From e090a7f60dd56451c041702b884607c86f1aba2f Mon Sep 17 00:00:00 2001
From: Ben Hutchings
Date: Tue, 14 Aug 2018 22:23:59 +0100
Subject: [PATCH] Revert "net: increase fragment memory usage limits" (CVE-2018-5391)
---
 debian/changelog | 1 +
 ...ncrease-fragment-memory-usage-limits.patch | 58 +++++++++++++++++++
 debian/patches/series | 1 +
 3 files changed, 60 insertions(+)
 create mode 100644 debian/patches/bugfix/all/Revert-net-increase-fragment-memory-usage-limits.patch
diff --git a/debian/changelog b/debian/changelog
index 69875eb90..757bab808 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -4,6 +4,7 @@ linux (4.17.14-2) UNRELEASED; urgency=medium
 (except on armel)
 - bluetooth: Re-enable BT_HCIUART_{BCM,LL} (Closes: #906048)
 * drivers/net/phy: Enable SFP as module (Closes: #906054)
+ * Revert "net: increase fragment memory usage limits" (CVE-2018-5391)
 -- Ben Hutchings Tue, 14 Aug 2018 00:07:30 +0800
diff --git a/debian/patches/bugfix/all/Revert-net-increase-fragment-memory-usage-limits.patch b/debian/patches/bugfix/all/Revert-net-increase-fragment-memory-usage-limits.patch
new file mode 100644
index 000000000..eaa7d9f22
--- /dev/null
+++ b/debian/patches/bugfix/all/Revert-net-increase-fragment-memory-usage-limits.patch
@@ -0,0 +1,58 @@
+From: Salvatore Bonaccorso
+Date: Sat, 28 Jul 2018 16:48:31 +0200
+Subject: [PATCH] Revert "net: increase fragment memory usage limits"
+
+This reverts commit c2a936600f78aea00d3312ea4b66a79a4619f9b4.
+
+Revert commit as mitigation to FragmentSmack (CVE-2018-5391)
+[bwh: Adjust context to apply to sid]
+---
+ include/net/ipv6.h | 4 ++--
+ net/ipv4/ip_fragment.c | 22 +++++++---------------
+ 2 files changed, 9 insertions(+), 17 deletions(-)
+
+--- a/include/net/ipv6.h
++++ b/include/net/ipv6.h
+@@ -379,8 +379,8 @@ static inline bool ipv6_accept_ra(struct
+ idev->cnf.accept_ra;
+ }
+ 
+-#define IPV6_FRAG_HIGH_THRESH (4 * 1024*1024) /* 4194304 */
+-#define IPV6_FRAG_LOW_THRESH (3 * 1024*1024) /* 3145728 */
++#define IPV6_FRAG_HIGH_THRESH (256 * 1024) /* 262144 */
++#define IPV6_FRAG_LOW_THRESH (192 * 1024) /* 196608 */
+ #define IPV6_FRAG_TIMEOUT (60 * HZ) /* 60 seconds */
+ 
+ int __ipv6_addr_type(const struct in6_addr *addr);
+--- a/net/ipv4/ip_fragment.c
++++ b/net/ipv4/ip_fragment.c
+@@ -788,22 +788,14 @@ static int __net_init ipv4_frags_init_ne
+ {
+ int res;
+ 
+- /* Fragment cache limits.
+- *
+- * The fragment memory accounting code, (tries to) account for
+- * the real memory usage, by measuring both the size of frag
+- * queue struct (inet_frag_queue (ipv4:ipq/ipv6:frag_queue))
+- * and the SKB's truesize.
+- *
+- * A 64K fragment consumes 129736 bytes (44*2944)+200
+- * (1500 truesize == 2944, sizeof(struct ipq) == 200)
+- *
+- * We will commit 4MB at one time. Should we cross that limit
+- * we will prune down to 3MB, making room for approx 8 big 64K
+- * fragments 8x128k.
++ /*
++ * Fragment cache limits. We will commit 256K at one time. Should we
++ * cross that limit we will prune down to 192K. This should cope with
++ * even the most extreme cases without allowing an attacker to
++ * measurably harm machine performance.
+ */
+- net->ipv4.frags.high_thresh = 4 * 1024 * 1024;
+- net->ipv4.frags.low_thresh = 3 * 1024 * 1024;
++ net->ipv4.frags.high_thresh = 256 * 1024;
++ net->ipv4.frags.low_thresh = 192 * 1024;
+ /*
+ * Important NOTE! Fragment queue must be destroyed before MSL expires.
+ * RFC791 is wrong proposing to prolongate timer each fragment arrival
diff --git a/debian/patches/series b/debian/patches/series
index 84382ce8c..ad6f90eea 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -138,6 +138,7 @@ features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch
 # Security fixes
 debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
+bugfix/all/Revert-net-increase-fragment-memory-usage-limits.patch
 # Fix exported symbol versions
 bugfix/all/module-disable-matching-missing-version-crc.patch
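Review bot: The comment restored in the ipv4_frags_init_net hunk, `* cross that limit we will prune down to 192K.`, describes an eviction-towards-low_thresh behaviour that the revert does not itself reinstate; whether the 4.17 fragment code still prunes towards low_thresh or only refuses new queues once usage exceeds high_thresh is not visible here and should be confirmed against the tree, with the comment reworded to state what low_thresh actually does if it differs. Since this patch header is the only record of why the defaults were lowered, adding the DEP-3 fields Debian patches normally carry (`Origin:`, `Bug-Debian:` or a CVE reference line next to the existing From/Date/Subject) would make it clear when the revert can be dropped in favour of the upstream FragmentSmack fix. It is also worth stating in the header that the change only lowers the compiled-in defaults, so a system that already raised `net.ipv4.ipfrag_high_thresh` or `net.ipv6.ip6frag_high_thresh` via sysctl keeps its larger reassembly window and is not protected by this mitigation. The enclosing ipv4_frags_init_net body continues past the end of the hunk.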