anthraxx / linux-hardened

Minimal supplement to upstream Kernel Self Protection Project changes. Features already provided by SELinux + Yama and archs other than multiarch arm64 / x86_64 aren't in scope. Only tags have stable history. Shared IRC channel with KSPP: irc.libera.chat #linux-hardening

(Compile fix) Fix backported security fix for CVE-2020-14386 #51

Closed flawedworld closed 3 years ago

flawedworld commented 3 years ago

The patch sent to the mailing list for the latest kernel requires this commit to build. This is also relevant to 4.14.

Compilation will fail otherwise, giving:

net/packet/af_packet.c:2230:19: error: no member named 'tp_drops' in 'struct packet_sock'
        atomic_inc(&po->tp_drops);
                        ~~  ^

anthraxx commented 3 years ago

So, it's not as easy as just cherry-picking another patch; this is just a tiny part of the whole "packet-DDOS" merge that misses some important bits. I think it's a safer call to fix the patch independently for pre-refactoring trees.

I'm gonna test a different approach; it looks like we can simply replace the code with the old spin-locking mechanism. Something like:

/* pre-refactoring trees: tp_drops lives in stats1 and is guarded by the
 * receive-queue lock, so take that lock instead of using atomic_inc() */
if (netoff > USHRT_MAX) {
    spin_lock(&sk->sk_receive_queue.lock);
    po->stats.stats1.tp_drops++;
    spin_unlock(&sk->sk_receive_queue.lock);
    goto drop_n_restore;
}

I'm gonna spend some testing time and adjust the faulty backport for the pre-refactoring trees.
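A user-space model of the two drop-accounting styles contrasted in the comment above, added here as an example; it is not code from the linux-hardened tree or from anyone in this thread. The upstream fix checks that the computed header offset (`netoff`) still fits the 16-bit field it is stored in and drops the frame otherwise; the example runs that check against a constructed stand-in for the pre-refactoring `packet_sock` (plain counter in `stats1`, guarded by a lock modelled on `sk_receive_queue.lock`) and for the post-refactoring one (atomic `tp_drops`), and confirms both account drops identically. The struct names, the `atomic_flag` spinlock and the sample offsets are all constructed for the example.

```c
#include <limits.h>
#include <stdatomic.h>
#include <stdio.h>

/* Constructed stand-in for the pre-refactoring packet_sock: the drop counter
 * is a plain integer inside stats1, guarded by the receive-queue lock. */
struct old_packet_sock {
    atomic_flag rx_queue_lock;                 /* models sk->sk_receive_queue.lock */
    struct { unsigned int tp_drops; } stats1;  /* models po->stats.stats1 */
};

/* Constructed stand-in for the post-refactoring packet_sock: tp_drops became an
 * atomic counter, which is why the unadjusted patch calls atomic_inc() on it. */
struct new_packet_sock {
    atomic_uint tp_drops;
};

void old_sock_init(struct old_packet_sock *po) {
    atomic_flag_clear(&po->rx_queue_lock);
    po->stats1.tp_drops = 0;
}

void new_sock_init(struct new_packet_sock *po) {
    atomic_init(&po->tp_drops, 0);
}

/* Minimal spinlock over atomic_flag; models spin_lock()/spin_unlock(). */
static void spin_lock_(atomic_flag *l) {
    while (atomic_flag_test_and_set_explicit(l, memory_order_acquire))
        ;
}
static void spin_unlock_(atomic_flag *l) {
    atomic_flag_clear_explicit(l, memory_order_release);
}

/* The check as adjusted for old trees: if the header offset does not fit the
 * 16-bit field that stores it, count the drop under the receive-queue lock and
 * tell the caller to drop the frame. Returns 1 on drop, 0 otherwise. */
int old_tree_check(struct old_packet_sock *po, unsigned int netoff) {
    if (netoff > USHRT_MAX) {
        spin_lock_(&po->rx_queue_lock);
        po->stats1.tp_drops++;
        spin_unlock_(&po->rx_queue_lock);
        return 1;
    }
    return 0;
}

/* Same check against the new layout, where the counter itself is atomic. */
int new_tree_check(struct new_packet_sock *po, unsigned int netoff) {
    if (netoff > USHRT_MAX) {
        atomic_fetch_add(&po->tp_drops, 1);
        return 1;
    }
    return 0;
}

/* Feeds constructed offsets to both models, reports each model's final drop
 * count, and returns how many offsets the two models decided differently
 * (expected: 0, i.e. the old-tree variant behaves exactly like the new one). */
int compare_models(const unsigned int *offsets, int n,
                   unsigned int *old_drops, unsigned int *new_drops) {
    struct old_packet_sock old_po;
    struct new_packet_sock new_po;
    int mismatches = 0;
    old_sock_init(&old_po);
    new_sock_init(&new_po);
    for (int i = 0; i < n; i++)
        if (old_tree_check(&old_po, offsets[i]) != new_tree_check(&new_po, offsets[i]))
            mismatches++;
    *old_drops = old_po.stats1.tp_drops;
    *new_drops = atomic_load(&new_po.tp_drops);
    return mismatches;
}

int main(void) {
    /* Constructed sample offsets: two fit in 16 bits, two would overflow it. */
    const unsigned int offsets[] = { 64u, USHRT_MAX, USHRT_MAX + 1u, 70000u };
    unsigned int od, nd;
    int mism = compare_models(offsets, 4, &od, &nd);
    printf("old-tree drops=%u new-tree drops=%u mismatches=%d\n", od, nd, mism);
    return mism;
}
```

The lock in the old-tree variant is what keeps `stats1.tp_drops` consistent with the other counters that the receive path updates under the same lock; it is not there to make a single increment atomic, which is why swapping it for `atomic_inc()` on a field that does not exist in that layout is the wrong shortcut.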

flawedworld commented 3 years ago

Sounds good. I won't lie, my solution is lazy, but I do agree with you.

anthraxx commented 3 years ago

@flawedworld can you give patch 7b00ca2937e76d738badb5c5bd9d261dc408fa51 a try?

flawedworld commented 3 years ago

@anthraxx Yeah, I'll see if I can sneak a compile in before I wrap up for the day, otherwise I will try tomorrow.

flawedworld commented 3 years ago

@anthraxx Compiled fine for me. Looks good!

anthraxx commented 3 years ago

Patch adjusted in the 4.14 and 4.19 trees.