From patchwork Wed Dec 7 16:58:05 2011
X-Patchwork-Submitter: Stefan Bader
X-Patchwork-Id: 129992
Message-ID: <4EDF9B1D.2080500@canonical.com>
Date: Wed, 07 Dec 2011 17:58:05 +0100
From: Stefan Bader
To: Tim Gardner
Cc: kernel-team@lists.ubuntu.com
Subject: Re: APPLIED: [CVE-2011-1576] core: Fix memory leak/corruption on VLAN GRO_DROP
References: <1316440807-9603-1-git-send-email-stefan.bader@canonical.com> <4E774DEA.6000604@canonical.com> <4EDF9873.6090605@canonical.com>
In-Reply-To: <4EDF9873.6090605@canonical.com>
List-Id: Kernel team discussions

That's the alternate patch
From dfba10cbc524968ee7eddb551a74fb0608b0af1c Mon Sep 17 00:00:00 2001
From: Benjamin Poirier
Date: Wed, 30 Nov 2011 07:47:18 -0500
Subject: [PATCH 1/2] gro: reset vlan_tci on reuse

This one liner is part of upstream commit 3701e51382a026cba10c60b03efabe534fba4ca4
Author: Jesse Gross
    vlan: Centralize handling of hardware acceleration.

The bulk of that commit is a rework of the hardware assisted vlan tagging
driver interface, and as such doesn't classify for -stable inclusion. The
fix that is needed is a part of that commit but can work independently of
the rest.

This patch can avoid panics on the 2.6.32.y -stable kernels and is in the
same spirit as mainline commits
66c46d7 gro: Reset dev pointer on reuse
6d152e2 gro: reset skb_iif on reuse
which are already in -stable.

For drivers using the vlan_gro_frags() interface, a packet with an invalid
tci leads to GRO_DROP and napi_reuse_skb(). The skb has to be sanitized
before being reused or we may send an skb with an invalid vlan_tci field up
the stack where it is not expected.

Signed-off-by: Benjamin Poirier
Cc: Jesse Gross
Acked-by: David S. Miller

(picked with minor fuzz from the 2.6.32 longterm queue)
CVE-2011-1576
BugLink: http://bugs.launchpad.net/bugs/844361
Signed-off-by: Stefan Bader
---
 net/core/dev.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/net/core/dev.c b/net/core/dev.c
index 52ec7f4..f61bf98 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -3231,6 +3231,7 @@ void napi_reuse_skb(struct napi_struct *napi, struct sk_buff *skb)
 {
 	__skb_pull(skb, skb_headlen(skb));
 	skb_reserve(skb, NET_IP_ALIGN - skb_headroom(skb));
+	skb->vlan_tci = 0;
 	skb->dev = napi->dev;
 	skb->skb_iif = 0;
-- 
1.7.5.4
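Review bot: the hunk header `@@ -3231,6 +3231,7 @@` announces six unchanged lines, but only five context lines are visible after it (`{` through `skb->skb_iif = 0;`), so one trailing context line seems to have been lost in transit; since the cover text already says the pick needed "minor fuzz", please confirm that the applied `skb->vlan_tci = 0;` landed at the top of napi_reuse_skb() right before `skb->dev = napi->dev;` in the Ubuntu tree. Placing the vlan_tci reset beside the existing `skb->dev` and `skb->skb_iif` resets is consistent with the two mainline commits the message cites (66c46d7, 6d152e2); for -stable tracking it would help to quote those two by full hash rather than the 7-character abbreviation.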
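Added example (not part of the patch, the mail, or the kernel source): a small user-space C model of the sequence the commit message describes, so the effect of the one-line reset can be observed outside the kernel. struct skb, struct napi, napi_reuse_skb_model(), vlan_gro_frags_model(), rx_untagged_frame(), stack_sees_tagged() and the vlan_dev_configured[] table are simplified stand-ins invented here for sk_buff, napi_struct, napi_reuse_skb(), vlan_gro_frags(), the driver's receive path and the vlan_group lookup; VLAN_TAG_PRESENT (0x1000) and VLAN_VID_MASK (0x0fff) are assumed to match <linux/if_vlan.h> of that era. The reset_tci flag selects the pre-patch or post-patch reuse behaviour, and the VLAN IDs used are constructed input.

```c
/* Added example: user-space model of the skb reuse path from the commit
 * message.  Not kernel code; all names below are simplified stand-ins. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define VLAN_TAG_PRESENT 0x1000u   /* assumed: as in <linux/if_vlan.h> then */
#define VLAN_VID_MASK    0x0fffu
#define VLAN_N_VID       4096

enum gro_result { GRO_NORMAL, GRO_DROP };

/* Stand-in for struct sk_buff: only the fields this path touches. */
struct skb {
    uint16_t vlan_tci;   /* hardware-provided tag, TAG_PRESENT | vid */
    int      len;        /* payload length; the payload itself is irrelevant */
};

/* Stand-in for struct napi_struct holding one recycled skb. */
struct napi {
    struct skb *reuse;
};

/* Stand-in for the vlan_group lookup: which VIDs have a configured device. */
static int vlan_dev_configured[VLAN_N_VID];

/* Model of napi_reuse_skb().  reset_tci == 0 is the pre-patch behaviour,
 * reset_tci == 1 adds the one-line fix from the hunk above. */
static void napi_reuse_skb_model(struct napi *napi, struct skb *skb, int reset_tci)
{
    skb->len = 0;                 /* __skb_pull(skb, skb_headlen(skb)) */
    if (reset_tci)
        skb->vlan_tci = 0;        /* skb->vlan_tci = 0; */
    napi->reuse = skb;            /* napi->skb = skb; */
}

/* Model of vlan_gro_frags(): the tag is recorded on the skb first; if no
 * vlan device exists for that VID the frame is GRO_DROP and the skb recycled. */
static enum gro_result vlan_gro_frags_model(struct napi *napi, struct skb *skb,
                                            uint16_t vlan_tci, int reset_tci)
{
    skb->vlan_tci = (uint16_t)(vlan_tci | VLAN_TAG_PRESENT);
    if (!vlan_dev_configured[vlan_tci & VLAN_VID_MASK]) {
        napi_reuse_skb_model(napi, skb, reset_tci);   /* GRO_DROP path */
        return GRO_DROP;
    }
    return GRO_NORMAL;
}

/* Model of the driver receiving an untagged frame into the recycled skb.
 * An untagged frame never writes vlan_tci, so whatever the recycled skb
 * still carries is what the stack will see. */
static struct skb *rx_untagged_frame(struct napi *napi, int len)
{
    struct skb *skb = napi->reuse;
    napi->reuse = NULL;
    skb->len = len;
    return skb;
}

/* The question the stack asks on delivery: is this frame VLAN tagged? */
static int stack_sees_tagged(const struct skb *skb)
{
    return (skb->vlan_tci & VLAN_TAG_PRESENT) != 0;
}

/* Run the commit message's sequence: a tagged frame with an unknown VID
 * (GRO_DROP, skb recycled), then an untagged frame on the recycled skb.
 * Returns 1 if the untagged frame is wrongly delivered as tagged, 0 if not,
 * -1 if the model did not take the drop path. */
int untagged_frame_inherits_stale_tag(int reset_tci)
{
    struct napi napi = { 0 };
    struct skb skb = { 0 };

    memset(vlan_dev_configured, 0, sizeof vlan_dev_configured);
    vlan_dev_configured[100] = 1;         /* constructed: only VLAN 100 exists */

    /* Frame 1: hardware reports VID 4094, which has no vlan device. */
    if (vlan_gro_frags_model(&napi, &skb, 4094, reset_tci) != GRO_DROP)
        return -1;

    /* Frame 2: untagged, arriving in the skb recycled from frame 1. */
    return stack_sees_tagged(rx_untagged_frame(&napi, 64));
}

int main(void)
{
    printf("without reset: untagged frame seen as tagged? %d\n",
           untagged_frame_inherits_stale_tag(0));
    printf("with reset:    untagged frame seen as tagged? %d\n",
           untagged_frame_inherits_stale_tag(1));
    return 0;
}
```

Without the reset the second, untagged frame reaches the stack with TAG_PRESENT and the dropped frame's VID still set, which is exactly the "invalid vlan_tci field up the stack where it is not expected" the message warns about; with the reset it is delivered untagged.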