@@ -2,7 +2,7 @@

 Summary:       Kernel

 Name:          linux-esx

 Version:       4.4.20

-Release:       6%{?dist}

+Release:       7%{?dist}

 License:       GPLv2

 URL:           http://www.kernel.org/

 Group:         System Environment/Kernel

@@ -39,6 +39,8 @@ Patch21:       vmci-1.1.5.0-doorbell-create-and-destroy-fixes.patch

 Patch22:       ipip-properly-mark-ipip-GRO-packets-as-encapsulated.patch

 #fixes CVE-2016-8666

 Patch23:       tunnels-dont-apply-GRO-to-multiple-layers-of-encapsulation.patch

+#fixes CVE-2016-7039

+Patch24:        net-add-recursion-limit-to-GRO.patch

 BuildRequires: bc

 BuildRequires: kbd

 BuildRequires: kmod

@@ -97,6 +99,7 @@ The Linux package contains the Linux kernel doc files

 %patch21 -p1

 %patch22 -p1

 %patch23 -p1

+%patch24 -p1

 %build

 # patch vmw_balloon driver

@@ -168,6 +171,8 @@ ln -sf %{name}-%{version}-%{release}.cfg /boot/photon.cfg

 /usr/src/%{name}-headers-%{version}-%{release}

 %changelog

+*   Wed Oct 19 2016 Alexey Makhalov <amakhalov@vmware.com> 4.4.20-7

+-   net-add-recursion-limit-to-GRO.patch

 *   Tue Oct 18 2016 Alexey Makhalov <amakhalov@vmware.com> 4.4.20-6

 -   ipip-properly-mark-ipip-GRO-packets-as-encapsulated.patch

 -   tunnels-dont-apply-GRO-to-multiple-layers-of-encapsulation.patch

@@ -2,7 +2,7 @@

 Summary:        Kernel

 Name:           linux

 Version:    	4.4.20

-Release:    	5%{?dist}

+Release:    	6%{?dist}

 License:    	GPLv2

 URL:        	http://www.kernel.org/

 Group:        	System Environment/Kernel

@@ -35,6 +35,10 @@ Patch16:        keys-fix-asn.1-indefinite-length-object-parsing.patch

 Patch17:        ipip-properly-mark-ipip-GRO-packets-as-encapsulated.patch

 #fixes CVE-2016-8666

 Patch18:        tunnels-dont-apply-GRO-to-multiple-layers-of-encapsulation.patch

+#fixes CVE-2016-7039

+Patch19:        net-add-recursion-limit-to-GRO.patch

+#fixes CVE-2016-7425

+Patch20:        scsi-arcmsr-buffer-overflow-in-arcmsr_iop_message_xfer.patch

 BuildRequires:  bc

 BuildRequires:  kbd

 BuildRequires:  kmod

@@ -109,6 +113,8 @@ Kernel driver for oprofile, a statistical profiler for Linux systems

 %patch16 -p1

 %patch17 -p1

 %patch18 -p1

+%patch19 -p1

+%patch20 -p1

 %build

 make mrproper

@@ -206,6 +212,9 @@ ln -s /usr/lib/debug/lib/modules/%{version}/vmlinux-%{version}-%{release}.debug

 /lib/modules/%{version}/kernel/arch/x86/oprofile/

 %changelog

+*   Wed Oct 19 2016 Alexey Makhalov <amakhalov@vmware.com> 4.4.20-6

+-   net-add-recursion-limit-to-GRO.patch

+-   scsi-arcmsr-buffer-overflow-in-arcmsr_iop_message_xfer.patch

 *   Tue Oct 18 2016 Alexey Makhalov <amakhalov@vmware.com> 4.4.20-5

 -   ipip-properly-mark-ipip-GRO-packets-as-encapsulated.patch

 -   tunnels-dont-apply-GRO-to-multiple-layers-of-encapsulation.patch

new file mode 100644

@@ -0,0 +1,227 @@

+From: Sabrina Dubroca <sd@queasysnail.net>

+Date: Thu, 15 Sep 2016 10:49:30 +0200

+Subject: net: add recursion limit to GRO

+Patch-mainline: Not yet, embargoed (likely v4.9-rc1)

+References: CVE-2016-7039 bsc#1001486

+

+Currently, GRO can do unlimited recursion through the gro_receive

+handlers.  This was fixed for tunneling protocols by limiting tunnel GRO

+to one level with encap_mark, but both VLAN and TEB still have this

+problem.  Thus, the kernel is vulnerable to a stack overflow, if we

+receive a packet composed entirely of VLAN headers.

