diff options
Diffstat (limited to 'recipes-kernel/linux')
-rw-r--r-- | recipes-kernel/linux/files/modify-defconfig-t1040-nr-cpus.patch | 33 | ||||
-rw-r--r-- | recipes-kernel/linux/files/net-sctp-CVE-2014-0101.patch | 145 | ||||
-rw-r--r-- | recipes-kernel/linux/linux-qoriq.inc | 46 | ||||
-rw-r--r-- | recipes-kernel/linux/linux-qoriq_3.12.bb | 7 |
4 files changed, 231 insertions, 0 deletions
diff --git a/recipes-kernel/linux/files/modify-defconfig-t1040-nr-cpus.patch b/recipes-kernel/linux/files/modify-defconfig-t1040-nr-cpus.patch new file mode 100644 index 00000000..7d109edb --- /dev/null +++ b/recipes-kernel/linux/files/modify-defconfig-t1040-nr-cpus.patch @@ -0,0 +1,33 @@ +From 8545129540a5862b22aad03badb2a9f93bf29117 Mon Sep 17 00:00:00 2001 +From: Bob Cochran <yocto@mindchasers.com> +Date: Mon, 3 Nov 2014 22:45:35 -0500 +Subject: [meta-fsl-ppc][PATCH] linux-qoriq: Change defconfig for T1040 to + match number of CPUS + +Having a number higher than necessary for NR_CPUS wastes memory by +instantiating unnecessary structures in RAM. An example is in the DPAA where +DPAA_ETH_TX_QUEUES is defined based on NR_CPUS and used to create +dozens of extra qman_fq structures. Using the prior value of 24, which was +left over from the T4240 created an additonal 60 frame queue structures alone. + +This has been tested on t1040rdb-64b. . + +Signed-off-by: Bob Cochran <yocto@mindchasers.com> +--- + arch/powerpc/configs/corenet32_fmanv3l_smp_defconfig | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +diff --git a/arch/powerpc/configs/corenet32_fmanv3l_smp_defconfig b/arch/powerpc/configs/corenet32_fmanv3l_smp_defconfig +index a401e7c..5542248 100644 +--- a/arch/powerpc/configs/corenet32_fmanv3l_smp_defconfig ++++ b/arch/powerpc/configs/corenet32_fmanv3l_smp_defconfig +@@ -1,6 +1,6 @@ + CONFIG_PPC_85xx=y + CONFIG_SMP=y +-CONFIG_NR_CPUS=8 ++CONFIG_NR_CPUS=4 + CONFIG_EXPERIMENTAL=y + CONFIG_SYSVIPC=y + CONFIG_POSIX_MQUEUE=y +-- +1.7.9.5 diff --git a/recipes-kernel/linux/files/net-sctp-CVE-2014-0101.patch b/recipes-kernel/linux/files/net-sctp-CVE-2014-0101.patch new file mode 100644 index 00000000..ddcb6c5d --- /dev/null +++ b/recipes-kernel/linux/files/net-sctp-CVE-2014-0101.patch @@ -0,0 +1,145 @@ +From 00c53b02cb01976b35d37670a4b5c5d7a6ad3c62 Mon Sep 17 00:00:00 2001 +From: Daniel Borkmann <dborkman@redhat.com> +Date: Mon, 3 Mar 2014 17:23:04 +0100 +Subject: [PATCH] net: sctp: fix sctp_sf_do_5_1D_ce to verify if we/peer is + AUTH capable + +[ Upstream commit ec0223ec48a90cb605244b45f7c62de856403729 ] + +RFC4895 introduced AUTH chunks for SCTP; during the SCTP +handshake RANDOM; CHUNKS; HMAC-ALGO are negotiated (CHUNKS +being optional though): + + ---------- INIT[RANDOM; CHUNKS; HMAC-ALGO] ----------> + <------- INIT-ACK[RANDOM; CHUNKS; HMAC-ALGO] --------- + -------------------- COOKIE-ECHO --------------------> + <-------------------- COOKIE-ACK --------------------- + +A special case is when an endpoint requires COOKIE-ECHO +chunks to be authenticated: + + ---------- INIT[RANDOM; CHUNKS; HMAC-ALGO] ----------> + <------- INIT-ACK[RANDOM; CHUNKS; HMAC-ALGO] --------- + ------------------ AUTH; COOKIE-ECHO ----------------> + <-------------------- COOKIE-ACK --------------------- + +RFC4895, section 6.3. Receiving Authenticated Chunks says: + + The receiver MUST use the HMAC algorithm indicated in + the HMAC Identifier field. If this algorithm was not + specified by the receiver in the HMAC-ALGO parameter in + the INIT or INIT-ACK chunk during association setup, the + AUTH chunk and all the chunks after it MUST be discarded + and an ERROR chunk