[kernel] r19785 - in dists/squeeze-security/linux-2.6/debian: . patches/bugfix/all patches/series

Dann Frazier dannf at alioth.debian.org
Sat Feb 2 01:19:30 UTC 2013


Author: dannf
Date: Sat Feb  2 01:19:29 2013
New Revision: 19785

Log:
ipv6: discard overlapping fragment (CVE-2012-4444)

Added:
   dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/ipv6-discard-overlapping-fragment.patch
Modified:
   dists/squeeze-security/linux-2.6/debian/changelog
   dists/squeeze-security/linux-2.6/debian/patches/series/47squeeze1

Modified: dists/squeeze-security/linux-2.6/debian/changelog
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/changelog	Mon Jan 28 05:21:38 2013	(r19784)
+++ dists/squeeze-security/linux-2.6/debian/changelog	Sat Feb  2 01:19:29 2013	(r19785)
@@ -8,6 +8,7 @@
   * ext4: Fix max file size and logical block counting of extent format file
     (CVE-2011-2695)
   * net: sk_add_backlog() take rmem_alloc into account (CVE-2010-4805)
+  * ipv6: discard overlapping fragment (CVE-2012-4444)
 
  -- dann frazier <dannf at debian.org>  Mon, 22 Oct 2012 20:34:13 -0500
 

Added: dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/ipv6-discard-overlapping-fragment.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/ipv6-discard-overlapping-fragment.patch	Sat Feb  2 01:19:29 2013	(r19785)
@@ -0,0 +1,113 @@
+commit 70789d7052239992824628db8133de08dc78e593
+Author: Nicolas Dichtel <nicolas.dichtel at 6wind.com>
+Date:   Fri Sep 3 05:13:05 2010 +0000
+
+    ipv6: discard overlapping fragment
+    
+    RFC5722 prohibits reassembling fragments when some data overlaps.
+    
+    Bug spotted by Zhang Zuotao <zuotao.zhang at 6wind.com>.
+    
+    Signed-off-by: Nicolas Dichtel <nicolas.dichtel at 6wind.com>
+    Signed-off-by: David S. Miller <davem at davemloft.net>
+    [dannf: backported to Debian's 2.6.32]
+
+diff --git a/net/ipv6/reassembly.c b/net/ipv6/reassembly.c
+index 545c414..64cfef1 100644
+--- a/net/ipv6/reassembly.c
++++ b/net/ipv6/reassembly.c
+@@ -149,13 +149,6 @@ int ip6_frag_match(struct inet_frag_queue *q, void *a)
+ }
+ EXPORT_SYMBOL(ip6_frag_match);
+ 
+-/* Memory Tracking Functions. */
+-static void frag_kfree_skb(struct netns_frags *nf, struct sk_buff *skb)
+-{
+-	atomic_sub(skb->truesize, &nf->mem);
+-	kfree_skb(skb);
+-}
+-
+ void ip6_frag_init(struct inet_frag_queue *q, void *a)
+ {
+ 	struct frag_queue *fq = container_of(q, struct frag_queue, q);
+@@ -346,58 +339,22 @@ static int ip6_frag_queue(struct frag_queue *fq, struct sk_buff *skb,
+ 	}
+ 
+ found:
+-	/* We found where to put this one.  Check for overlap with
+-	 * preceding fragment, and, if needed, align things so that
+-	 * any overlaps are eliminated.
++	/* RFC5722, Section 4:
++	 *                                  When reassembling an IPv6 datagram, if
++	 *   one or more its constituent fragments is determined to be an
++	 *   overlapping fragment, the entire datagram (and any constituent
++	 *   fragments, including those not yet received) MUST be silently
++	 *   discarded.
+ 	 */
+-	if (prev) {
+-		int i = (FRAG6_CB(prev)->offset + prev->len) - offset;
+ 
+-		if (i > 0) {
+-			offset += i;
+-			if (end <= offset)
+-				goto err;
+-			if (!pskb_pull(skb, i))
+-				goto err;
+-			if (skb->ip_summed != CHECKSUM_UNNECESSARY)
+-				skb->ip_summed = CHECKSUM_NONE;
+-		}
+-	}
++	/* Check for overlap with preceding fragment. */
++	if (prev &&
++	    (FRAG6_CB(prev)->offset + prev->len) - offset > 0)
++		goto discard_fq;
+ 
+-	/* Look for overlap with succeeding segments.
+-	 * If we can merge fragments, do it.
+-	 */
+-	while (next && FRAG6_CB(next)->offset < end) {
+-		int i = end - FRAG6_CB(next)->offset; /* overlap is 'i' bytes */
+-
+-		if (i < next->len) {
+-			/* Eat head of the next overlapped fragment
+-			 * and leave the loop. The next ones cannot overlap.
+-			 */
+-			if (!pskb_pull(next, i))
+-				goto err;
+-			FRAG6_CB(next)->offset += i;	/* next fragment */
+-			fq->q.meat -= i;
+-			if (next->ip_summed != CHECKSUM_UNNECESSARY)
+-				next->ip_summed = CHECKSUM_NONE;
+-			break;
+-		} else {
+-			struct sk_buff *free_it = next;
+-
+-			/* Old fragment is completely overridden with
+-			 * new one drop it.
+-			 */
+-			next = next->next;
+-
+-			if (prev)
+-				prev->next = next;
+-			else
+-				fq->q.fragments = next;
+-
+-			fq->q.meat -= free_it->len;
+-			frag_kfree_skb(fq->q.net, free_it);
+-		}
+-	}
++	/* Look for overlap with succeeding segment. */
++	if (next && FRAG6_CB(next)->offset < end)
++		goto discard_fq;
+ 
+ 	FRAG6_CB(skb)->offset = offset;
+ 
+@@ -436,6 +393,8 @@ found:
+ 	write_unlock(&ip6_frags.lock);
+ 	return -1;
+ 
++discard_fq:
++	fq_kill(fq);
+ err:
+ 	IP6_INC_STATS(net, ip6_dst_idev(skb_dst(skb)),
+ 		      IPSTATS_MIB_REASMFAILS);
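Review bot: The replacement overlap tests at `if (prev &&` and `if (next && FRAG6_CB(next)->offset < end)` also fire for a retransmitted fragment identical to one already queued — the search loop above `found:` presumably leaves such a fragment as `next` with the same offset, so `offset < end` holds — and the jump to `discard_fq` then tears down the whole reassembly queue where the removed loop would have replaced the older copy. That is a defensible reading of the quoted RFC 5722 text, but it is a behaviour change for this kernel and deserves a line beside the check, e.g. `/* An exact duplicate counts as overlap: the whole datagram is dropped. */`. The RFC quotation at `When reassembling an IPv6 datagram` carries a long run of leading spaces copied from the source text; trimming it would read better. The enclosing `ip6_frag_queue` starts and ends outside the hunk, so the rest of the `err:` path after the `IPSTATS_MIB_REASMFAILS` increment is not visible here.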

Modified: dists/squeeze-security/linux-2.6/debian/patches/series/47squeeze1
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/patches/series/47squeeze1	Mon Jan 28 05:21:38 2013	(r19784)
+++ dists/squeeze-security/linux-2.6/debian/patches/series/47squeeze1	Sat Feb  2 01:19:29 2013	(r19785)
@@ -12,3 +12,4 @@
 - debian/net-Avoid-ABI-change-from-limit-for-socket-backlog.patch
 + bugfix/all/net-sk_add_backlog-take-remem_alloc-into-account.patch
 + debian/net-Avoid-ABI-change-from-limit-for-socket-backlog-2.patch
++ bugfix/all/ipv6-discard-overlapping-fragment.patch


