Update to 3.12.1
svn path=/dists/trunk/linux/; revision=20818
parent
94bed1121b
commit
6bbeff05ba
|
@ -1,4 +1,7 @@
|
||||||
linux (3.12-1~exp2) UNRELEASED; urgency=low
|
linux (3.12.1-1~exp1) UNRELEASED; urgency=low
|
||||||
|
|
||||||
|
* New upstream stable update:
|
||||||
|
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.12.1
|
||||||
|
|
||||||
[ Ben Hutchings ]
|
[ Ben Hutchings ]
|
||||||
* [rt] Update to 3.12.0-rt2 and reenable
|
* [rt] Update to 3.12.0-rt2 and reenable
|
||||||
|
|
|
@ -1,82 +0,0 @@
|
||||||
From: Ben Hutchings <ben@decadent.org.uk>
|
|
||||||
Date: Thu, 31 Oct 2013 02:24:12 +0000
|
|
||||||
Subject: net: Fix infinite loop in in skb_flow_dissect() (CVE-2013-4348)
|
|
||||||
|
|
||||||
Jason Wang <jasowang@redhat.com> writes:
|
|
||||||
(via linux-distros@vs.openwall.org etc.)
|
|
||||||
> There's a deadloop path in skb_flow_dissect():
|
|
||||||
>
|
|
||||||
> bool skb_flow_dissect(const struct sk_buff *skb, struct flow_keys *flow)
|
|
||||||
> {
|
|
||||||
> ..
|
|
||||||
>
|
|
||||||
> ip:
|
|
||||||
> iph = skb_header_pointer(skb, nhoff, sizeof(_iph), &_iph);
|
|
||||||
> if (!iph)
|
|
||||||
> return false;
|
|
||||||
>
|
|
||||||
> if (ip_is_fragment(iph))
|
|
||||||
> ip_proto = 0;
|
|
||||||
> else
|
|
||||||
> ip_proto = iph->protocol;
|
|
||||||
> iph_to_flow_copy_addrs(flow, iph);
|
|
||||||
> nhoff += iph->ihl * 4;
|
|
||||||
> break;
|
|
||||||
> ..
|
|
||||||
>
|
|
||||||
> Here the code does not check whether iph->ihl is zero which may cause
|
|
||||||
> deadloop if a malicous IPIP packet whose ihl is zero. See the above
|
|
||||||
> codes for IPIP. Since the pointer was not move ahead.
|
|
||||||
>
|
|
||||||
> ..
|
|
||||||
> case IPPROTO_IPIP:
|
|
||||||
> proto = htons(ETH_P_IP);
|
|
||||||
> goto ip;
|
|
||||||
> ..
|
|
||||||
> }
|
|
||||||
>
|
|
||||||
> skb_flow_dissect() were used by several places:
|
|
||||||
> - packet scheduler that want classify flows
|
|
||||||
> - skb_get_rxhash() that will be used by RPS, vxlan, multiqueue
|
|
||||||
> tap,macvtap packet fanout
|
|
||||||
> - skb_probe_transport_header() which was used for probing transport
|
|
||||||
> header for DODGY packets
|
|
||||||
> - __skb_get_poff() which will be used by socket filter
|
|
||||||
>
|
|
||||||
> So this could be used to DOS both local and remote machine.
|
|
||||||
>
|
|
||||||
> I was able to
|
|
||||||
>
|
|
||||||
> - DOS the local host machine
|
|
||||||
> - DOS the local host machine by run the reproducer in guest
|
|
||||||
> - DOS one guest with RPS enabled by running the reproducer in another
|
|
||||||
> guest in the same host.
|
|
||||||
>
|
|
||||||
> I believe it could be also used to DOS a remote machine, but I didn't try.
|
|
||||||
>
|
|
||||||
> The issue were introduced by commit
|
|
||||||
> 0744dd00c1b1be99a25b62b1b48df440e82e57e0 (net: introduce
|
|
||||||
> skb_flow_dissect()).
|
|
||||||
>
|
|
||||||
> The fix looks easy, just fail when iph->ihl is zero.
|
|
||||||
|
|
||||||
Accepting any positive value means we can still be made to loop nearly
|
|
||||||
skb->len / 4 times in some cases. But all values < 5 are invalid, so
|
|
||||||
let's reject them and reduce that to skb->len / 20.
|
|
||||||
|
|
||||||
We should probably set a constant limit on the loop count as well, but
|
|
||||||
I'm not sure what the limit should be.
|
|
||||||
|
|
||||||
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
|
|
||||||
---
|
|
||||||
--- a/net/core/flow_dissector.c
|
|
||||||
+++ b/net/core/flow_dissector.c
|
|
||||||
@@ -40,7 +40,7 @@ again:
|
|
||||||
struct iphdr _iph;
|
|
||||||
ip:
|
|
||||||
iph = skb_header_pointer(skb, nhoff, sizeof(_iph), &_iph);
|
|
||||||
- if (!iph)
|
|
||||||
+ if (!iph || iph->ihl < 5)
|
|
||||||
return false;
|
|
||||||
|
|
||||||
if (ip_is_fragment(iph))
|
|
|
@ -75,5 +75,4 @@ features/all/mvsas-Recognise-device-subsystem-9485-9485-as-88SE94.patch
|
||||||
bugfix/all/kbuild-use-nostdinc-in-compile-tests.patch
|
bugfix/all/kbuild-use-nostdinc-in-compile-tests.patch
|
||||||
debian/add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by-default.patch
|
debian/add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by-default.patch
|
||||||
bugfix/all/UAPI-include-asm-byteorder.h-in-linux-raid-md_p.h.patch
|
bugfix/all/UAPI-include-asm-byteorder.h-in-linux-raid-md_p.h.patch
|
||||||
bugfix/all/CVE-2013-4348.patch
|
|
||||||
bugfix/all/perf-ftrace-Fix-paranoid-level-for-enabling-function.patch
|
bugfix/all/perf-ftrace-Fix-paranoid-level-for-enabling-function.patch
|
||||||
|
|