From 7f53998bd3726c808abf8b0c4950e25db29d9ea2 Mon Sep 17 00:00:00 2001
From: P Dheeraj Srujan Kumar
Date: Sat, 8 Jul 2023 03:35:27 +0530
Subject: Update to internal 1-1.11-1
Signed-off-by: P Dheeraj Srujan Kumar
---
.../linux/linux-aspeed/CVE-2020-36516.patch | 62 ++++++++++++++++++++++
1 file changed, 62 insertions(+)
create mode 100644 meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2020-36516.patch
(limited to 'meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2020-36516.patch')
diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2020-36516.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2020-36516.patch
new file mode 100644
index 000000000..dd44c9ce7
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2020-36516.patch
@@ -0,0 +1,62 @@
+From 23f57406b82de51809d5812afd96f210f8b627f3 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet
+Date: Wed, 26 Jan 2022 17:10:22 -0800
+Subject: [PATCH] ipv4: avoid using shared IP generator for connected sockets
+
+ip_select_ident_segs() has been very conservative about using
+the connected socket private generator only for packets with IP_DF
+set, claiming it was needed for some VJ compression implementations.
+
+As mentioned in this referenced document, this can be abused.
+(Ref: Off-Path TCP Exploits of the Mixed IPID Assignment)
+
+Before switching to pure random IPID generation and possibly hurt
+some workloads, lets use the private inet socket generator.
+
+Not only this will remove one vulnerability, this will also
+improve performance of TCP flows using pmtudisc==IP_PMTUDISC_DONT
+
+Fixes: 73f156a6e8c1 ("inetpeer: get rid of ip_id_count")
+Signed-off-by: Eric Dumazet
+Reviewed-by: David Ahern
+Reported-by: Ray Che
+Cc: Willy Tarreau
+Signed-off-by: Jakub Kicinski
+---
+ include/net/ip.h | 21 ++++++++++-----------
+ 1 file changed, 10 insertions(+), 11 deletions(-)
+
+diff --git a/include/net/ip.h b/include/net/ip.h
+index 81e23a102a0d5e..b51bae43b0ddb0 100644
+--- a/include/net/ip.h
++++ b/include/net/ip.h
+@@ -525,19 +525,18 @@ static inline void ip_select_ident_segs(struct net *net, struct sk_buff *skb,
+ {
+ struct iphdr *iph = ip_hdr(skb);
+
++ /* We had many attacks based on IPID, use the private
++ * generator as much as we can.
++ */
++ if (sk && inet_sk(sk)->inet_daddr) {
++ iph->id = htons(inet_sk(sk)->inet_id);
++ inet_sk(sk)->inet_id += segs;
++ return;
++ }
+ if ((iph->frag_off & htons(IP_DF)) && !skb->ignore_df) {
+- /* This is only to work around buggy Windows95/2000
+- * VJ compression implementations. If the ID field
+- * does not change, they drop every other packet in
+- * a TCP stream using header compression.
+- */
+- if (sk && inet_sk(sk)->inet_daddr) {
+- iph->id = htons(inet_sk(sk)->inet_id);
+- inet_sk(sk)->inet_id += segs;
+- } else {
+- iph->id = 0;
+- }
++ iph->id = 0;
+ } else {
++ /* Unfortunately we need the big hammer to get a suitable IPID */
+ __ip_select_ident(net, iph, segs);
+ }
+ }
--
cgit v1.2.3