4 files changed, 231 insertions, 0 deletions
diff --git a/recipes-kernel/linux/files/modify-defconfig-t1040-nr-cpus.patch b/recipes-kernel/linux/files/modify-defconfig-t1040-nr-cpus.patch
new file mode 100644
index 00000000..7d109edb
--- /dev/null
+++ b/recipes-kernel/linux/files/modify-defconfig-t1040-nr-cpus.patch
@@ -0,0 +1,33 @@
+From 8545129540a5862b22aad03badb2a9f93bf29117 Mon Sep 17 00:00:00 2001
+From: Bob Cochran <yocto@mindchasers.com>
+Date: Mon, 3 Nov 2014 22:45:35 -0500
+Subject: [meta-fsl-ppc][PATCH] linux-qoriq: Change defconfig for T1040 to
+ match number of CPUS
+
+Having a number higher than necessary for NR_CPUS wastes memory by
+instantiating unnecessary structures in RAM.  An example is in the DPAA where
+DPAA_ETH_TX_QUEUES is defined based on NR_CPUS and used to create
+dozens of extra qman_fq structures.  Using the prior value of 24, which was
+left over from the T4240 created an additonal 60 frame queue structures alone.
+
+This has been tested on t1040rdb-64b.  .
+
+Signed-off-by: Bob Cochran <yocto@mindchasers.com>
+---
+ arch/powerpc/configs/corenet32_fmanv3l_smp_defconfig |    2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+diff --git a/arch/powerpc/configs/corenet32_fmanv3l_smp_defconfig b/arch/powerpc/configs/corenet32_fmanv3l_smp_defconfig
+index a401e7c..5542248 100644
+--- a/arch/powerpc/configs/corenet32_fmanv3l_smp_defconfig
++++ b/arch/powerpc/configs/corenet32_fmanv3l_smp_defconfig
+@@ -1,6 +1,6 @@
+ CONFIG_PPC_85xx=y
+ CONFIG_SMP=y
+-CONFIG_NR_CPUS=8
++CONFIG_NR_CPUS=4
+ CONFIG_EXPERIMENTAL=y
+ CONFIG_SYSVIPC=y
+ CONFIG_POSIX_MQUEUE=y
+--
+1.7.9.5
diff --git a/recipes-kernel/linux/files/net-sctp-CVE-2014-0101.patch b/recipes-kernel/linux/files/net-sctp-CVE-2014-0101.patch
new file mode 100644
index 00000000..ddcb6c5d
--- /dev/null
+++ b/recipes-kernel/linux/files/net-sctp-CVE-2014-0101.patch
@@ -0,0 +1,145 @@
+From 00c53b02cb01976b35d37670a4b5c5d7a6ad3c62 Mon Sep 17 00:00:00 2001
+From: Daniel Borkmann <dborkman@redhat.com>
+Date: Mon, 3 Mar 2014 17:23:04 +0100
+Subject: [PATCH] net: sctp: fix sctp_sf_do_5_1D_ce to verify if we/peer is
+ AUTH capable
+
+[ Upstream commit ec0223ec48a90cb605244b45f7c62de856403729 ]
+
+RFC4895 introduced AUTH chunks for SCTP; during the SCTP
+handshake RANDOM; CHUNKS; HMAC-ALGO are negotiated (CHUNKS
+being optional though):
+
+  ---------- INIT[RANDOM; CHUNKS; HMAC-ALGO] ---------->
+  <------- INIT-ACK[RANDOM; CHUNKS; HMAC-ALGO] ---------
+  -------------------- COOKIE-ECHO -------------------->
+  <-------------------- COOKIE-ACK ---------------------
+
+A special case is when an endpoint requires COOKIE-ECHO
+chunks to be authenticated:
+
+  ---------- INIT[RANDOM; CHUNKS; HMAC-ALGO] ---------->
+  <------- INIT-ACK[RANDOM; CHUNKS; HMAC-ALGO] ---------
+  ------------------ AUTH; COOKIE-ECHO ---------------->
+  <-------------------- COOKIE-ACK ---------------------
+
+RFC4895, section 6.3. Receiving Authenticated Chunks says:
+
+  The receiver MUST use the HMAC algorithm indicated in
+  the HMAC Identifier field. If this algorithm was not
+  specified by the receiver in the HMAC-ALGO parameter in
+  the INIT or INIT-ACK chunk during association setup, the
+  AUTH chunk and all the chunks after it MUST be discarded
+  and an ERROR chunk SHOULD be sent with the error cause
+  defined in Section 4.1. [...] If no endpoint pair shared
+  key has been configured for that Shared Key Identifier,
+  all authenticated chunks MUST be silently discarded. [...]
