[linux] 04/04: udp: consistently apply ufo or fragmentation (CVE-2017-1000112)

Thu Aug 17 23:59:33 UTC 2017

This is an automated email from the git hooks/post-receive script.

benh pushed a commit to branch jessie-security
in repository linux.

commit aa6bff85f2e69165333c88e3920dd5c88f590847
Author: Ben Hutchings <ben at decadent.org.uk>
Date:   Thu Aug 17 23:36:19 2017 +0100

    udp: consistently apply ufo or fragmentation (CVE-2017-1000112)
    
    Plus another patch it depends on.
---
 debian/changelog                                   |  3 +
 ...-use-consistent-conditional-judgement-for.patch | 38 ++++++++++
 ...p-consistently-apply-ufo-or-fragmentation.patch | 86 ++++++++++++++++++++++
 debian/patches/series                              |  2 +
 4 files changed, 129 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index d17fbb2..c6ea638 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -9,6 +9,9 @@ linux (3.16.43-2+deb8u4) UNRELEASED; urgency=medium
   * timerfd: Protect the might cancel mechanism proper (CVE-2017-10661)
   * xfrm: policy: check policy direction value (CVE-2017-11600)
   * packet: fix tp_reserve race in packet_set_ring (CVE-2017-1000111)
+  * ipv6: Should use consistent conditional judgement for ip6 fragment
+    between __ip6_append_data and ip6_finish_output
+  * udp: consistently apply ufo or fragmentation (CVE-2017-1000112)
 
