[PATCH 0/1][T] CVE-2018-5390 - Fix incorrect patch backport


[PATCH 0/1][T] CVE-2018-5390 - Fix incorrect patch backport

Tyler Hicks-2
The Xenial and Trusty backport of the fix for CVE-2018-5390 was incorrect. The
Xenial tree will be fixed with smb's rebase on top of a newer linux-stable
release. This patch fixes the issue in Trusty.

Tyler


--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team

[PATCH 1/1] UBUNTU: SAUCE: tcp: Correct the backport of the CVE-2018-5390 fix

Tyler Hicks-2
The backport of upstream commit 3d4bf93ac120 ("tcp: detect malicious
patterns in tcp_collapse_ofo_queue()") didn't increase the
range_truesize value in some situations.

CVE-2018-5390

Fixes: 8a668da92a76 ("tcp: detect malicious patterns in tcp_collapse_ofo_queue()")
Signed-off-by: Tyler Hicks <[hidden email]>
---
 net/ipv4/tcp_input.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
index ab79331a510e..4d5c79f40aac 100644
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -4638,6 +4638,7 @@ static void tcp_collapse_ofo_queue(struct sock *sk)
  end = TCP_SKB_CB(skb)->end_seq;
  range_truesize += skb->truesize;
  } else {
+ range_truesize += skb->truesize;
  if (before(TCP_SKB_CB(skb)->seq, start))
  start = TCP_SKB_CB(skb)->seq;
  if (after(TCP_SKB_CB(skb)->end_seq, end))
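Review bot: The context line "range_truesize += skb->truesize;" directly above "} else {" is left untouched, so the branch that assigns "end" outright still accumulates into range_truesize instead of restarting it. If that branch begins a new range, as the plain assignment to "end" suggests, the counter should be set with "=" there; otherwise the "+=" added in the else branch only grows a total that never resets between ranges. Consider folding that change into this patch, and have the commit message name the missed case (the else branch that widens start/end) rather than "some situations".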
--
2.7.4



Re: [PATCH 1/1] UBUNTU: SAUCE: tcp: Correct the backport of the CVE-2018-5390 fix

Tyler Hicks-2
Hold off on applying this change. There's still a discrepancy (+= vs =
for the existing range_truesize assignment) between the 4.14.y stable
branch and what this patch does.

Tyler

On 2018-09-14 18:50:23, Tyler Hicks wrote:

> The backport of upstream commit 3d4bf93ac120 ("tcp: detect malicious
> patterns in tcp_collapse_ofo_queue()") didn't increase the
> range_truesize value in some situations.
>
> CVE-2018-5390
>
> Fixes: 8a668da92a76 ("tcp: detect malicious patterns in tcp_collapse_ofo_queue()")
> Signed-off-by: Tyler Hicks <[hidden email]>
> ---
>  net/ipv4/tcp_input.c | 1 +
>  1 file changed, 1 insertion(+)
>
> diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
> index ab79331a510e..4d5c79f40aac 100644
> --- a/net/ipv4/tcp_input.c
> +++ b/net/ipv4/tcp_input.c
> @@ -4638,6 +4638,7 @@ static void tcp_collapse_ofo_queue(struct sock *sk)
>   end = TCP_SKB_CB(skb)->end_seq;
>   range_truesize += skb->truesize;
>   } else {
> + range_truesize += skb->truesize;
>   if (before(TCP_SKB_CB(skb)->seq, start))
>   start = TCP_SKB_CB(skb)->seq;
>   if (after(TCP_SKB_CB(skb)->end_seq, end))
> --
> 2.7.4

NAK: [PATCH 1/1] UBUNTU: SAUCE: tcp: Correct the backport of the CVE-2018-5390 fix

Tyler Hicks-2
On 2018-09-14 14:44:24, Tyler Hicks wrote:
> Hold off on applying this change. There's still a discrepancy (+= vs =
> for the existing range_truesize assignment) between the 4.14.y stable
> branch and what this patch does.

Yeah, I need one other change to correct the backport. I'll send out the
corrected patch in a v2.

Tyler

>
> Tyler
>
> On 2018-09-14 18:50:23, Tyler Hicks wrote:
> > The backport of upstream commit 3d4bf93ac120 ("tcp: detect malicious
> > patterns in tcp_collapse_ofo_queue()") didn't increase the
> > range_truesize value in some situations.
> >
> > CVE-2018-5390
> >
> > Fixes: 8a668da92a76 ("tcp: detect malicious patterns in tcp_collapse_ofo_queue()")
> > Signed-off-by: Tyler Hicks <[hidden email]>
> > ---
> >  net/ipv4/tcp_input.c | 1 +
> >  1 file changed, 1 insertion(+)
> >
> > diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
> > index ab79331a510e..4d5c79f40aac 100644
> > --- a/net/ipv4/tcp_input.c
> > +++ b/net/ipv4/tcp_input.c
> > @@ -4638,6 +4638,7 @@ static void tcp_collapse_ofo_queue(struct sock *sk)
> >   end = TCP_SKB_CB(skb)->end_seq;
> >   range_truesize += skb->truesize;
> >   } else {
> > + range_truesize += skb->truesize;
> >   if (before(TCP_SKB_CB(skb)->seq, start))
> >   start = TCP_SKB_CB(skb)->seq;
> >   if (after(TCP_SKB_CB(skb)->end_seq, end))
> > --
> > 2.7.4