+
+  When an endpoint requires COOKIE-ECHO chunks to be
+  authenticated, some special procedures have to be followed
+  because the reception of a COOKIE-ECHO chunk might result
+  in the creation of an SCTP association. If a packet arrives
+  containing an AUTH chunk as a first chunk, a COOKIE-ECHO
+  chunk as the second chunk, and possibly more chunks after
+  them, and the receiver does not have an STCB for that
+  packet, then authentication is based on the contents of
+  the COOKIE-ECHO chunk. In this situation, the receiver MUST
+  authenticate the chunks in the packet by using the RANDOM
+  parameters, CHUNKS parameters and HMAC_ALGO parameters
+  obtained from the COOKIE-ECHO chunk, and possibly a local
+  shared secret as inputs to the authentication procedure
+  specified in Section 6.3. If authentication fails, then
+  the packet is discarded. If the authentication is successful,
+  the COOKIE-ECHO and all the chunks after the COOKIE-ECHO
+  MUST be processed. If the receiver has an STCB, it MUST
+  process the AUTH chunk as described above using the STCB
+  from the existing association to authenticate the
+  COOKIE-ECHO chunk and all the chunks after it. [...]
+
+Commit bbd0d59809f9 introduced the possibility to receive
+and verification of AUTH chunk, including the edge case for
+authenticated COOKIE-ECHO. On reception of COOKIE-ECHO,
+the function sctp_sf_do_5_1D_ce() handles processing,
+unpacks and creates a new association if it passed sanity
+checks and also tests for authentication chunks being
+present. After a new association has been processed, it
+invokes sctp_process_init() on the new association and
+walks through the parameter list it received from the INIT
+chunk. It checks SCTP_PARAM_RANDOM, SCTP_PARAM_HMAC_ALGO
+and SCTP_PARAM_CHUNKS, and copies them into asoc->peer
+meta data (peer_random, peer_hmacs, peer_chunks) in case
+sysctl -w net.sctp.auth_enable=1 is set. If in INIT's
+SCTP_PARAM_SUPPORTED_EXT parameter SCTP_CID_AUTH is set,
+peer_random != NULL and peer_hmacs != NULL the peer is to be
+assumed asoc->peer.auth_capable=1, in any other case
+asoc->peer.auth_capable=0.
+
+Now, if in sctp_sf_do_5_1D_ce() chunk->auth_chunk is
+available, we set up a fake auth chunk and pass that on to
+sctp_sf_authenticate(), which at latest in
+sctp_auth_calculate_hmac() reliably dereferences a NULL pointer
+at position 0..0008 when setting up the crypto key in
+crypto_hash_setkey() by using asoc->asoc_shared_key that is
+NULL as condition key_id == asoc->active_key_id is true if
+the AUTH chunk was injected correctly from remote. This
+happens no matter what net.sctp.auth_enable sysctl says.
+
+The fix is to check for net->sctp.auth_enable and for
+asoc->peer.auth_capable before doing any operations like
+sctp_sf_authenticate() as no key is activated in
+sctp_auth_asoc_init_active_key() for each case.
+
+Now as RFC4895 section 6.3 states that if the used HMAC-ALGO
+passed from the INIT chunk was not used in the AUTH chunk, we
+SHOULD send an error; however in this case it would be better
+to just silently discard such a maliciously prepared handshake
+as we didn't even receive a parameter at all. Also, as our
+endpoint has no shared key configured, section 6.3 says that
+MUST silently discard, which we are doing from now onwards.
+
+Before calling sctp_sf_pdiscard(), we need not only to free
+the association, but also the chunk->auth_chunk skb, as
+commit bbd0d59809f9 created a skb clone in that case.
+
+I have tested this locally by using netfilter's nfqueue and
+re-injecting packets into the local stack after maliciously
+modifying the INIT chunk (removing RANDOM; HMAC-ALGO param)
+and the SCTP packet containing the COOKIE_ECHO (injecting
+AUTH chunk before COOKIE_ECHO). Fixed with this patch applied.