  -- Ben Hutchings <ben at decadent.org.uk>  Sun, 06 Aug 2017 22:03:56 +0100
 
diff --git a/debian/patches/bugfix/all/ipv6-should-use-consistent-conditional-judgement-for.patch b/debian/patches/bugfix/all/ipv6-should-use-consistent-conditional-judgement-for.patch
new file mode 100644
index 0000000..3b9969a
--- /dev/null
+++ b/debian/patches/bugfix/all/ipv6-should-use-consistent-conditional-judgement-for.patch
@@ -0,0 +1,38 @@
+From: Zheng Li <james.z.li at ericsson.com>
+Date: Wed, 28 Dec 2016 23:23:46 +0800
+Subject: ipv6: Should use consistent conditional judgement for ip6 fragment
+ between __ip6_append_data and ip6_finish_output
+Origin: https://git.kernel.org/linus/e4c5e13aa45c23692e4acf56f0b3533f328199b2
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-1000112
+
+There is an inconsistent conditional judgement between __ip6_append_data
+and ip6_finish_output functions, the variable length in __ip6_append_data
+just include the length of application's payload and udp6 header, don't
+include the length of ipv6 header, but in ip6_finish_output use
+(skb->len > ip6_skb_dst_mtu(skb)) as judgement, and skb->len include the
+length of ipv6 header.
+
+That causes some particular application's udp6 payloads whose length are
+between (MTU - IPv6 Header) and MTU were fragmented by ip6_fragment even
+though the rst->dev support UFO feature.
+
+Add the length of ipv6 header to length in __ip6_append_data to keep
+consistent conditional judgement as ip6_finish_output for ip6 fragment.
+
+Signed-off-by: Zheng Li <james.z.li at ericsson.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+ net/ipv6/ip6_output.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ipv6/ip6_output.c
++++ b/net/ipv6/ip6_output.c
+@@ -1291,7 +1291,7 @@ emsgsize:
+ 
+ 	skb = skb_peek_tail(&sk->sk_write_queue);
+ 	cork->length += length;
+-	if (((length > mtu) ||
++	if ((((length + fragheaderlen) > mtu) ||
+ 	     (skb && skb_is_gso(skb))) &&
+ 	    (sk->sk_protocol == IPPROTO_UDP) &&
+ 	    (rt->dst.dev->features & NETIF_F_UFO) && !rt->dst.header_len &&
diff --git a/debian/patches/bugfix/all/udp-consistently-apply-ufo-or-fragmentation.patch b/debian/patches/bugfix/all/udp-consistently-apply-ufo-or-fragmentation.patch
new file mode 100644
index 0000000..f2f9094
--- /dev/null
+++ b/debian/patches/bugfix/all/udp-consistently-apply-ufo-or-fragmentation.patch
@@ -0,0 +1,86 @@
+From: Willem de Bruijn <willemb at google.com>
+Date: Thu, 10 Aug 2017 12:29:19 -0400
+Subject: udp: consistently apply ufo or fragmentation
+Origin: https://git.kernel.org/linus/85f1bd9a7b5a79d5baa8bf44af19658f7bf77bfa
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-1000112
+
+When iteratively building a UDP datagram with MSG_MORE and that
+datagram exceeds MTU, consistently choose UFO or fragmentation.
+
+Once skb_is_gso, always apply ufo. Conversely, once a datagram is
+split across multiple skbs, do not consider ufo.
+
+Sendpage already maintains the first invariant, only add the second.
+IPv6 does not have a sendpage implementation to modify.
+
+A gso skb must have a partial checksum, do not follow sk_no_check_tx
+in udp_send_skb.
+
+Found by syzkaller.
+
+Fixes: e89e9cf539a2 ("[IPv4/IPv6]: UFO Scatter-gather approach")
+Reported-by: Andrey Konovalov <andreyknvl at google.com>
+Signed-off-by: Willem de Bruijn <willemb at google.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
+[bwh: Backported to 3.16: adjust context]
+---
+ net/ipv4/ip_output.c  |    7 +++++--
+ net/ipv4/udp.c        |    2 +-
+ net/ipv6/ip6_output.c |    7 ++++---
+ 3 files changed, 10 insertions(+), 6 deletions(-)
+
+--- a/net/ipv4/ip_output.c
++++ b/net/ipv4/ip_output.c
+@@ -885,10 +885,12 @@ static int __ip_append_data(struct sock
+ 		csummode = CHECKSUM_PARTIAL;
+ 
+ 	cork->length += length;
+-	if (((length > mtu) || (skb && skb_is_gso(skb))) &&
++	if ((skb && skb_is_gso(skb)) ||
++	    ((length > mtu) &&
++	    (skb_queue_len(queue) <= 1) &&
+ 	    (sk->sk_protocol == IPPROTO_UDP) &&
+ 	    (rt->dst.dev->features & NETIF_F_UFO) && !rt->dst.header_len &&
+-	    (sk->sk_type == SOCK_DGRAM)) {
++	    (sk->sk_type == SOCK_DGRAM))) {
+ 		err = ip_ufo_append_data(sk, queue, getfrag, from, length,
+ 					 hh_len, fragheaderlen, transhdrlen,
+ 					 maxfraglen, flags);
+@@ -1203,6 +1205,7 @@ ssize_t	ip_append_page(struct sock *sk,
+ 
+ 	cork->length += size;
+ 	if ((size + skb->len > mtu) &&
++	    (skb_queue_len(&sk->sk_write_queue) == 1) &&
+ 	    (sk->sk_protocol == IPPROTO_UDP) &&
+ 	    (rt->dst.dev->features & NETIF_F_UFO)) {
+ 		skb_shinfo(skb)->gso_size = mtu - fragheaderlen;
+--- a/net/ipv4/udp.c
++++ b/net/ipv4/udp.c
+@@ -824,7 +824,7 @@ static int udp_send_skb(struct sk_buff *
+ 	if (is_udplite)  				 /*     UDP-Lite      */
+ 		csum = udplite_csum(skb);
+ 
+-	else if (sk->sk_no_check_tx) {   /* UDP csum disabled */
++	else if (sk->sk_no_check_tx && !skb_is_gso(skb)) {   /* UDP csum off */
+ 
+ 		skb->ip_summed = CHECKSUM_NONE;
+ 		goto send;
+--- a/net/ipv6/ip6_output.c
++++ b/net/ipv6/ip6_output.c
+@@ -1291,11 +1291,12 @@ emsgsize:
+ 
+ 	skb = skb_peek_tail(&sk->sk_write_queue);
+ 	cork->length += length;
+-	if ((((length + fragheaderlen) > mtu) ||
+-	     (skb && skb_is_gso(skb))) &&
++	if ((skb && skb_is_gso(skb)) ||
++	    (((length + fragheaderlen) > mtu) &&
++	    (skb_queue_len(queue) <= 1) &&
+ 	    (sk->sk_protocol == IPPROTO_UDP) &&
+ 	    (rt->dst.dev->features & NETIF_F_UFO) && !rt->dst.header_len &&
+-	    (sk->sk_type == SOCK_DGRAM)) {
++	    (sk->sk_type == SOCK_DGRAM))) {
+ 		err = ip6_ufo_append_data(sk, getfrag, from, length,
+ 					  hh_len, fragheaderlen, exthdrlen,
+ 					  transhdrlen, mtu, flags, rt);
diff --git a/debian/patches/series b/debian/patches/series
index 8343601..bed0a5b 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -731,6 +731,8 @@ bugfix/all/alsa-timer-fix-missing-queue-indices-reset-at.patch
 bugfix/all/timerfd-protect-the-might-cancel-mechanism-proper.patch
 bugfix/all/xfrm-policy-check-policy-direction-value.patch
 bugfix/all/packet-fix-tp_reserve-race-in-packet_set_ring.patch
+bugfix/all/ipv6-should-use-consistent-conditional-judgement-for.patch
+bugfix/all/udp-consistently-apply-ufo-or-fragmentation.patch
 
 # Fix ABI changes
 debian/of-fix-abi-changes.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git

