Home Home > GIT Browse
summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorNicolai Stange <nstange@suse.de>2018-09-07 12:40:38 +0200
committerMiroslav Benes <mbenes@suse.cz>2018-09-10 15:36:09 +0200
commit7c947cdf5cb56795e50e01dc465912cc552a3dd9 (patch)
treec0f18b14e49c6099994087d2814522c07cfa74c3
parent4aed7d2d62b2696cbca6caf269af8bd45a3ad1bd (diff)
Fix for CVE-2018-1000026 ("Improper validation in bnx2x network card driver can allow for DoS attacks via crafted packet")
Live patch for CVE-2018-1000026. Upstream commit 8914a595110a ("bnx2x: disable GSO where gso_size is too big for hardware"). KLP: CVE-2018-1000026 References: bsc#1096723 CVE-2018-1000026 Signed-off-by: Nicolai Stange <nstange@suse.de> [ mb: make kgr_skb_gso_validate_mac_len() static ] Signed-off-by: Miroslav Benes <mbenes@suse.cz>
-rw-r--r--bsc1096723/kgr_patch_bsc1096723.c99
-rw-r--r--bsc1096723/kgr_patch_bsc1096723.h22
2 files changed, 121 insertions, 0 deletions
diff --git a/bsc1096723/kgr_patch_bsc1096723.c b/bsc1096723/kgr_patch_bsc1096723.c
new file mode 100644
index 0000000..5b3d4e9
--- /dev/null
+++ b/bsc1096723/kgr_patch_bsc1096723.c
@@ -0,0 +1,99 @@
+/*
+ * kgraft_patch_bsc1096723
+ *
+ * Fix for CVE-2018-1000026, bsc#1096723
+ *
+ * Upstream commits:
+ * 2b16f048729b ("net: create skb_gso_validate_mac_len()")
+ * 8914a595110a ("bnx2x: disable GSO where gso_size is too big for hardware")
+ *
+ * SLE12(-SP1) commits:
+ * none yet
+ *
+ * SLE12-SP2 commits:
+ * 14f582fc9ad9687bd87dc8bae0363b6b579f0d6c
+ * f6d5e3598463dc3f2e6ba19558f0ecbc4d7cf9ef
+ *
+ * SLE12-SP3 commits:
+ * 5eb4578abf5a90771c23ab2893c9b1857871f7d3
+ * 7bd42f8c29fa0a9f713e1062ebf9bcb20a825f0a
+ *
+ * SLE15 commits:
+ * f2e13b50306dd366583f44c03273b0f714f184d5
+ * d647fd13fdfd2f43651342d5e95522691eddca31
+ *
+ * Copyright (c) 2018 SUSE
+ * Author: Nicolai Stange <nstange@suse.de>
+ *
+ * Based on the original Linux kernel code. Other copyrights apply.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <linux/kernel.h>
+#include <linux/module.h>
+#include <linux/skbuff.h>
+#include <linux/netdevice.h>
+#include <linux/if_vlan.h>
+#include <net/vxlan.h>
+#include "kgr_patch_bsc1096723.h"
+
+#if !IS_MODULE(CONFIG_BNX2X)
+#error "Live patch supports only CONFIG_BNX2X=m."
+#endif
+
+
+/* new */
+static inline unsigned int kgr_skb_gso_mac_seglen(const struct sk_buff *skb)
+{
+ unsigned int hdr_len = skb_transport_header(skb) - skb_mac_header(skb);
+ return hdr_len + skb_gso_transport_seglen(skb);
+}
+
+/* new */
+static bool kgr_skb_gso_validate_mac_len(const struct sk_buff *skb, unsigned int len)
+{
+ return kgr_skb_gso_mac_seglen(skb) <= len;
+}
+
+/* patched */
+netdev_features_t kgr_bnx2x_features_check(struct sk_buff *skb,
+ struct net_device *dev,
+ netdev_features_t features)
+{
+ /*
+ * Fix CVE-2018-1000026
+ * +18 lines
+ */
+ /*
+ * A skb with gso_size + header length > 9700 will cause a
+ * firmware panic. Drop GSO support.
+ *
+ * Eventually the upper layer should not pass these packets down.
+ *
+ * For speed, if the gso_size is <= 9000, assume there will
+ * not be 700 bytes of headers and pass it through. Only do a
+ * full (slow) validation if the gso_size is > 9000.
+ *
+ * (Due to the way SKB_BY_FRAGS works this will also do a full
+ * validation in that case.)
+ */
+ if (unlikely(skb_is_gso(skb) &&
+ (skb_shinfo(skb)->gso_size > 9000) &&
+ !kgr_skb_gso_validate_mac_len(skb, 9700)))
+ features &= ~NETIF_F_GSO_MASK;
+
+ features = vlan_features_check(skb, features);
+ return vxlan_features_check(skb, features);
+}
diff --git a/bsc1096723/kgr_patch_bsc1096723.h b/bsc1096723/kgr_patch_bsc1096723.h
new file mode 100644
index 0000000..1be977a
--- /dev/null
+++ b/bsc1096723/kgr_patch_bsc1096723.h
@@ -0,0 +1,22 @@
+#ifndef _KGR_PATCH_BSC1096723_H
+#define _KGR_PATCH_BSC1096723_H
+
+#include <linux/netdev_features.h>
+
+static inline int kgr_patch_bsc1096723_init(void) { return 0; }
+
+static inline void kgr_patch_bsc1096723_cleanup(void) {}
+
+
+struct sk_buff;
+struct net_device;
+
+netdev_features_t kgr_bnx2x_features_check(struct sk_buff *skb,
+ struct net_device *dev,
+ netdev_features_t features);
+
+#define KGR_PATCH_BSC1096723_FUNCS \
+ KGR_PATCH_OBJ(bnx2x_features_check, kgr_bnx2x_features_check, \
+ "bnx2x"), \
+
+#endif /* _KGR_PATCH_BSC1096723_H */