Patchwork [Lucid,Maverick,M/ti-omap4,N/ti-omap4] CVE-2011-4326

Submitter Stefan Bader
Date Nov. 24, 2011, 5:26 p.m.
Message ID <1322155618-11591-1-git-send-email-stefan.bader@canonical.com>
Permalink /patch/127582/
State New

Comments

Stefan Bader - Nov. 24, 2011, 5:26 p.m.
A bug was found in the way the headroom check was performed in the
udp6_ufo_fragment() function. A remote attacker could use this flaw to
crash the system.

Natty to Precise got the fix pending at least. Anything before 2.6.32
is not affected. For the rest it is a clean cherry-pick all the way
to Lucid.

Somehow I am not sure anymore which topic branches are rebased and which
are not. Hopefully the magic status will tell as soon as the master
branches are updated and pushed...

-Stefan

From a9cf73ea7ff78f52662c8658d93c226effbbedde Mon Sep 17 00:00:00 2001
From: Shan Wei <shanwei@cn.fujitsu.com>
Date: Tue, 19 Apr 2011 22:52:49 +0000
Subject: [PATCH] ipv6: udp: fix the wrong headroom check

At this point, skb->data points to skb_transport_header.
So the headroom check is wrong.

For some cases, e.g. bridge (UFO on) + eth device (UFO off),
there is not enough headroom for the IPv6 fragment header,
but the headroom check is always false.

This causes data to be moved to before skb->head
when adding the IPv6 fragment header to the skb.

Signed-off-by: Shan Wei <shanwei@cn.fujitsu.com>
Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>

BugLink: http://bugs.launchpad.net/bugs/894373
CVE-2011-4326
(cherry-picked from commit a9cf73ea7ff78f52662c8658d93c226effbbedde upstream)
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
---
 net/ipv6/udp.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)
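The layout the commit message describes, as an added model in C (not code from the patch or the kernel): a toy sk_buff with skb->data already at the transport header, the pre-fix skb_headroom() test beside the fixed MAC-header test from the hunk, and the number of bytes that would land before skb->head if the headers were shifted back without expanding first. The struct, backing buffer, reserve sizes and header lengths are constructed here for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define FRAG_HDR_SZ 8   /* sizeof(struct frag_hdr), the IPv6 fragment header */
/* Toy stand-in for the sk_buff pointers the check touches (hypothetical model, not the kernel's). */
struct toy_skb {
    unsigned char *head;        /* skb->head: start of the buffer */
    unsigned char *mac_header;  /* skb_mac_header(skb) */
    unsigned char *data;        /* skb->data: already at the transport header here */
};
static unsigned char toy_buf[256];   /* constructed backing buffer */

/* L2 header `reserve` bytes in, then 14-byte Ethernet + 40-byte IPv6, skb->data on the UDP header. */
static struct toy_skb make_skb(size_t reserve)
{
    struct toy_skb s;
    s.head = toy_buf;
    s.mac_header = toy_buf + reserve;
    s.data = s.mac_header + 14 + 40;
    return s;
}

/* Pre-fix test: skb_headroom() == data - head, which here also counts the MAC+IPv6 headers. */
static bool old_check_needs_expand(struct toy_skb s)
{
    return (size_t)(s.data - s.head) < FRAG_HDR_SZ;
}

/* Fixed test from the patch: room in front of the MAC header, which is what gets shifted back. */
static bool new_check_needs_expand(struct toy_skb s)
{
    return s.mac_header < s.head + FRAG_HDR_SZ;
}

/* Bytes that would land before skb->head if headers were moved back without expanding (0: fits). */
static size_t bytes_before_head(struct toy_skb s)
{
    size_t room = (size_t)(s.mac_header - s.head);
    return room >= FRAG_HDR_SZ ? 0 : FRAG_HDR_SZ - room;
}

int main(void)
{
    struct toy_skb s = make_skb(2);   /* constructed 2-byte reserve: the short-headroom case */
    printf("old check expands: %d, new check expands: %d, overrun: %zu bytes\n",
           old_check_needs_expand(s), new_check_needs_expand(s), bytes_before_head(s));
    return 0;
}
```

With a 2-byte reserve the old test sees 56 bytes of "headroom" and skips pskb_expand_head(), while the fixed test asks for expansion; with 16 bytes of reserve both agree that no expansion is needed.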
Paolo Pisati - Nov. 24, 2011, 5:36 p.m.

On 11/24/2011 06:26 PM, Stefan Bader wrote:
> 
> Somehow I am not sure anymore which topic branches are rebased and
> which are not. Hopefully the magic status will tell as soon as the
> master branches are updated and pushed...

L/dove (that we don't support anymore), M/dove and O/omap4 are rebasable.

All the others are not.

P/omap4, hopefully, will be.
-- 
bye,
p.
Herton Ronaldo Krzesinski - Nov. 24, 2011, 5:46 p.m.
On Thu, Nov 24, 2011 at 06:26:58PM +0100, Stefan Bader wrote:
> A bug was found in the way the headroom check was performed in the
> udp6_ufo_fragment() function. A remote attacker could use this flaw to
> crash the system.
> 
> Natty to Precise got the fix pending at least. Anything before 2.6.32
> is not affected. For the rest it is a clean cherry-pick all the way
> to Lucid.
> 
> Somehow I am not sure anymore which topic branches are rebased and which
> are not. Hopefully the magic status will tell as soon as the master
> branches are updated and pushed...
> 
> -Stefan
> 
> From a9cf73ea7ff78f52662c8658d93c226effbbedde Mon Sep 17 00:00:00 2001
> From: Shan Wei <shanwei@cn.fujitsu.com>
> Date: Tue, 19 Apr 2011 22:52:49 +0000
> Subject: [PATCH] ipv6: udp: fix the wrong headroom check
> 
> At this point, skb->data points to skb_transport_header.
> So the headroom check is wrong.
> 
> For some cases, e.g. bridge (UFO on) + eth device (UFO off),
> there is not enough headroom for the IPv6 fragment header,
> but the headroom check is always false.
> 
> This causes data to be moved to before skb->head
> when adding the IPv6 fragment header to the skb.
> 
> Signed-off-by: Shan Wei <shanwei@cn.fujitsu.com>
> Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
> Signed-off-by: David S. Miller <davem@davemloft.net>
> 
> BugLink: http://bugs.launchpad.net/bugs/894373
> CVE-2011-4326
> (cherry-picked from commit a9cf73ea7ff78f52662c8658d93c226effbbedde upstream)
> Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
> ---
>  net/ipv6/udp.c |    2 +-
>  1 files changed, 1 insertions(+), 1 deletions(-)
> 
> diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c
> index 15c3774..9e305d74 100644
> --- a/net/ipv6/udp.c
> +++ b/net/ipv6/udp.c
> @@ -1335,7 +1335,7 @@ static struct sk_buff *udp6_ufo_fragment(struct sk_buff *skb, u32 features)
>  	skb->ip_summed = CHECKSUM_NONE;
>  
>  	/* Check if there is enough headroom to insert fragment header. */
> -	if ((skb_headroom(skb) < frag_hdr_sz) &&
> +	if ((skb_mac_header(skb) < skb->head + frag_hdr_sz) &&
>  	    pskb_expand_head(skb, frag_hdr_sz, 0, GFP_ATOMIC))
>  		goto out;
>  
> -- 
> 1.7.5.4
Andy Whitcroft - Nov. 25, 2011, 8:44 a.m.
On Thu, Nov 24, 2011 at 06:26:58PM +0100, Stefan Bader wrote:
> A bug was found in the way the headroom check was performed in the
> udp6_ufo_fragment() function. A remote attacker could use this flaw to
> crash the system.
> 
> Natty to Precise got the fix pending at least. Anything before 2.6.32
> is not affected. For the rest it is a clean cherry-pick all the way
> to Lucid.
> 
> Somehow I am not sure anymore which topic branches are rebased and which
> are not. Hopefully the magic status will tell as soon as the master
> branches are updated and pushed...

lucid/ec2 is a rebase (though has manual intervention)

lucid/fsl-imx51 is not a rebase.

lucid/mvl-dove & maverick/mvl-dove are rebased (lucid is off support but
we rebase that to get maverick/mvl-dove).

ti-omap4 before oneiric are not rebased, oneiric and later are.

All of the lts-backport branches are effectively rebased too.

You can find the rebase applications I consider from a CVE standpoint in
the kteam-tools/cve-tools/cve-rebase-transfer at the bottom.

> From a9cf73ea7ff78f52662c8658d93c226effbbedde Mon Sep 17 00:00:00 2001
> From: Shan Wei <shanwei@cn.fujitsu.com>
> Date: Tue, 19 Apr 2011 22:52:49 +0000
> Subject: [PATCH] ipv6: udp: fix the wrong headroom check
> 
> At this point, skb->data points to skb_transport_header.
> So the headroom check is wrong.
> 
> For some cases, e.g. bridge (UFO on) + eth device (UFO off),
> there is not enough headroom for the IPv6 fragment header,
> but the headroom check is always false.
> 
> This causes data to be moved to before skb->head
> when adding the IPv6 fragment header to the skb.
> 
> Signed-off-by: Shan Wei <shanwei@cn.fujitsu.com>
> Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
> Signed-off-by: David S. Miller <davem@davemloft.net>
> 
> BugLink: http://bugs.launchpad.net/bugs/894373
> CVE-2011-4326
> (cherry-picked from commit a9cf73ea7ff78f52662c8658d93c226effbbedde upstream)
> Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
> ---
>  net/ipv6/udp.c |    2 +-
>  1 files changed, 1 insertions(+), 1 deletions(-)
> 
> diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c
> index 15c3774..9e305d74 100644
> --- a/net/ipv6/udp.c
> +++ b/net/ipv6/udp.c
> @@ -1335,7 +1335,7 @@ static struct sk_buff *udp6_ufo_fragment(struct sk_buff *skb, u32 features)
>  	skb->ip_summed = CHECKSUM_NONE;
>  
>  	/* Check if there is enough headroom to insert fragment header. */
> -	if ((skb_headroom(skb) < frag_hdr_sz) &&
> +	if ((skb_mac_header(skb) < skb->head + frag_hdr_sz) &&
>  	    pskb_expand_head(skb, frag_hdr_sz, 0, GFP_ATOMIC))
>  		goto out;
>  

Matches the upstream commit and seems to do what is claimed.

Acked-by: Andy Whitcroft <apw@canonical.com>

-apw
Andy Whitcroft - Nov. 25, 2011, 9:58 a.m.
Applied to lucid, maverick, maverick/ti-omap4, and natty/ti-omap4.

-apw

Patch

diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c
index 15c3774..9e305d74 100644
--- a/net/ipv6/udp.c
+++ b/net/ipv6/udp.c
@@ -1335,7 +1335,7 @@  static struct sk_buff *udp6_ufo_fragment(struct sk_buff *skb, u32 features)
 	skb->ip_summed = CHECKSUM_NONE;
 
 	/* Check if there is enough headroom to insert fragment header. */
-	if ((skb_headroom(skb) < frag_hdr_sz) &&
+	if ((skb_mac_header(skb) < skb->head + frag_hdr_sz) &&
 	    pskb_expand_head(skb, frag_hdr_sz, 0, GFP_ATOMIC))
 		goto out;
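Review bot: the comment above the changed line still describes the test as a plain "headroom" check, which is exactly the reading the commit message says is misleading here: skb->data already sits at the transport header, so skb_headroom() counts the MAC and IPv6 headers and the real constraint is the space between skb->head and skb_mac_header(skb). Suggest rewording it to `/* Check if there is enough room in front of the MAC header to insert the fragment header. */` so a later reader does not reintroduce `skb_headroom(skb) < frag_hdr_sz`; the new condition also relies on the MAC header offset being set for every skb reaching this path, which is worth stating in that comment.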