+

+This patch adds a recursion counter to the GRO layer to prevent stack

+overflow.  When a gro_receive function hits the recursion limit, GRO is

+aborted for this skb and it is processed normally.

+

+Fixes: 9b174d88c257 ("net: Add Transparent Ethernet Bridging GRO support.")

+Fixes: 66e5133f19e9 ("vlan: Add GRO support for non hardware accelerated vlan")

+Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>

+Reviewed-by: Jiri Benc <jbenc@redhat.com>

+Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>

+Acked-by: Michal Kubecek <mkubecek@suse.cz>

+---

+ drivers/net/geneve.c      |  2 +-

+ drivers/net/vxlan.c       |  2 +-

+ include/linux/netdevice.h | 24 +++++++++++++++++++++++-

+ net/8021q/vlan.c          |  2 +-

+ net/core/dev.c            |  1 +

+ net/ethernet/eth.c        |  2 +-

+ net/ipv4/af_inet.c        |  2 +-

+ net/ipv4/fou.c            |  4 ++--

+ net/ipv4/gre_offload.c    |  2 +-

+ net/ipv4/udp_offload.c    |  8 +++++++-

+ net/ipv6/ip6_offload.c    |  2 +-

+ 11 files changed, 40 insertions(+), 11 deletions(-)

+

+diff --git a/drivers/net/geneve.c b/drivers/net/geneve.c

+index 3c20e87bb761..16af1ce99233 100644

+--- a/drivers/net/geneve.c

+@@ -453,7 +453,7 @@ static struct sk_buff **geneve_gro_receive(struct sock *sk,

+ 

+ 	skb_gro_pull(skb, gh_len);

+ 	skb_gro_postpull_rcsum(skb, gh, gh_len);

+-	pp = ptype->callbacks.gro_receive(head, skb);

++	pp = call_gro_receive(ptype->callbacks.gro_receive, head, skb);

+ 

+ out_unlock:

+ 	rcu_read_unlock();

+diff --git a/drivers/net/vxlan.c b/drivers/net/vxlan.c

+index 6e65832051d6..5ae664c02528 100644

+--- a/drivers/net/vxlan.c

+@@ -584,7 +584,7 @@ static struct sk_buff **vxlan_gro_receive(struct sock *sk,

+ 		}

+ 	}

+ 

+-	pp = eth_gro_receive(head, skb);

++	pp = call_gro_receive(eth_gro_receive, head, skb);

+ 

+ out:

+ 	skb_gro_remcsum_cleanup(skb, &grc);

+diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h

+index e8d79d4ebcfe..a41b22ce9172 100644

+--- a/include/linux/netdevice.h

+@@ -2154,7 +2154,10 @@ struct napi_gro_cb {

+ 	/* Used in foo-over-udp, set in udp[46]_gro_receive */

+ 	u8	is_ipv6:1;

+ 

+-	/* 7 bit hole */

++	/* Number of gro_receive callbacks this packet already went through */

++	u8 recursion_counter:4;

++

++	/* 3 bit hole */

+ 

+ 	/* used to support CHECKSUM_COMPLETE for tunneling protocols */

+ 	__wsum	csum;

+@@ -2165,6 +2168,25 @@ struct napi_gro_cb {

+ 

+ #define NAPI_GRO_CB(skb) ((struct napi_gro_cb *)(skb)->cb)

+ 

++#define GRO_RECURSION_LIMIT 15

++static inline int gro_recursion_inc_test(struct sk_buff *skb)

++{

++	return ++NAPI_GRO_CB(skb)->recursion_counter == GRO_RECURSION_LIMIT;

++}

++

++typedef struct sk_buff **(*gro_receive_t)(struct sk_buff **, struct sk_buff *);

++static inline struct sk_buff **call_gro_receive(gro_receive_t cb,

++						struct sk_buff **head,

++						struct sk_buff *skb)

++{

++	if (gro_recursion_inc_test(skb)) {

++		NAPI_GRO_CB(skb)->flush |= 1;

++		return NULL;

++	}

++

++	return cb(head, skb);