+
+This fixes CVE-2014-0101
+Upstream-Status: Backport
+
+Fixes: bbd0d59809f9 ("[SCTP]: Implement the receive and verification of AUTH chunk")
+Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
+Cc: Vlad Yasevich <yasevich@gmail.com>
+Cc: Neil Horman <nhorman@tuxdriver.com>
+Acked-by: Vlad Yasevich <vyasevich@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ net/sctp/sm_statefuns.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
+index dfe3f36..56ebe71 100644
+--- a/net/sctp/sm_statefuns.c
++++ b/net/sctp/sm_statefuns.c
+@@ -768,6 +768,13 @@ sctp_disposition_t sctp_sf_do_5_1D_ce(struct net *net,
+ 			return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
+ 		}
+ 
++		/* Make sure that we and the peer are AUTH capable */
++		if (!net->sctp.auth_enable || !new_asoc->peer.auth_capable) {
++			kfree_skb(chunk->auth_chunk);
++			sctp_association_free(new_asoc);
++			return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
++		}
++
+ 		/* set-up our fake chunk so that we can process it */
+ 		auth.skb = chunk->auth_chunk;
+ 		auth.asoc = chunk->asoc;
+-- 
+1.9.1
+
diff --git a/recipes-kernel/linux/linux-qoriq.inc b/recipes-kernel/linux/linux-qoriq.inc
new file mode 100644
index 00000000..a832b46a
--- /dev/null
+++ b/recipes-kernel/linux/linux-qoriq.inc
@@ -0,0 +1,46 @@
+inherit kernel qoriq_build_64bit_kernel
+require recipes-kernel/linux/linux-dtb.inc
+
+DESCRIPTION = "Linux kernel for Freescale platforms"
+SECTION = "kernel"
+LICENSE = "GPLv2"
+LIC_FILES_CHKSUM = "file://COPYING;md5=d7810fab7487fb0aad327b76f1be7cd7"
+
+KSRC ?= ""
+S = '${@base_conditional("KSRC", "", "${WORKDIR}/git", "${KSRC}", d)}'
+
+DEPENDS_append = " libgcc"
+KERNEL_CC_append = " ${TOOLCHAIN_OPTIONS}"
+KERNEL_LD_append = " ${TOOLCHAIN_OPTIONS}"
+
+SCMVERSION ?= "y"
+DELTA_KERNEL_DEFCONFIG ?= ""
+do_configure_prepend() {
+	# copy desired defconfig so we pick it up for the real kernel_do_configure
+	cp ${KERNEL_DEFCONFIG} ${B}/.config
+
+	# add config fragments
+	for deltacfg in ${DELTA_KERNEL_DEFCONFIG}; do
+		if [ -f "${deltacfg}" ]; then
+			${S}/scripts/kconfig/merge_config.sh -m .config ${deltacfg}
+		elif [ -f "${S}/arch/powerpc/configs/${deltacfg}" ]; then
+		    ${S}/scripts/kconfig/merge_config.sh -m .config \
+			    ${S}/arch/powerpc/configs/${deltacfg}
+		fi
+	done
+
+    #add git revision to the local version
+    if [ "${SCMVERSION}" = "y" ]; then
+            # append sdk version if SDK_VERSION is defined
+            sdkversion=''
+            if [ -n "${SDK_VERSION}" ]; then
+                sdkversion="-${SDK_VERSION}"
+            fi
+            head=`git --git-dir=${S}/.git rev-parse --verify --short HEAD 2> /dev/null`
+            printf "%s%s%s" $sdkversion +g $head > ${B}/.scmversion
+    fi
+}
+
+# make everything compatible for the time being
+COMPATIBLE_MACHINE_$MACHINE = "$MACHINE"
+
diff --git a/recipes-kernel/linux/linux-qoriq_3.12.bb b/recipes-kernel/linux/linux-qoriq_3.12.bb
new file mode 100644
index 00000000..3e0ab954
--- /dev/null
+++ b/recipes-kernel/linux/linux-qoriq_3.12.bb
@@ -0,0 +1,7 @@
+require recipes-kernel/linux/linux-qoriq.inc
+
+SRC_URI = "git://git.freescale.com/ppc/sdk/linux.git;nobranch=1 \
+    file://modify-defconfig-t1040-nr-cpus.patch \
+    file://net-sctp-CVE-2014-0101.patch \
+"
+SRCREV = "f488de6741d5ba805b9fe813d2ddf32368d3a888"