[kernel] r22114 - in dists/wheezy-security/linux/debian: . patches patches/bugfix/all
Ben Hutchings
benh at moszumanska.debian.org
Sat Dec 6 23:53:31 UTC 2014
Author: benh
Date: Sat Dec 6 23:53:31 2014
New Revision: 22114
Log:
ip: Fix backport of "ip: make IP identifiers less predictable"
Added:
dists/wheezy-security/linux/debian/patches/bugfix/all/ip-fix-backport-of-ip-make-ip-identifiers-less-predictable.patch
Modified:
dists/wheezy-security/linux/debian/changelog
dists/wheezy-security/linux/debian/patches/series
Modified: dists/wheezy-security/linux/debian/changelog
==============================================================================
--- dists/wheezy-security/linux/debian/changelog Sat Dec 6 23:44:20 2014 (r22113)
+++ dists/wheezy-security/linux/debian/changelog Sat Dec 6 23:53:31 2014 (r22114)
@@ -3,6 +3,8 @@
* Revert "drivers/net: Disable UFO through virtio" in macvtap and tun.
This removes the need to shut down VMs if migrating to a patched
host.
+ * ip: Fix backport of "ip: make IP identifiers less predictable"
+ (regression in 3.2.63) (thanks to Jeffrey Knockel)
-- Ben Hutchings <ben at decadent.org.uk> Sat, 06 Dec 2014 23:32:07 +0000
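Review bot: the changelog entry names the regression and credits the reporter but does not say what the regression did; one clause from the patch description, such as "IP IDs were drawn from a counter selected before the header's addresses and protocol were filled in", would let administrators judge the impact without opening the patch. Please also double-check that 3.2.63 is the stable release that first carried the backport, since that is the version the entry points readers to.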
Added: dists/wheezy-security/linux/debian/patches/bugfix/all/ip-fix-backport-of-ip-make-ip-identifiers-less-predictable.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/wheezy-security/linux/debian/patches/bugfix/all/ip-fix-backport-of-ip-make-ip-identifiers-less-predictable.patch Sat Dec 6 23:53:31 2014 (r22114)
@@ -0,0 +1,34 @@
+From: Jeffrey Knockel <jeffk at cs.unm.edu>
+Date: Wed, 12 Nov 2014 07:47:20 -0700
+Subject: Patch for 3.2.x, 3.4.x IP identifier regression
+Origin: http://mid.gmane.org/546372F8.50503@cs.unm.edu
+
+With commits 73f156a6e8c1 ("inetpeer: get rid of ip_id_count") and
+04ca6973f7c1 ("ip: make IP identifiers less predictable"), IP
+identifiers are generated from a counter chosen from an array of
+counters indexed by the hash of the outgoing packet header's source
+address, destination address, and protocol number. Thus, in
+__ip_make_skb(), we must now call ip_select_ident() only after setting
+these fields in the IP header to prevent IP identifiers from being
+generated from bogus counters.
+
+IP id sequence before fix: 18174, 5789, 5953, 59420, 59637, ...
+After fix: 5967, 6185, 6374, 6600, 6795, 6892, 7051, 7288, ...
+
+Signed-off-by: Jeffrey Knockel <jeffk at cs.unm.edu>
+---
+--- a/net/ipv4/ip_output.c
++++ b/net/ipv4/ip_output.c
+@@ -1333,11 +1333,11 @@ struct sk_buff *__ip_make_skb(struct soc
+ iph->ihl = 5;
+ iph->tos = inet->tos;
+ iph->frag_off = df;
+- ip_select_ident(skb, sk);
+ iph->ttl = ttl;
+ iph->protocol = sk->sk_protocol;
+ iph->saddr = fl4->saddr;
+ iph->daddr = fl4->daddr;
++ ip_select_ident(skb, sk);
+
+ if (opt) {
+ iph->ihl += opt->optlen>>2;
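Review bot: the reordering is correct: after 04ca6973f7c1 the counter used by ip_select_ident() is chosen by hashing saddr, daddr and protocol, so the old call site ran before __ip_make_skb() had written those three fields and picked a counter from whatever bytes the header held at that point; the new call site sits after all three assignments and before the `if (opt)` block, which is fine because the options do not feed the hash. Two things to record in the DEP-3 headers: whether this went into upstream stable (Origin: is a mailing-list message id, so add the stable commit or a Forwarded: line once one exists), and whether the other ip_select_ident() callers in the 3.2 backport were checked for the same ordering problem, since the description covers only this function.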
Modified: dists/wheezy-security/linux/debian/patches/series
==============================================================================
--- dists/wheezy-security/linux/debian/patches/series Sat Dec 6 23:44:20 2014 (r22113)
+++ dists/wheezy-security/linux/debian/patches/series Sat Dec 6 23:53:31 2014 (r22114)
@@ -1155,3 +1155,4 @@
bugfix/all/net-sctp-fix-remote-memory-pressure-from-excessive-q.patch
bugfix/x86/x86-kvm-vmx-Preserve-CR4-across-VM-entry.patch
bugfix/all/revert-drivers-net-disable-ufo-through-virtio-in-macvtap-and-tun.patch
+bugfix/all/ip-fix-backport-of-ip-make-ip-identifiers-less-predictable.patch
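Review bot: appending at the end of series is correct, as this must apply after the backport it corrects; consider placing it directly after the "ip: make IP identifiers less predictable" backport entry instead, so the dependency is visible when reading the series file and the two are dropped together when the next stable update carries the fix.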