++}

++

+ struct packet_type {

+ 	__be16			type;	/* This is really htons(ether_type). */

+ 	struct net_device	*dev;	/* NULL is wildcarded here	     */

+diff --git a/net/8021q/vlan.c b/net/8021q/vlan.c

+index 8de138d3306b..f2531ad66b68 100644

+--- a/net/8021q/vlan.c

+@@ -664,7 +664,7 @@ static struct sk_buff **vlan_gro_receive(struct sk_buff **head,

+ 

+ 	skb_gro_pull(skb, sizeof(*vhdr));

+ 	skb_gro_postpull_rcsum(skb, vhdr, sizeof(*vhdr));

+-	pp = ptype->callbacks.gro_receive(head, skb);

++	pp = call_gro_receive(ptype->callbacks.gro_receive, head, skb);

+ 

+ out_unlock:

+ 	rcu_read_unlock();

+diff --git a/net/core/dev.c b/net/core/dev.c

+index ea6312057a71..7f34d2e45218 100644

+--- a/net/core/dev.c

+@@ -4496,6 +4496,7 @@ static enum gro_result dev_gro_receive(struct napi_struct *napi, struct sk_buff

+ 		NAPI_GRO_CB(skb)->flush = 0;

+ 		NAPI_GRO_CB(skb)->free = 0;

+ 		NAPI_GRO_CB(skb)->encap_mark = 0;

++		NAPI_GRO_CB(skb)->recursion_counter = 0;

+ 		NAPI_GRO_CB(skb)->gro_remcsum_start = 0;

+ 

+ 		/* Setup for GRO checksum validation */

+diff --git a/net/ethernet/eth.c b/net/ethernet/eth.c

+index 66dff5e3d772..02acfff36028 100644

+--- a/net/ethernet/eth.c

+@@ -439,7 +439,7 @@ struct sk_buff **eth_gro_receive(struct sk_buff **head,

+ 

+ 	skb_gro_pull(skb, sizeof(*eh));

+ 	skb_gro_postpull_rcsum(skb, eh, sizeof(*eh));

+-	pp = ptype->callbacks.gro_receive(head, skb);

++	pp = call_gro_receive(ptype->callbacks.gro_receive, head, skb);

+ 

+ out_unlock:

+ 	rcu_read_unlock();

+diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c

+index 55513e654d79..eebbc0f2baa8 100644

+--- a/net/ipv4/af_inet.c

+@@ -1388,7 +1388,7 @@ struct sk_buff **inet_gro_receive(struct sk_buff **head, struct sk_buff *skb)

+ 	skb_gro_pull(skb, sizeof(*iph));

+ 	skb_set_transport_header(skb, skb_gro_offset(skb));

+ 

+-	pp = ops->callbacks.gro_receive(head, skb);

++	pp = call_gro_receive(ops->callbacks.gro_receive, head, skb);

+ 

+ out_unlock:

+ 	rcu_read_unlock();

+diff --git a/net/ipv4/fou.c b/net/ipv4/fou.c

+index 321d57f825ce..5351b61ab8d3 100644

+--- a/net/ipv4/fou.c

+@@ -249,7 +249,7 @@ static struct sk_buff **fou_gro_receive(struct sock *sk,

+ 	if (!ops || !ops->callbacks.gro_receive)

+ 		goto out_unlock;

+ 

+-	pp = ops->callbacks.gro_receive(head, skb);

++	pp = call_gro_receive(ops->callbacks.gro_receive, head, skb);

+ 

+ out_unlock:

+ 	rcu_read_unlock();

+@@ -441,7 +441,7 @@ next_proto:

+ 	if (WARN_ON_ONCE(!ops || !ops->callbacks.gro_receive))

+ 		goto out_unlock;

+ 

+-	pp = ops->callbacks.gro_receive(head, skb);

++	pp = call_gro_receive(ops->callbacks.gro_receive, head, skb);

+ 

+ out_unlock:

+ 	rcu_read_unlock();

+diff --git a/net/ipv4/gre_offload.c b/net/ipv4/gre_offload.c

+index ecd1e09dbbf1..6871f59cd0c0 100644

+--- a/net/ipv4/gre_offload.c

+@@ -227,7 +227,7 @@ static struct sk_buff **gre_gro_receive(struct sk_buff **head,

+ 	/* Adjusted NAPI_GRO_CB(skb)->csum after skb_gro_pull()*/

+ 	skb_gro_postpull_rcsum(skb, greh, grehlen);

+ 

+-	pp = ptype->callbacks.gro_receive(head, skb);