SHOULD be sent with the error cause + defined in Section 4.1. [...] If no endpoint pair shared + key has been configured for that Shared Key Identifier, + all authenticated chunks MUST be silently discarded. [...] + + When an endpoint requires COOKIE-ECHO chunks to be + authenticated, some special procedures have to be followed + because the reception of a COOKIE-ECHO chunk might result + in the creation of an SCTP association. If a packet arrives + containing an AUTH chunk as a first chunk, a COOKIE-ECHO + chunk as the second chunk, and possibly more chunks after + them, and the receiver does not have an STCB for that + packet, then authentication is based on the contents of + the COOKIE-ECHO chunk. In this situation, the receiver MUST + authenticate the chunks in the packet by using the RANDOM + parameters, CHUNKS parameters and HMAC_ALGO parameters + obtained from the COOKIE-ECHO chunk, and possibly a local + shared secret as inputs to the authentication procedure + specified in Section 6.3. If authentication fails, then + the packet is discarded. If the authentication is successful, + the COOKIE-ECHO and all the chunks after the COOKIE-ECHO + MUST be processed. If the receiver has an STCB, it MUST + process the AUTH chunk as described above using the STCB + from the existing association to authenticate the + COOKIE-ECHO chunk and all the chunks after it. [...] + +Commit bbd0d59809f9 introduced the possibility to receive +and verification of AUTH chunk, including the edge case for +authenticated COOKIE-ECHO. On reception of COOKIE-ECHO, +the function sctp_sf_do_5_1D_ce() handles processing, +unpacks and creates a new association if it passed sanity +checks and also tests for authentication chunks being +present. After a new association has been processed, it +invokes sctp_process_init() on the new association and +walks through the parameter list it received from the INIT +chunk. It checks SCTP_PARAM_RANDOM, SCTP_PARAM_HMAC_ALGO +and SCTP_PARAM_CHUNKS, and copies them into asoc->peer +meta data (peer_random, peer_hmacs, peer_chunks) in case +sysctl -w net.sctp.auth_enable=1 is set. If in INIT's +SCTP_PARAM_SUPPORTED_EXT parameter SCTP_CID_AUTH is set, +peer_random != NULL and peer_hmacs != NULL the peer is to be +assumed asoc->peer.auth_capable=1, in any other case +asoc->peer.auth_capable=0. + +Now, if in sctp_sf_do_5_1D_ce() chunk->auth_chunk is +available, we set up a fake auth chunk and pass that on to +sctp_sf_authenticate(), which at latest in +sctp_auth_calculate_hmac() reliably dereferences a NULL pointer +at position 0..0008 when setting up the crypto key in +crypto_hash_setkey() by using asoc->asoc_shared_key that is +NULL as condition key_id == asoc->active_key_id is true if +the AUTH chunk was injected correctly from remote. This +happens no matter what net.sctp.auth_enable sysctl says. + +The fix is to check for net->sctp.auth_enable and for +asoc->peer.auth_capable before doing any operations like +sctp_sf_authenticate() as no key is activated in +sctp_auth_asoc_init_active_key() for each case. + +Now as RFC4895 section 6.3 states that if the used HMAC-ALGO +passed from the INIT chunk was not used in the AUTH chunk, we +SHOULD send an error; however in this case it would be better +to just silently discard such a maliciously prepared handshake +as we didn't even receive a parameter at all. Also, as our +endpoint has no shared key configured, section 6.3 says that +MUST silently discard, which we are doing from now onwards. + +Before calling sctp_sf_pdiscard(), we need not only to free +the association, but also the