[kernel] r17454 - in dists/sid/linux-2.6/debian: . patches/bugfix/all patches/series

Dann Frazier dannf at alioth.debian.org
Wed May 18 14:04:29 UTC 2011


Author: dannf
Date: Wed May 18 14:04:26 2011
New Revision: 17454

Log:
net: ip_expire() must revalidate route (CVE-2011-1927)

Added:
   dists/sid/linux-2.6/debian/patches/bugfix/all/net-ip_expire-must-revalidate-route.patch
Modified:
   dists/sid/linux-2.6/debian/changelog
   dists/sid/linux-2.6/debian/patches/series/6

Modified: dists/sid/linux-2.6/debian/changelog
==============================================================================
--- dists/sid/linux-2.6/debian/changelog	Wed May 18 06:15:12 2011	(r17453)
+++ dists/sid/linux-2.6/debian/changelog	Wed May 18 14:04:26 2011	(r17454)
@@ -3,6 +3,9 @@
   [ Ben Hutchings ]
   * bridge: Fix forwarding of IPv6 (regression in 2.6.38.4; closes: #625914)
 
+  [ dann frazier ]
+  * net: ip_expire() must revalidate route (CVE-2011-1927)
+
  -- Ben Hutchings <ben at decadent.org.uk>  Sun, 15 May 2011 15:03:21 +0100
 
 linux-2.6 (2.6.38-5) unstable; urgency=medium
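Review bot: the new changelog entry names the CVE but not that this is a regression, which the upstream message in the added patch attributes to commit 4a94445c9a5c ("net: Use ip_route_input_noref() in input path"); the neighbouring bridge entry records its regression origin ("regression in 2.6.38.4"), so for consistency and for anyone triaging which kernels are affected, consider the same form here, e.g. "* net: ip_expire() must revalidate route (regression introduced by upstream commit 4a94445c9a5c; CVE-2011-1927)".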

Added: dists/sid/linux-2.6/debian/patches/bugfix/all/net-ip_expire-must-revalidate-route.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/sid/linux-2.6/debian/patches/bugfix/all/net-ip_expire-must-revalidate-route.patch	Wed May 18 14:04:26 2011	(r17454)
@@ -0,0 +1,75 @@
+commit 64f3b9e203bd06855072e295557dca1485a2ecba
+Author: Eric Dumazet <eric.dumazet at gmail.com>
+Date:   Wed May 4 10:02:26 2011 +0000
+
+    net: ip_expire() must revalidate route
+    
+    Commit 4a94445c9a5c (net: Use ip_route_input_noref() in input path)
+    added a bug in IP defragmentation handling, in case timeout is fired.
+    
+    When a frame is defragmented, we use last skb dst field when building
+    final skb. Its dst is valid, since we are in rcu read section.
+    
+    But if a timeout occurs, we take first queued fragment to build one ICMP
+    TIME EXCEEDED message. Problem is all queued skb have weak dst pointers,
+    since we escaped RCU critical section after their queueing. icmp_send()
+    might dereference a now freed (and possibly reused) part of memory.
+    
+    Calling skb_dst_drop() and ip_route_input_noref() to revalidate route is
+    the only possible choice.
+    
+    Reported-by: Denys Fedoryshchenko <denys at visp.net.lb>
+    Signed-off-by: Eric Dumazet <eric.dumazet at gmail.com>
+    Signed-off-by: David S. Miller <davem at davemloft.net>
+
+diff --git a/net/ipv4/ip_fragment.c b/net/ipv4/ip_fragment.c
+index a1151b8..b1d282f 100644
+--- a/net/ipv4/ip_fragment.c
++++ b/net/ipv4/ip_fragment.c
+@@ -223,31 +223,30 @@ static void ip_expire(unsigned long arg)
+ 
+ 	if ((qp->q.last_in & INET_FRAG_FIRST_IN) && qp->q.fragments != NULL) {
+ 		struct sk_buff *head = qp->q.fragments;
++		const struct iphdr *iph;
++		int err;
+ 
+ 		rcu_read_lock();
+ 		head->dev = dev_get_by_index_rcu(net, qp->iif);
+ 		if (!head->dev)
+ 			goto out_rcu_unlock;
+ 
++		/* skb dst is stale, drop it, and perform route lookup again */
++		skb_dst_drop(head);
++		iph = ip_hdr(head);
++		err = ip_route_input_noref(head, iph->daddr, iph->saddr,
++					   iph->tos, head->dev);
++		if (err)
++			goto out_rcu_unlock;
++
+ 		/*
+-		 * Only search router table for the head fragment,
+-		 * when defraging timeout at PRE_ROUTING HOOK.
++		 * Only an end host needs to send an ICMP
++		 * "Fragment Reassembly Timeout" message, per RFC792.
+ 		 */
+-		if (qp->user == IP_DEFRAG_CONNTRACK_IN && !skb_dst(head)) {
+-			const struct iphdr *iph = ip_hdr(head);
+-			int err = ip_route_input(head, iph->daddr, iph->saddr,
+-						 iph->tos, head->dev);
+-			if (unlikely(err))
+-				goto out_rcu_unlock;
+-
+-			/*
+-			 * Only an end host needs to send an ICMP
+-			 * "Fragment Reassembly Timeout" message, per RFC792.
+-			 */
+-			if (skb_rtable(head)->rt_type != RTN_LOCAL)
+-				goto out_rcu_unlock;
++		if (qp->user == IP_DEFRAG_CONNTRACK_IN &&
++		    skb_rtable(head)->rt_type != RTN_LOCAL)
++			goto out_rcu_unlock;
+ 
+-		}
+ 
+ 		/* Send an ICMP "Fragment Reassembly Timeout" message. */
+ 		icmp_send(head, ICMP_TIME_EXCEEDED, ICMP_EXC_FRAGTIME, 0);
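Review bot: the inner hunk changes the route lookup from conditional to unconditional, and that is the point of the fix, so it is worth stating explicitly in review: the old code only looked up a route when qp->user == IP_DEFRAG_CONNTRACK_IN and head had no dst, trusting any dst already attached; the new code always calls skb_dst_drop(head) and ip_route_input_noref() before icmp_send(), because, as the message explains, the queued fragments' dst pointers are weak once the RCU section they were queued under has ended and may point at freed memory. Two things to confirm when backporting: the noref dst installed by ip_route_input_noref() is only valid inside the rcu_read_lock() taken a few lines above, so icmp_send() must stay inside that section (it does here) and nothing after out_rcu_unlock may touch head's dst; and a failed lookup now silently suppresses the ICMP "Fragment Reassembly Timeout" via goto out_rcu_unlock, which is the safe direction but means no message is sent for packets with no route back. Note also that the RTN_LOCAL check is still applied only for IP_DEFRAG_CONNTRACK_IN, preserving the previous behaviour for other users. Two minor points: the patch removes the `}` but keeps both surrounding blank context lines, leaving a double blank line before the "Send an ICMP" comment; and the CVE id appears only in the changelog, so adding it to this patch file alongside the upstream commit id would help anyone auditing the series later. Since the bug was introduced by the commit that switched the input path to ip_route_input_noref(), a 2.6.38 tree that has the bug also has that function, so the hunk should apply cleanly.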

Modified: dists/sid/linux-2.6/debian/patches/series/6
==============================================================================
--- dists/sid/linux-2.6/debian/patches/series/6	Wed May 18 06:15:12 2011	(r17453)
+++ dists/sid/linux-2.6/debian/patches/series/6	Wed May 18 14:04:26 2011	(r17454)
@@ -1 +1,2 @@
 + bugfix/all/bridge-fix-forwarding-of-IPv6.patch
++ bugfix/all/net-ip_expire-must-revalidate-route.patch
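Review bot: the new entry is appended after the bridge fix in the same "+ " form the file already uses, and the file name mirrors the upstream subject line, which keeps the patch traceable to commit 64f3b9e203bd; no ordering concern is visible from the names, but the upload's changelog entry and this series file should move together so the patch is not listed in series/6 without the matching changelog line.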
