diff --git a/debian/changelog b/debian/changelog
index 4784f0918..c8f2795f4 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -31,6 +31,8 @@ linux (4.19~rc3-1~exp2) UNRELEASED; urgency=medium
   * linux-image-*-signed-template: Override lintian warnings about non-
     executable scripts
   * [ia64] udeb: Fix priority of sn-modules
+  * Revert "Revert "net: increase fragment memory usage limits"", as 4.19
+    includes a better fix for CVE-2018-5391
 
  -- Ben Hutchings  Mon, 10 Sep 2018 22:25:53 +0100
 
diff --git a/debian/patches/bugfix/all/Revert-net-increase-fragment-memory-usage-limits.patch b/debian/patches/bugfix/all/Revert-net-increase-fragment-memory-usage-limits.patch
deleted file mode 100644
index eaa7d9f22..000000000
--- a/debian/patches/bugfix/all/Revert-net-increase-fragment-memory-usage-limits.patch
+++ /dev/null
@@ -1,58 +0,0 @@
-From: Salvatore Bonaccorso
-Date: Sat, 28 Jul 2018 16:48:31 +0200
-Subject: [PATCH] Revert "net: increase fragment memory usage limits"
-
-This reverts commit c2a936600f78aea00d3312ea4b66a79a4619f9b4.
-
-Revert commit as mitigation to FragmentSmack (CVE-2018-5391)
-[bwh: Adjust context to apply to sid]
----
- include/net/ipv6.h | 4 ++--
- net/ipv4/ip_fragment.c | 22 +++++++---------------
- 2 files changed, 9 insertions(+), 17 deletions(-)
-
---- a/include/net/ipv6.h
-+++ b/include/net/ipv6.h
-@@ -379,8 +379,8 @@ static inline bool ipv6_accept_ra(struct
- idev->cnf.accept_ra;
- }
- 
--#define IPV6_FRAG_HIGH_THRESH (4 * 1024*1024) /* 4194304 */
--#define IPV6_FRAG_LOW_THRESH (3 * 1024*1024) /* 3145728 */
-+#define IPV6_FRAG_HIGH_THRESH (256 * 1024) /* 262144 */
-+#define IPV6_FRAG_LOW_THRESH (192 * 1024) /* 196608 */
- #define IPV6_FRAG_TIMEOUT (60 * HZ) /* 60 seconds */
- 
- int __ipv6_addr_type(const struct in6_addr *addr);
---- a/net/ipv4/ip_fragment.c
-+++ b/net/ipv4/ip_fragment.c
-@@ -788,22 +788,14 @@ static int __net_init ipv4_frags_init_ne
- {
- int res;
- 
-- /* Fragment cache limits.
-- *
-- * The fragment memory accounting code, (tries to) account for
-- * the real memory usage, by measuring both the size of frag
-- * queue struct (inet_frag_queue (ipv4:ipq/ipv6:frag_queue))
-- * and the SKB's truesize.
-- *
-- * A 64K fragment consumes 129736 bytes (44*2944)+200
-- * (1500 truesize == 2944, sizeof(struct ipq) == 200)
-- *
-- * We will commit 4MB at one time. Should we cross that limit
-- * we will prune down to 3MB, making room for approx 8 big 64K
-- * fragments 8x128k.
-+ /*
-+ * Fragment cache limits. We will commit 256K at one time. Should we
-+ * cross that limit we will prune down to 192K. This should cope with
-+ * even the most extreme cases without allowing an attacker to
-+ * measurably harm machine performance.
- */
-- net->ipv4.frags.high_thresh = 4 * 1024 * 1024;
-- net->ipv4.frags.low_thresh = 3 * 1024 * 1024;
-+ net->ipv4.frags.high_thresh = 256 * 1024;
-+ net->ipv4.frags.low_thresh = 192 * 1024;
- /*
- * Important NOTE! Fragment queue must be destroyed before MSL expires.
- * RFC791 is wrong proposing to prolongate timer each fragment arrival
diff --git a/debian/patches/series b/debian/patches/series
index 1bec250d3..4e3935530 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -131,7 +131,6 @@ features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch
 
 # Security fixes
 debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
-bugfix/all/Revert-net-increase-fragment-memory-usage-limits.patch
 
 # Fix exported symbol versions
 bugfix/all/module-disable-matching-missing-version-crc.patch