge did not learn about these listeners.
      Reported-by: default avatarJan Stancek <jstancek@redhat.com>
      Signed-off-by: default avatarLinus Lüssing <linus.luessing@web.de>
      Reviewed-by: default avatarHannes Frederic Sowa <hannes@stressinduktion.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      098c9960
    • Daniel Borkmann's avatar
      net: sctp: fix skb leakage in COOKIE ECHO path of chunk->auth_chunk · 978a9b75
      Daniel Borkmann authored
      [ Upstream commit c485658b ]
      
      While working on ec0223ec ("net: sctp: fix sctp_sf_do_5_1D_ce to
      verify if we/peer is AUTH capable"), we noticed that there's a skb
      memory leakage in the error path.
      
      Running the same reproducer as in ec0223ec and by unconditionally
      jumping to the error label (to simulate an error condition) in
      sctp_sf_do_5_1D_ce() receive path lets kmemleak detector bark about
      the unfreed chunk->auth_chunk skb clone:
      
      Unreferenced object 0xffff8800b8f3a000 (size 256):
        comm "softirq", pid 0, jiffies 4294769856 (age 110.757s)
        hex dump (first 32 bytes):
          00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
          89 ab 75 5e d4 01 58 13 00 00 00 00 00 00 00 00  ..u^..X.........
        backtrace:
          [<ffffffff816660be>] kmemleak_alloc+0x4e/0xb0
          [<ffffffff8119f328>] kmem_cache_alloc+0xc8/0x210
          [<ffffffff81566929>] skb_clone+0x49/0xb0
          [<ffffffffa0467459>] sctp_endpoint_bh_rcv+0x1d9/0x230 [sctp]
          [<ffffffffa046fdbc>] sctp_inq_push+0x4c/0x70 [sctp]
          [<ffffffffa047e8de>] sctp_rcv+0x82e/0x9a0 [sctp]
          [<ffffffff815abd38>] ip_local_deliver_finish+0xa8/0x210
          [<ffffffff815a64af>] nf_reinject+0xbf/0x180
          [<ffffffffa04b4762>] nfqnl_recv_verdict+0x1d2/0x2b0 [nfnetlink_queue]
          [<ffffffffa04aa40b>] nfnetlink_rcv_msg+0x14b/0x250 [nfnetlink]
          [<ffffffff815a3269>] netlink_rcv_skb+0xa9/0xc0
          [<ffffffffa04aa7cf>] nfnetlink_rcv+0x23f/0x408 [nfnetlink]
          [<ffffffff815a2bd8>] netlink_unicast+0x168/0x250
          [<ffffffff815a2fa1>] netlink_sendmsg+0x2e1/0x3f0
          [<ffffffff8155cc6b>] sock_sendmsg+0x8b/0xc0
          [<ffffffff8155d449>] ___sys_sendmsg+0x369/0x380
      
      What happens is that commit bbd0d598 clones the skb containing
      the AUTH chunk in sctp_endpoint_bh_rcv() when having the edge case
      that an endpoint requires COOKIE-ECHO chunks to be authenticated:
      
        ---------- INIT[RANDOM; CHUNKS; HMAC-ALGO] ---------->
        <------- INIT-ACK[RANDOM; CHUNKS; HMAC-ALGO] ---------
        ------------------ AUTH; COOKIE-ECHO ---------------->
        <-------------------- COOKIE-ACK ---------------------
      
      When we enter sctp_sf_do_5_1D_ce() and before we actually get to
      the point where we process (and subsequently free) a non-NULL
      chunk->auth_chunk, we could hit the "goto nomem_init" path from
      an error condition and thus leave the cloned skb around w/o
      freeing it.
      
      The fix is to centrally free such clones in sctp_chunk_destroy()
      handler that is invoked from sctp_chunk_free() after all refs have
      dropped; and also move both kfree_skb(chunk->auth_chunk) there,
      so that chunk->auth_chunk is either NULL (since sctp_chunkify()
      allocs new chunks through kmem_cache_zalloc()) or non-NULL with
      a valid skb pointer. chunk->skb and chunk->auth_chunk are the
      only skbs in the sctp_chunk structure that need to be handeled.
      
      While at it, we should use consume_skb() for both. It is the same
      as dev_kfree_skb() but more appropriately named as we are not
      a device but a protocol. Also, this effectively replaces the
      kfree_skb() from both invocations into consume_skb(). Functions
      are the same only that kfree_skb() assumes that the frame was
      being dropped after a failure (e.g. for tools like drop monitor),
      usage of consume_skb() seems more appropriate in function
      sctp_chunk_destroy() though.
      
      Fixes: bbd0d598 ("[SCTP]: Implement the receive and verification of AUTH chunk")
      Signed-off-by: default avatarDaniel Borkmann <dborkman@redhat.com>
      Cc: Vlad Yasevich <yasevich@gmail.com>
      Cc: Neil Horman <nhorman@tuxdriver.com>
      Acked-by: default avatarVlad Yasevich <vyasevich@gmail.com>
      Acked-by: default avatarNeil Horman <nhorman@tuxdriver.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      978a9b75
  2. 14 Apr, 2014 31 commits