chunk->auth_chunk skb, as +commit bbd0d59809f9 created a skb clone in that case. + +I have tested this locally by using netfilter's nfqueue and +re-injecting packets into the local stack after maliciously +modifying the INIT chunk (removing RANDOM; HMAC-ALGO param) +and the SCTP packet containing the COOKIE_ECHO (injecting +AUTH chunk before COOKIE_ECHO). Fixed with this patch applied. + +This fixes CVE-2014-0101 +Upstream-Status: Backport + +Fixes: bbd0d59809f9 ("[SCTP]: Implement the receive and verification of AUTH chunk") +Signed-off-by: Daniel Borkmann <dborkman@redhat.com> +Cc: Vlad Yasevich <yasevich@gmail.com> +Cc: Neil Horman <nhorman@tuxdriver.com> +Acked-by: Vlad Yasevich <vyasevich@gmail.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> +--- + net/sctp/sm_statefuns.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c +index dfe3f36..56ebe71 100644 +--- a/net/sctp/sm_statefuns.c ++++ b/net/sctp/sm_statefuns.c +@@ -768,6 +768,13 @@ sctp_disposition_t sctp_sf_do_5_1D_ce(struct net *net, + return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); + } + ++ /* Make sure that we and the peer are AUTH capable */ ++ if (!net->sctp.auth_enable || !new_asoc->peer.auth_capable) { ++ kfree_skb(chunk->auth_chunk); ++ sctp_association_free(new_asoc); ++ return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); ++ } ++ + /* set-up our fake chunk so that we can process it */ + auth.skb = chunk->auth_chunk; + auth.asoc = chunk->asoc; +-- +1.9.1 + diff --git a/recipes-kernel/linux/linux-qoriq.inc b/recipes-kernel/linux/linux-qoriq.inc new file mode 100644 index 00000000..a832b46a --- /dev/null +++ b/recipes-kernel/linux/linux-qoriq.inc @@ -0,0 +1,46 @@ +inherit kernel qoriq_build_64bit_kernel +require recipes-kernel/linux/linux-dtb.inc + +DESCRIPTION = "Linux kernel for Freescale platforms" +SECTION = "kernel" +LICENSE = "GPLv2" +LIC_FILES_CHKSUM = "file://COPYING;md5=d7810fab7487fb0aad327b76f1be7cd7" + +KSRC ?= "" +S = '${@base_conditional("KSRC", "", "${WORKDIR}/git", "${KSRC}", d)}' + +DEPENDS_append = " libgcc" +KERNEL_CC_append = " ${TOOLCHAIN_OPTIONS}" +KERNEL_LD_append = " ${TOOLCHAIN_OPTIONS}" + +SCMVERSION ?= "y" +DELTA_KERNEL_DEFCONFIG ?= "" +do_configure_prepend() { + # copy desired defconfig so we pick it up for the real kernel_do_configure + cp ${KERNEL_DEFCONFIG} ${B}/.config + + # add config fragments + for deltacfg in ${DELTA_KERNEL_DEFCONFIG}; do + if [ -f "${deltacfg}" ]; then + ${S}/scripts/kconfig/merge_config.sh -m .config ${deltacfg} + elif [ -f "${S}/arch/powerpc/configs/${deltacfg}" ]; then + ${S}/scripts/kconfig/merge_config.sh -m .config \ + ${S}/arch/powerpc/configs/${deltacfg} + fi + done + + #add git revision to the local version + if [ "${SCMVERSION}" = "y" ]; then + # append sdk version if SDK_VERSION is defined + sdkversion='' + if [ -n "${SDK_VERSION}" ]; then + sdkversion="-${SDK_VERSION}" + fi + head=`git --git-dir=${S}/.git rev-parse --verify --short HEAD 2> /dev/null` + printf "%s%s%s" $sdkversion +g $head > ${B}/.scmversion + fi +} + +# make everything compatible for the time being +COMPATIBLE_MACHINE_$MACHINE = "$MACHINE" + diff --git a/recipes-kernel/linux/linux-qoriq_3.12.bb b/recipes-kernel/linux/linux-qoriq_3.12.bb new file mode 100644 index 00000000..3e0ab954 --- /dev/null +++ b/recipes-kernel/linux/linux-qoriq_3.12.bb @@ -0,0 +1,7 @@ +require recipes-kernel/linux/linux-qoriq.inc + +SRC_URI = "git://git.freescale.com/ppc/sdk/linux.git;nobranch=1 \ + file://modify-defconfig-t1040-nr-cpus.patch \ + file://net-sctp-CVE-2014-0101.patch \ +" +SRCREV = "f488de6741d5ba805b9fe813d2ddf32368d3a888" |