[kernel] r17454 - in dists/sid/linux-2.6/debian: . patches/bugfix/all patches/series
Dann Frazier
dannf at alioth.debian.org
Wed May 18 14:04:29 UTC 2011
Author: dannf
Date: Wed May 18 14:04:26 2011
New Revision: 17454
Log:
net: ip_expire() must revalidate route (CVE-2011-1927)
Added:
dists/sid/linux-2.6/debian/patches/bugfix/all/net-ip_expire-must-revalidate-route.patch
Modified:
dists/sid/linux-2.6/debian/changelog
dists/sid/linux-2.6/debian/patches/series/6
Modified: dists/sid/linux-2.6/debian/changelog
==============================================================================
--- dists/sid/linux-2.6/debian/changelog Wed May 18 06:15:12 2011 (r17453)
+++ dists/sid/linux-2.6/debian/changelog Wed May 18 14:04:26 2011 (r17454)
@@ -3,6 +3,9 @@
[ Ben Hutchings ]
* bridge: Fix forwarding of IPv6 (regression in 2.6.38.4; closes: #625914)
+ [ dann frazier ]
+ * net: ip_expire() must revalidate route (CVE-2011-1927)
+
-- Ben Hutchings <ben at decadent.org.uk> Sun, 15 May 2011 15:03:21 +0100
linux-2.6 (2.6.38-5) unstable; urgency=medium
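Review bot: the new changelog entry in this hunk ("* net: ip_expire() must revalidate route (CVE-2011-1927)") reuses the upstream subject line, which tells a reader of the changelog nothing about the impact; since the added patch describes icmp_send() dereferencing a freed and possibly reused dst when fragment reassembly times out, the entry would be more useful as something like "* net: ip_expire() must revalidate route; fixes use-after-free of a stale skb dst when IP defragmentation times out (CVE-2011-1927)". The placement before the "-- Ben Hutchings" trailer and the separate "[ dann frazier ]" attribution block are otherwise consistent with the surrounding entries.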
Added: dists/sid/linux-2.6/debian/patches/bugfix/all/net-ip_expire-must-revalidate-route.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/sid/linux-2.6/debian/patches/bugfix/all/net-ip_expire-must-revalidate-route.patch Wed May 18 14:04:26 2011 (r17454)
@@ -0,0 +1,75 @@
+commit 64f3b9e203bd06855072e295557dca1485a2ecba
+Author: Eric Dumazet <eric.dumazet at gmail.com>
+Date: Wed May 4 10:02:26 2011 +0000
+
+ net: ip_expire() must revalidate route
+
+ Commit 4a94445c9a5c (net: Use ip_route_input_noref() in input path)
+ added a bug in IP defragmentation handling, in case timeout is fired.
+
+ When a frame is defragmented, we use last skb dst field when building
+ final skb. Its dst is valid, since we are in rcu read section.
+
+ But if a timeout occurs, we take first queued fragment to build one ICMP
+ TIME EXCEEDED message. Problem is all queued skb have weak dst pointers,
+ since we escaped RCU critical section after their queueing. icmp_send()
+ might dereference a now freed (and possibly reused) part of memory.
+
+ Calling skb_dst_drop() and ip_route_input_noref() to revalidate route is
+ the only possible choice.
+
+ Reported-by: Denys Fedoryshchenko <denys at visp.net.lb>
+ Signed-off-by: Eric Dumazet <eric.dumazet at gmail.com>
+ Signed-off-by: David S. Miller <davem at davemloft.net>
+
+diff --git a/net/ipv4/ip_fragment.c b/net/ipv4/ip_fragment.c
+index a1151b8..b1d282f 100644
+--- a/net/ipv4/ip_fragment.c
++++ b/net/ipv4/ip_fragment.c
+@@ -223,31 +223,30 @@ static void ip_expire(unsigned long arg)
+
+ if ((qp->q.last_in & INET_FRAG_FIRST_IN) && qp->q.fragments != NULL) {
+ struct sk_buff *head = qp->q.fragments;
++ const struct iphdr *iph;
++ int err;
+
+ rcu_read_lock();
+ head->dev = dev_get_by_index_rcu(net, qp->iif);
+ if (!head->dev)
+ goto out_rcu_unlock;
+
++ /* skb dst is stale, drop it, and perform route lookup again */
++ skb_dst_drop(head);
++ iph = ip_hdr(head);
++ err = ip_route_input_noref(head, iph->daddr, iph->saddr,
++ iph->tos, head->dev);
++ if (err)
++ goto out_rcu_unlock;
++
+ /*
+- * Only search router table for the head fragment,
+- * when defraging timeout at PRE_ROUTING HOOK.
++ * Only an end host needs to send an ICMP
++ * "Fragment Reassembly Timeout" message, per RFC792.
+ */
+- if (qp->user == IP_DEFRAG_CONNTRACK_IN && !skb_dst(head)) {
+- const struct iphdr *iph = ip_hdr(head);
+- int err = ip_route_input(head, iph->daddr, iph->saddr,
+- iph->tos, head->dev);
+- if (unlikely(err))
+- goto out_rcu_unlock;
+-
+- /*
+- * Only an end host needs to send an ICMP
+- * "Fragment Reassembly Timeout" message, per RFC792.
+- */
+- if (skb_rtable(head)->rt_type != RTN_LOCAL)
+- goto out_rcu_unlock;
++ if (qp->user == IP_DEFRAG_CONNTRACK_IN &&
++ skb_rtable(head)->rt_type != RTN_LOCAL)
++ goto out_rcu_unlock;
+
+- }
+
+ /* Send an ICMP "Fragment Reassembly Timeout" message. */
+ icmp_send(head, ICMP_TIME_EXCEEDED, ICMP_EXC_FRAGTIME, 0);
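Review bot: in the ip_fragment.c hunk, the retained comment "Only an end host needs to send an ICMP \"Fragment Reassembly Timeout\" message, per RFC792." now sits directly above a condition that is also gated on `qp->user == IP_DEFRAG_CONNTRACK_IN`, so for every other defrag user the `rt_type != RTN_LOCAL` check is skipped and icmp_send() runs regardless of whether the host is the destination; either the comment should say that the end-host restriction is only applied for the conntrack input path, or the `qp->user` qualifier should be justified in the description, since as written the comment promises more than the code checks. The substantive fix itself reads correctly: the old code only looked up a route when `!skb_dst(head)`, which trusted the stale dst pointer the commit message describes, whereas the new code unconditionally does `skb_dst_drop(head)` followed by `ip_route_input_noref()` under `rcu_read_lock()` and bails out via `out_rcu_unlock` on error, so icmp_send() only ever sees a freshly validated dst. One minor nit: the new `if (err)` drops the `unlikely()` hint the old `if (unlikely(err))` carried; harmless, but worth keeping for consistency with the surrounding error paths.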
Modified: dists/sid/linux-2.6/debian/patches/series/6
==============================================================================
--- dists/sid/linux-2.6/debian/patches/series/6 Wed May 18 06:15:12 2011 (r17453)
+++ dists/sid/linux-2.6/debian/patches/series/6 Wed May 18 14:04:26 2011 (r17454)
@@ -1 +1,2 @@
+ bugfix/all/bridge-fix-forwarding-of-IPv6.patch
++ bugfix/all/net-ip_expire-must-revalidate-route.patch