[PATCH v2 0/1][T] CVE-2018-5390 - Fix incorrect patch backport

[PATCH v2 0/1][T] CVE-2018-5390 - Fix incorrect patch backport

Tyler Hicks-2
The Xenial and Trusty backport of the fix for CVE-2018-5390 was incorrect. The
Xenial tree will be fixed with smb's rebase on top of a newer linux-stable
release. This patch fixes the issue in Trusty.

* Change since v1:
  - Reset range_truesize variable when moving on to a new range

Tyler


--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team

[PATCH v2 1/1] UBUNTU: SAUCE: tcp: Correct the backport of the CVE-2018-5390 fix

Tyler Hicks-2
The backport of upstream commit 3d4bf93ac120 ("tcp: detect malicious
patterns in tcp_collapse_ofo_queue()") didn't correctly reset
range_truesize when moving on to a new range and didn't increase
range_truesize when operating within a range.

CVE-2018-5390

Fixes: 8a668da92a76 ("tcp: detect malicious patterns in tcp_collapse_ofo_queue()")
Signed-off-by: Tyler Hicks <[hidden email]>
---
 net/ipv4/tcp_input.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
index ab79331a510e..e9cb861e7289 100644
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -4636,8 +4636,9 @@ static void tcp_collapse_ofo_queue(struct sock *sk)
  /* Start new segment */
  start = TCP_SKB_CB(skb)->seq;
  end = TCP_SKB_CB(skb)->end_seq;
- range_truesize += skb->truesize;
+ range_truesize = skb->truesize;
  } else {
+ range_truesize += skb->truesize;
  if (before(TCP_SKB_CB(skb)->seq, start))
  start = TCP_SKB_CB(skb)->seq;
  if (after(TCP_SKB_CB(skb)->end_seq, end))
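Review bot: the commit message names the two accumulation errors but not their runtime effect, and the code that reads `range_truesize` is outside this hunk's context. With the old `+=` under "Start new segment" the counter carried the previous range's total into the next range, and with no increment in the `else` branch the skbs merged into the current range were never counted. A sentence in the log saying how that skewed the check that consumes `range_truesize` would help anyone auditing the CVE-2018-5390 backport later. A one-line comment at the variable's declaration, stating that it holds the summed truesize of the skbs in the current start..end range, would also make the reset/accumulate split self-explanatory.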
--
2.7.4



ACK: [PATCH v2 0/1][T] CVE-2018-5390 - Fix incorrect patch backport

Marcelo Henrique Cerri
In reply to this post by Tyler Hicks-2
I checked the upstream patch and the fix is properly replicating the
correct behavior.

Acked-by: Marcelo Henrique Cerri <[hidden email]>


ACK: [PATCH v2 1/1] UBUNTU: SAUCE: tcp: Correct the backport of the CVE-2018-5390 fix

Stefan Bader-2
In reply to this post by Tyler Hicks-2
On 14.09.2018 22:47, Tyler Hicks wrote:
> The backport of upstream commit 3d4bf93ac120 ("tcp: detect malicious
> patterns in tcp_collapse_ofo_queue()") didn't correctly reset
> range_truesize when moving on to a new range and didn't increase
> range_truesize when operating within a range.
>
> CVE-2018-5390
>
> Fixes: 8a668da92a76 ("tcp: detect malicious patterns in tcp_collapse_ofo_queue()")
> Signed-off-by: Tyler Hicks <[hidden email]>
Acked-by: Stefan Bader <[hidden email]>
> ---

Looks like the version I ended up with for Xenial.

-Stefan

>  net/ipv4/tcp_input.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
> index ab79331a510e..e9cb861e7289 100644
> --- a/net/ipv4/tcp_input.c
> +++ b/net/ipv4/tcp_input.c
> @@ -4636,8 +4636,9 @@ static void tcp_collapse_ofo_queue(struct sock *sk)
>   /* Start new segment */
>   start = TCP_SKB_CB(skb)->seq;
>   end = TCP_SKB_CB(skb)->end_seq;
> - range_truesize += skb->truesize;
> + range_truesize = skb->truesize;
>   } else {
> + range_truesize += skb->truesize;
>   if (before(TCP_SKB_CB(skb)->seq, start))
>   start = TCP_SKB_CB(skb)->seq;
>   if (after(TCP_SKB_CB(skb)->end_seq, end))
>
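Review bot: the reset `range_truesize = skb->truesize;` under "Start new segment" only covers ranges that begin inside the loop; the value used for the first range is set outside the three context lines shown in this hunk. Worth confirming against the tree that the initial assignment, wherever `start` and `end` are first set, seeds `range_truesize` from the head skb's truesize in the same way, so the first range is counted like every later one.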



APPLIED: [PATCH v2 0/1][T] CVE-2018-5390 - Fix incorrect patch backport

Stefan Bader-2
In reply to this post by Tyler Hicks-2
On 14.09.2018 22:47, Tyler Hicks wrote:

> The Xenial and Trusty backport of the fix for CVE-2018-5390 was incorrect. The
> Xenial tree will be fixed with smb's rebase on top of a newer linux-stable
> release. This patch fixes the issue in Trusty.
>
> * Change since v1:
>   - Reset range_truesize variable when moving on to a new range
>
> Tyler
>
>
Applied to trusty/master-next. Thanks.

-Stefan