++	pp = call_gro_receive(ptype->callbacks.gro_receive, head, skb);

+ 

+ out_unlock:

+ 	rcu_read_unlock();

+diff --git a/net/ipv4/udp_offload.c b/net/ipv4/udp_offload.c

+index 81f253b6ff36..92677d9dded6 100644

+--- a/net/ipv4/udp_offload.c

+@@ -293,8 +293,14 @@ unflush:

+ 	skb_gro_pull(skb, sizeof(struct udphdr)); /* pull encapsulating udp header */

+ 	skb_gro_postpull_rcsum(skb, uh, sizeof(struct udphdr));

+ 	NAPI_GRO_CB(skb)->proto = uo_priv->offload->ipproto;

+-	pp = uo_priv->offload->callbacks.gro_receive(head, skb,

+-						     uo_priv->offload);

++

++	if (gro_recursion_inc_test(skb)) {

++		flush = 1;

++		pp = NULL;

++	} else {

++		pp = uo_priv->offload->callbacks.gro_receive(head, skb,

++							     uo_priv->offload);

++	}

+ 

+ out_unlock:

+ 	rcu_read_unlock();

+diff --git a/net/ipv6/ip6_offload.c b/net/ipv6/ip6_offload.c

+index 22e90e56b5a9..a09418bda1f8 100644

+--- a/net/ipv6/ip6_offload.c

+@@ -243,7 +243,7 @@ static struct sk_buff **ipv6_gro_receive(struct sk_buff **head,

+ 

+ 	skb_gro_postpull_rcsum(skb, iph, nlen);

+ 

+-	pp = ops->callbacks.gro_receive(head, skb);

++	pp = call_gro_receive(ops->callbacks.gro_receive, head, skb);

+ 

+ out_unlock:

+ 	rcu_read_unlock();

+-- 

+2.10.0

+

new file mode 100644

@@ -0,0 +1,46 @@

+From 7bc2b55a5c030685b399bb65b6baa9ccc3d1f167 Mon Sep 17 00:00:00 2001

+From: Dan Carpenter <dan.carpenter@oracle.com>

+Date: Thu, 15 Sep 2016 16:44:56 +0300

+Subject: scsi: arcmsr: Buffer overflow in arcmsr_iop_message_xfer()

+

+We need to put an upper bound on "user_len" so the memcpy() doesn't

+overflow.

+

+Cc: <stable@vger.kernel.org>

+Reported-by: Marco Grassi <marco.gra@gmail.com>

+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>

+Reviewed-by: Tomas Henzl <thenzl@redhat.com>

+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>

+---

+ drivers/scsi/arcmsr/arcmsr_hba.c | 8 +++++++-

+ 1 file changed, 7 insertions(+), 1 deletion(-)

+

+diff --git a/drivers/scsi/arcmsr/arcmsr_hba.c b/drivers/scsi/arcmsr/arcmsr_hba.c

+index 7640498..110eca9 100644

+--- a/drivers/scsi/arcmsr/arcmsr_hba.c

+@@ -2388,7 +2388,8 @@ static int arcmsr_iop_message_xfer(struct AdapterControlBlock *acb,

+ 	}

+ 	case ARCMSR_MESSAGE_WRITE_WQBUFFER: {

+ 		unsigned char *ver_addr;

+-		int32_t user_len, cnt2end;

++		uint32_t user_len;

++		int32_t cnt2end;

+ 		uint8_t *pQbuffer, *ptmpuserbuffer;

+ 		ver_addr = kmalloc(ARCMSR_API_DATA_BUFLEN, GFP_ATOMIC);

+ 		if (!ver_addr) {

+@@ -2397,6 +2398,11 @@ static int arcmsr_iop_message_xfer(struct AdapterControlBlock *acb,

+ 		}

+ 		ptmpuserbuffer = ver_addr;

+ 		user_len = pcmdmessagefld->cmdmessage.Length;

++		if (user_len > ARCMSR_API_DATA_BUFLEN) {

++			retvalue = ARCMSR_MESSAGE_FAIL;

++			kfree(ver_addr);

++			goto message_out;

++		}

+ 		memcpy(ptmpuserbuffer,

+ 			pcmdmessagefld->messagedatabuffer, user_len);

+ 		spin_lock_irqsave(&acb->wqbuffer_lock, flags);

+-- 

+cgit v0.12

+