Message ID | 1322155618-11591-1-git-send-email-stefan.bader@canonical.com
---|---
State | New
On 11/24/2011 06:26 PM, Stefan Bader wrote:
>
> Somehow I am not sure anymore which topic branches are rebased and
> which are not. Hopefully the magic status will tell as soon as the
> master branches are updated and pushed...

L/dove (that we don't support anymore), M/dove and O/omap4 are rebasable.
All the others are not. P/omap4, hopefully, will be.

--
bye,
p.
On Thu, Nov 24, 2011 at 06:26:58PM +0100, Stefan Bader wrote:
> A bug was found in the way the headroom check was performed in the
> udp6_ufo_fragment() function. A remote attacker could use this flaw to
> crash the system.
>
> Natty to Precise got the fix pending at least. Anything before 2.6.32
> is not affected. For the rest it is a clean cherry-pick all the way
> to Lucid.
>
> Somehow I am not sure anymore which topic branches are rebased and which
> are not. Hopefully the magic status will tell as soon as the master
> branches are updated and pushed...
>
> -Stefan
>
> From a9cf73ea7ff78f52662c8658d93c226effbbedde Mon Sep 17 00:00:00 2001
> From: Shan Wei <shanwei@cn.fujitsu.com>
> Date: Tue, 19 Apr 2011 22:52:49 +0000
> Subject: [PATCH] ipv6: udp: fix the wrong headroom check
>
> At this point, skb->data points to skb_transport_header.
> So, the headroom check is wrong.
>
> For some cases: bridge (UFO is on) + eth device (UFO is off),
> there is not enough headroom for the IPv6 frag head.
> But the headroom check is always false.
>
> This will bring about data being moved to before skb->head,
> when adding the IPv6 frag header to the skb.
>
> Signed-off-by: Shan Wei <shanwei@cn.fujitsu.com>
> Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
> Signed-off-by: David S. Miller <davem@davemloft.net>
>
> BugLink: http://bugs.launchpad.net/bugs/894373
> CVE-2011-4326
> (cherry-picked from commit a9cf73ea7ff78f52662c8658d93c226effbbedde upstream)
> Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
> ---
> net/ipv6/udp.c | 2 +-
> 1 files changed, 1 insertions(+), 1 deletions(-)
>
> diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c
> index 15c3774..9e305d74 100644
> --- a/net/ipv6/udp.c
> +++ b/net/ipv6/udp.c
> @@ -1335,7 +1335,7 @@ static struct sk_buff *udp6_ufo_fragment(struct sk_buff *skb, u32 features) > skb->ip_summed = CHECKSUM_NONE; > > /* Check if there is enough headroom to insert fragment header. */ > - if ((skb_headroom(skb) < frag_hdr_sz) && > + if ((skb_mac_header(skb) < skb->head + frag_hdr_sz) && > pskb_expand_head(skb, frag_hdr_sz, 0, GFP_ATOMIC)) > goto out; > > -- > 1.7.5.4 > > > -- > kernel-team mailing list > kernel-team@lists.ubuntu.com > https://lists.ubuntu.com/mailman/listinfo/kernel-team >
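To make the failure mode in the commit message concrete, the following is an added userspace model, not kernel code and not part of this thread. It assumes a `struct toy_skb` standing in for the `sk_buff` fields the check touches, `toy_build()` and `toy_expand_head()` standing in for skb allocation and `pskb_expand_head()`, a 14-byte MAC header, 40-byte IPv6 header, 8-byte fragment header and 64-byte payload, and the marker bytes 0xAA/0xBB/0xCC; `needs_expand_for()` and `insert_frag_hdr()` are the example's own entry points. With `skb->data` at the transport header, `skb_headroom()` counts the MAC and IPv6 headers as free space, so the old condition never fires even when the MAC header sits at `head`; the patched condition measures from the MAC header, which is where the headers are slid to when the fragment header is inserted.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

#define ETH_HLEN   14
#define IPV6_HLEN  40
#define FRAG_HLEN   8   /* assumed sizeof(struct frag_hdr) */
#define PAYLOAD    64   /* assumed UDP header + data length */

/* Assumed userspace model of the sk_buff fields the check touches; not the kernel struct. */
struct toy_skb {
    unsigned char *head;   /* start of the allocation */
    unsigned char *data;   /* at the transport (UDP) header, as in udp6_ufo_fragment() */
    size_t mac_off, net_off, transport_off;
    size_t alloc;
};

static size_t toy_headroom(const struct toy_skb *s)
{
    return (size_t)(s->data - s->head);   /* what skb_headroom() measures */
}

static unsigned char *toy_mac_header(const struct toy_skb *s)
{
    return s->head + s->mac_off;          /* what skb_mac_header() returns */
}

/* reserve = free bytes in front of the Ethernet header; 0 models a bridged frame
 * from a device without UFO that arrived with no spare room up front. */
static int toy_build(struct toy_skb *s, size_t reserve)
{
    s->alloc = reserve + ETH_HLEN + IPV6_HLEN + PAYLOAD;
    s->head = calloc(1, s->alloc);
    if (!s->head)
        return -1;
    s->mac_off = reserve;
    s->net_off = reserve + ETH_HLEN;
    s->transport_off = s->net_off + IPV6_HLEN;
    s->data = s->head + s->transport_off;
    memset(s->head + s->mac_off, 0xAA, ETH_HLEN);   /* stand-in MAC header */
    memset(s->head + s->net_off, 0xBB, IPV6_HLEN);  /* stand-in IPv6 header */
    return 0;
}

/* Pre-patch condition: room in front of skb->data, so MAC + IPv6 headers count as free. */
static int old_needs_expand(const struct toy_skb *s, size_t frag_hdr_sz)
{
    return toy_headroom(s) < frag_hdr_sz;
}

/* Patched condition: room in front of the MAC header, where the headers get slid to. */
static int new_needs_expand(const struct toy_skb *s, size_t frag_hdr_sz)
{
    return toy_mac_header(s) < s->head + frag_hdr_sz;
}

/* Stand-in for pskb_expand_head(skb, nhead, 0, ...): nhead more bytes in front. */
static int toy_expand_head(struct toy_skb *s, size_t nhead)
{
    unsigned char *n = calloc(1, s->alloc + nhead);
    if (!n)
        return -1;
    memcpy(n + nhead, s->head, s->alloc);
    free(s->head);
    s->head = n;
    s->alloc += nhead;
    s->mac_off += nhead;
    s->net_off += nhead;
    s->transport_off += nhead;
    s->data = s->head + s->transport_off;
    return 0;
}

/* Evaluate one of the two checks on a fresh skb: 1 = expand, 0 = no expand, -1 = alloc failure. */
int needs_expand_for(size_t reserve, int use_fixed_check)
{
    struct toy_skb s;
    if (toy_build(&s, reserve))
        return -1;
    int r = use_fixed_check ? new_needs_expand(&s, FRAG_HLEN) : old_needs_expand(&s, FRAG_HLEN);
    free(s.head);
    return r;
}

/* Check, maybe expand, then slide MAC+IPv6 headers back by FRAG_HLEN to open a gap
 * for the fragment header. Returns 0 if the insert stayed inside the buffer, 1 if the
 * memmove would land before head (refused here instead of corrupting memory), -1 on
 * allocation failure. */
int insert_frag_hdr(size_t reserve, int use_fixed_check)
{
    struct toy_skb s;
    int rc;
    if (toy_build(&s, reserve))
        return -1;
    int expand = use_fixed_check ? new_needs_expand(&s, FRAG_HLEN) : old_needs_expand(&s, FRAG_HLEN);
    if (expand && toy_expand_head(&s, FRAG_HLEN)) {
        free(s.head);
        return -1;
    }
    if (s.mac_off < FRAG_HLEN) {
        rc = 1;   /* destination would be head - (FRAG_HLEN - mac_off): out-of-bounds write */
    } else {
        memmove(s.head + s.mac_off - FRAG_HLEN, s.head + s.mac_off, ETH_HLEN + IPV6_HLEN);
        s.mac_off -= FRAG_HLEN;
        s.net_off -= FRAG_HLEN;
        memset(s.head + s.net_off + IPV6_HLEN, 0xCC, FRAG_HLEN);  /* fragment header fits here */
        rc = 0;
    }
    free(s.head);
    return rc;
}
```

With `reserve` set to 0, `needs_expand_for(0, 0)` returns 0 because the 54 bytes of MAC and IPv6 header in front of `data` satisfy the old test, and `insert_frag_hdr(0, 0)` then reports the out-of-bounds move; `needs_expand_for(0, 1)` returns 1 and `insert_frag_hdr(0, 1)` completes after expanding. Once `reserve` is at least `FRAG_HLEN`, both paths behave the same, which is why the bug only showed up in configurations that hand the UFO path a frame with no spare headroom in front of the MAC header.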
On Thu, Nov 24, 2011 at 06:26:58PM +0100, Stefan Bader wrote:
> A bug was found in the way the headroom check was performed in the
> udp6_ufo_fragment() function. A remote attacker could use this flaw to
> crash the system.
>
> Natty to Precise got the fix pending at least. Anything before 2.6.32
> is not affected. For the rest it is a clean cherry-pick all the way
> to Lucid.
>
> Somehow I am not sure anymore which topic branches are rebased and which
> are not. Hopefully the magic status will tell as soon as the master
> branches are updated and pushed...

lucid/ec2 is a rebase (though has manual intervention)
lucid/fsl-imx51 is not a rebase.
lucid/mvl-dove & maverick/mvl-dove are rebased (lucid is off support but
we rebase that to get maverick/mvl-dove).
ti-omap4 before oneiric are not rebased, oneiric and later are.

All of the lts-backport branches are effectively rebased too.

You can find the rebase applications I consider from a CVE standpoint in
the kteam-tools/cve-tools/cve-rebase-transfer at the bottom.

> From a9cf73ea7ff78f52662c8658d93c226effbbedde Mon Sep 17 00:00:00 2001
> From: Shan Wei <shanwei@cn.fujitsu.com>
> Date: Tue, 19 Apr 2011 22:52:49 +0000
> Subject: [PATCH] ipv6: udp: fix the wrong headroom check
>
> At this point, skb->data points to skb_transport_header.
> So, the headroom check is wrong.
>
> For some cases: bridge (UFO is on) + eth device (UFO is off),
> there is not enough headroom for the IPv6 frag head.
> But the headroom check is always false.
>
> This will bring about data being moved to before skb->head,
> when adding the IPv6 frag header to the skb.
>
> Signed-off-by: Shan Wei <shanwei@cn.fujitsu.com>
> Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
> Signed-off-by: David S. Miller <davem@davemloft.net>
>
> BugLink: http://bugs.launchpad.net/bugs/894373
> CVE-2011-4326
> (cherry-picked from commit a9cf73ea7ff78f52662c8658d93c226effbbedde upstream)
> Signed-off-by: Stefan Bader <stefan.bader@canonical.com> > --- > net/ipv6/udp.c | 2 +- > 1 files changed, 1 insertions(+), 1 deletions(-) > > diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c > index 15c3774..9e305d74 100644 > --- a/net/ipv6/udp.c > +++ b/net/ipv6/udp.c > @@ -1335,7 +1335,7 @@ static struct sk_buff *udp6_ufo_fragment(struct sk_buff *skb, u32 features) > skb->ip_summed = CHECKSUM_NONE; > > /* Check if there is enough headroom to insert fragment header. */ > - if ((skb_headroom(skb) < frag_hdr_sz) && > + if ((skb_mac_header(skb) < skb->head + frag_hdr_sz) && > pskb_expand_head(skb, frag_hdr_sz, 0, GFP_ATOMIC)) > goto out; > Matches the upstream commit and seems to do what is claimed. Acked-by: Andy Whitcroft <apw@canonical.com> -apw
Applied to lucid, maverick, maverick/ti-omap4, and natty/ti-omap4. -apw
diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c index 15c3774..9e305d74 100644 --- a/net/ipv6/udp.c +++ b/net/ipv6/udp.c @@ -1335,7 +1335,7 @@ static struct sk_buff *udp6_ufo_fragment(struct sk_buff *skb, u32 features) skb->ip_summed = CHECKSUM_NONE; /* Check if there is enough headroom to insert fragment header. */ - if ((skb_headroom(skb) < frag_hdr_sz) && + if ((skb_mac_header(skb) < skb->head + frag_hdr_sz) && pskb_expand_head(skb, frag_hdr_sz, 0, GFP_ATOMIC)) goto out;
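Review bot: the comment kept above the changed condition, "Check if there is enough headroom to insert fragment header.", now describes something different from what skb_headroom() measures, and a reader who knows that helper will misread the new line. Per the commit message, skb->data sits at the transport header here, so the old `skb_headroom(skb) < frag_hdr_sz` counted the MAC and IPv6 headers as free space and could not fire; the new `skb_mac_header(skb) < skb->head + frag_hdr_sz` instead asks for frag_hdr_sz bytes in front of the MAC header, which is the region the headers are moved into when the frag header is added. Suggest rewording the comment to say that headroom is measured from the MAC header, not from skb->data, and noting that the condition relies on skb->mac_header being valid for every skb that reaches udp6_ufo_fragment(), since an unset MAC header would make the comparison meaningless rather than fail safe.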