[kernel] r22114 - in dists/wheezy-security/linux/debian: . patches patches/bugfix/all

Ben Hutchings benh at moszumanska.debian.org
Sat Dec 6 23:53:31 UTC 2014 

Author: benh
Date: Sat Dec  6 23:53:31 2014
New Revision: 22114

Log:
ip: Fix backport of "ip: make IP identifiers less predictable"

Added:
   dists/wheezy-security/linux/debian/patches/bugfix/all/ip-fix-backport-of-ip-make-ip-identifiers-less-predictable.patch
Modified:
   dists/wheezy-security/linux/debian/changelog
   dists/wheezy-security/linux/debian/patches/series

Modified: dists/wheezy-security/linux/debian/changelog
==============================================================================
--- dists/wheezy-security/linux/debian/changelog	Sat Dec  6 23:44:20 2014	(r22113)
+++ dists/wheezy-security/linux/debian/changelog	Sat Dec  6 23:53:31 2014	(r22114)
@@ -3,6 +3,8 @@
   * Revert "drivers/net: Disable UFO through virtio" in macvtap and tun.
     This removes the need to shut down VMs if migrating to a patched
     host.
+  * ip: Fix backport of "ip: make IP identifiers less predictable"
+    (regression in 3.2.63) (thanks to Jeffrey Knockel)
 
  -- Ben Hutchings <ben at decadent.org.uk>  Sat, 06 Dec 2014 23:32:07 +0000
 

Added: dists/wheezy-security/linux/debian/patches/bugfix/all/ip-fix-backport-of-ip-make-ip-identifiers-less-predictable.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/wheezy-security/linux/debian/patches/bugfix/all/ip-fix-backport-of-ip-make-ip-identifiers-less-predictable.patch	Sat Dec  6 23:53:31 2014	(r22114)
@@ -0,0 +1,34 @@
+From: Jeffrey Knockel <jeffk at cs.unm.edu>
+Date: Wed, 12 Nov 2014 07:47:20 -0700
+Subject: Patch for 3.2.x, 3.4.x IP identifier regression
+Origin: http://mid.gmane.org/546372F8.50503@cs.unm.edu
+
+With commits 73f156a6e8c1 ("inetpeer: get rid of ip_id_count") and
+04ca6973f7c1 ("ip: make IP identifiers less predictable"), IP
+identifiers are generated from a counter chosen from an array of
+counters indexed by the hash of the outgoing packet header's source
+address, destination address, and protocol number.  Thus, in
+__ip_make_skb(), we must now call ip_select_ident() only after setting
+these fields in the IP header to prevent IP identifiers from being
+generated from bogus counters.
+
+IP id sequence before fix: 18174, 5789, 5953, 59420, 59637, ...
+After fix: 5967, 6185, 6374, 6600, 6795, 6892, 7051, 7288, ...
+
+Signed-off-by: Jeffrey Knockel <jeffk at cs.unm.edu>
+---
+--- a/net/ipv4/ip_output.c
++++ b/net/ipv4/ip_output.c
+@@ -1333,11 +1333,11 @@ struct sk_buff *__ip_make_skb(struct soc
+ 	iph->ihl = 5;
+ 	iph->tos = inet->tos;
+ 	iph->frag_off = df;
+-	ip_select_ident(skb, sk);
+ 	iph->ttl = ttl;
+ 	iph->protocol = sk->sk_protocol;
+ 	iph->saddr = fl4->saddr;
+ 	iph->daddr = fl4->daddr;
++	ip_select_ident(skb, sk);
+ 
+ 	if (opt) {
+ 		iph->ihl += opt->optlen>>2;

Modified: dists/wheezy-security/linux/debian/patches/series
==============================================================================
--- dists/wheezy-security/linux/debian/patches/series	Sat Dec  6 23:44:20 2014	(r22113)
+++ dists/wheezy-security/linux/debian/patches/series	Sat Dec  6 23:53:31 2014	(r22114)
@@ -1155,3 +1155,4 @@
 bugfix/all/net-sctp-fix-remote-memory-pressure-from-excessive-q.patch
 bugfix/x86/x86-kvm-vmx-Preserve-CR4-across-VM-entry.patch
 bugfix/all/revert-drivers-net-disable-ufo-through-virtio-in-macvtap-and-tun.patch
+bugfix/all/ip-fix-backport-of-ip-make-ip-identifiers-less-predictable.patch

More information about the Kernel-svn-changes mailing list