[linux] 01/01: netfilter: ipv6: nf_defrag: drop mangled skb on ream error (CVE-2016-9755)

debian-kernel at lists.debian.org
Wed Dec 14 16:14:46 UTC 2016


This is an automated email from the git hooks/post-receive script.

carnil pushed a commit to branch sid
in repository linux.

commit 966cf13de01f2de68f5e118a55e2b68c13e6401a
Author: Salvatore Bonaccorso <carnil at debian.org>
Date:   Wed Dec 14 17:11:29 2016 +0100

    netfilter: ipv6: nf_defrag: drop mangled skb on ream error (CVE-2016-9755)
---
 debian/changelog                                   |  1 +
 ...pv6-nf_defrag-drop-mangled-skb-on-ream-er.patch | 69 ++++++++++++++++++++++
 debian/patches/series                              |  1 +
 3 files changed, 71 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 94911b0..73d4eaa 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -131,6 +131,7 @@ linux (4.8.14-1) UNRELEASED; urgency=medium
   * net: handle no dst on skb in icmp6_send (CVE-2016-9919)
   * [rt] Update to 4.8.11-rt7
   * [rt] Update to 4.8.14-rt9
+  * netfilter: ipv6: nf_defrag: drop mangled skb on ream error (CVE-2016-9755)
 
   [ Ben Hutchings ]
   * [amd64] Re-enable LEGACY_VSYSCALL_EMULATE instead of LEGACY_VSYSCALL_NONE.
diff --git a/debian/patches/bugfix/all/netfilter-ipv6-nf_defrag-drop-mangled-skb-on-ream-er.patch b/debian/patches/bugfix/all/netfilter-ipv6-nf_defrag-drop-mangled-skb-on-ream-er.patch
new file mode 100644
index 0000000..9320f09
--- /dev/null
+++ b/debian/patches/bugfix/all/netfilter-ipv6-nf_defrag-drop-mangled-skb-on-ream-er.patch
@@ -0,0 +1,69 @@
+From: Florian Westphal <fw at strlen.de>
+Date: Tue, 29 Nov 2016 02:17:34 +0100
+Subject: netfilter: ipv6: nf_defrag: drop mangled skb on ream error
+Origin: https://git.kernel.org/linus/9b57da0630c9fd36ed7a20fc0f98dc82cc0777fa
+
+Dmitry Vyukov reported GPF in network stack that Andrey traced down to
+negative nh offset in nf_ct_frag6_queue().
+
+Problem is that all network headers before fragment header are pulled.
+Normal ipv6 reassembly will drop the skb when errors occur further down
+the line.
+
+netfilter doesn't do this, and instead passed the original fragment
+along.  That was also fine back when netfilter ipv6 defrag worked with
+cloned fragments, as the original, pristine fragment was passed on.
+
+So we either have to undo the pull op, or discard such fragments.
+Since they're malformed after all (e.g. overlapping fragment) it seems
+preferrable to just drop them.
+
+Same for temporary errors -- it doesn't make sense to accept (and
+perhaps forward!) only some fragments of same datagram.
+
+Fixes: 029f7f3b8701cc7ac ("netfilter: ipv6: nf_defrag: avoid/free clone operations")
+Reported-by: Dmitry Vyukov <dvyukov at google.com>
+Debugged-by: Andrey Konovalov <andreyknvl at google.com>
+Diagnosed-by: Eric Dumazet <Eric Dumazet <edumazet at google.com>
+Signed-off-by: Florian Westphal <fw at strlen.de>
+Acked-by: Eric Dumazet <edumazet at google.com>
+Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
+---
+ net/ipv6/netfilter/nf_conntrack_reasm.c   | 4 ++--
+ net/ipv6/netfilter/nf_defrag_ipv6_hooks.c | 2 +-
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/net/ipv6/netfilter/nf_conntrack_reasm.c b/net/ipv6/netfilter/nf_conntrack_reasm.c
+index e4347ae..9948b5c 100644
+--- a/net/ipv6/netfilter/nf_conntrack_reasm.c
++++ b/net/ipv6/netfilter/nf_conntrack_reasm.c
+@@ -576,11 +576,11 @@ int nf_ct_frag6_gather(struct net *net, struct sk_buff *skb, u32 user)
+ 	/* Jumbo payload inhibits frag. header */
+ 	if (ipv6_hdr(skb)->payload_len == 0) {
+ 		pr_debug("payload len = 0\n");
+-		return -EINVAL;
++		return 0;
+ 	}
+ 
+ 	if (find_prev_fhdr(skb, &prevhdr, &nhoff, &fhoff) < 0)
+-		return -EINVAL;
++		return 0;
+ 
+ 	if (!pskb_may_pull(skb, fhoff + sizeof(*fhdr)))
+ 		return -ENOMEM;
+diff --git a/net/ipv6/netfilter/nf_defrag_ipv6_hooks.c b/net/ipv6/netfilter/nf_defrag_ipv6_hooks.c
+index f7aab5a..f06b047 100644
+--- a/net/ipv6/netfilter/nf_defrag_ipv6_hooks.c
++++ b/net/ipv6/netfilter/nf_defrag_ipv6_hooks.c
+@@ -69,7 +69,7 @@ static unsigned int ipv6_defrag(void *priv,
+ 	if (err == -EINPROGRESS)
+ 		return NF_STOLEN;
+ 
+-	return NF_ACCEPT;
++	return err == 0 ? NF_ACCEPT : NF_DROP;
+ }
+ 
+ static struct nf_hook_ops ipv6_defrag_ops[] = {
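Review bot: `return err == 0 ? NF_ACCEPT : NF_DROP;` makes every non-zero result other than `-EINPROGRESS` a drop, including the `-ENOMEM` allocation failures, which the commit message says is deliberate; a one-line comment at this return noting that a partially pulled skb must not be passed on would stop a later cleanup from "fixing" it back to `NF_ACCEPT`. Also, the changed semantics of `nf_ct_frag6_gather` (0 where it used to return `-EINVAL` for non-fragments) apply to any other caller of that function, none of which appear in this patch; worth checking that they treat 0 as pass-through rather than as "reassembly completed".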
+-- 
+2.1.4
+
diff --git a/debian/patches/series b/debian/patches/series
index 7e72c86..cc32ebc 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -103,6 +103,7 @@ bugfix/all/fs-Avoid-premature-clearing-of-capabilities.patch
 bugfix/all/vfio-pci-Fix-integer-overflows-bitmask-check.patch
 bugfix/all/mnt-Add-a-per-mount-namespace-limit-on-the-number-of.patch
 bugfix/all/net-handle-no-dst-on-skb-in-icmp6_send.patch
+bugfix/all/netfilter-ipv6-nf_defrag-drop-mangled-skb-on-ream-er.patch
 
 # ABI maintenance
 

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git