[linux] 03/03: udp: consistently apply ufo or fragmentation (CVE-2017-1000112)

Thu Aug 17 23:59:40 UTC 2017

This is an automated email from the git hooks/post-receive script.

benh pushed a commit to branch stretch-security
in repository linux.

commit 91c6faae138e7f2c45bc4a89d57fd3b72abf55f2
Author: Ben Hutchings <ben at decadent.org.uk>
Date:   Thu Aug 17 23:24:55 2017 +0100

    udp: consistently apply ufo or fragmentation (CVE-2017-1000112)
    
    Plus another patch it depends on.
---
 debian/changelog                                   |  3 +
 ...-use-consistent-conditional-judgement-for.patch | 38 ++++++++++
 ...p-consistently-apply-ufo-or-fragmentation.patch | 85 ++++++++++++++++++++++
 debian/patches/series                              |  2 +
 4 files changed, 128 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 8a73185..df874ed 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -8,6 +8,9 @@ linux (4.9.30-2+deb9u4) UNRELEASED; urgency=medium
     (CVE-2017-1000380)
   * xfrm: policy: check policy direction value (CVE-2017-11600)
   * packet: fix tp_reserve race in packet_set_ring (CVE-2017-1000111)
+  * ipv6: Should use consistent conditional judgement for ip6 fragment
+    between __ip6_append_data and ip6_finish_output
+  * udp: consistently apply ufo or fragmentation (CVE-2017-1000112)
 
  -- Ben Hutchings <ben at decadent.org.uk>  Sun, 06 Aug 2017 15:21:20 +0100
 
diff --git a/debian/patches/bugfix/all/ipv6-should-use-consistent-conditional-judgement-for.patch b/debian/patches/bugfix/all/ipv6-should-use-consistent-conditional-judgement-for.patch
new file mode 100644
index 0000000..aa82497
--- /dev/null
+++ b/debian/patches/bugfix/all/ipv6-should-use-consistent-conditional-judgement-for.patch
@@ -0,0 +1,38 @@
+From: Zheng Li <james.z.li at ericsson.com>
+Date: Wed, 28 Dec 2016 23:23:46 +0800
+Subject: ipv6: Should use consistent conditional judgement for ip6 fragment
+ between __ip6_append_data and ip6_finish_output
+Origin: https://git.kernel.org/linus/e4c5e13aa45c23692e4acf56f0b3533f328199b2
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-1000112
+
+There is an inconsistent conditional judgement between __ip6_append_data
+and ip6_finish_output functions, the variable length in __ip6_append_data
+just include the length of application's payload and udp6 header, don't
+include the length of ipv6 header, but in ip6_finish_output use
+(skb->len > ip6_skb_dst_mtu(skb)) as judgement, and skb->len include the
+length of ipv6 header.
+
+That causes some particular application's udp6 payloads whose length are
+between (MTU - IPv6 Header) and MTU were fragmented by ip6_fragment even
+though the rst->dev support UFO feature.
+
+Add the length of ipv6 header to length in __ip6_append_data to keep
+consistent conditional judgement as ip6_finish_output for ip6 fragment.
+
+Signed-off-by: Zheng Li <james.z.li at ericsson.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+ net/ipv6/ip6_output.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ipv6/ip6_output.c
++++ b/net/ipv6/ip6_output.c
+@@ -1371,7 +1371,7 @@ emsgsize:
+ 	 */
+ 
+ 	cork->length += length;
+-	if (((length > mtu) ||
++	if ((((length + fragheaderlen) > mtu) ||
+ 	     (skb && skb_is_gso(skb))) &&
+ 	    (sk->sk_protocol == IPPROTO_UDP) &&
+ 	    (rt->dst.dev->features & NETIF_F_UFO) && !rt->dst.header_len &&
diff --git a/debian/patches/bugfix/all/udp-consistently-apply-ufo-or-fragmentation.patch b/debian/patches/bugfix/all/udp-consistently-apply-ufo-or-fragmentation.patch
new file mode 100644
index 0000000..510d306
--- /dev/null
+++ b/debian/patches/bugfix/all/udp-consistently-apply-ufo-or-fragmentation.patch
@@ -0,0 +1,85 @@
+From: Willem de Bruijn <willemb at google.com>
+Date: Thu, 10 Aug 2017 12:29:19 -0400
+Subject: udp: consistently apply ufo or fragmentation
+Origin: https://git.kernel.org/linus/85f1bd9a7b5a79d5baa8bf44af19658f7bf77bfa
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-1000112
+
+When iteratively building a UDP datagram with MSG_MORE and that
+datagram exceeds MTU, consistently choose UFO or fragmentation.
+
+Once skb_is_gso, always apply ufo. Conversely, once a datagram is
+split across multiple skbs, do not consider ufo.
+
+Sendpage already maintains the first invariant, only add the second.
+IPv6 does not have a sendpage implementation to modify.
+
+A gso skb must have a partial checksum, do not follow sk_no_check_tx
+in udp_send_skb.
+
+Found by syzkaller.
+
+Fixes: e89e9cf539a2 ("[IPv4/IPv6]: UFO Scatter-gather approach")
+Reported-by: Andrey Konovalov <andreyknvl at google.com>
+Signed-off-by: Willem de Bruijn <willemb at google.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
+---
+ net/ipv4/ip_output.c  |    7 +++++--
+ net/ipv4/udp.c        |    2 +-
+ net/ipv6/ip6_output.c |    7 ++++---
+ 3 files changed, 10 insertions(+), 6 deletions(-)
+
+--- a/net/ipv4/ip_output.c
++++ b/net/ipv4/ip_output.c
+@@ -936,10 +936,12 @@ static int __ip_append_data(struct sock
+ 		csummode = CHECKSUM_PARTIAL;
+ 
+ 	cork->length += length;
+-	if (((length > mtu) || (skb && skb_is_gso(skb))) &&
++	if ((skb && skb_is_gso(skb)) ||
++	    ((length > mtu) &&
++	    (skb_queue_len(queue) <= 1) &&
+ 	    (sk->sk_protocol == IPPROTO_UDP) &&
+ 	    (rt->dst.dev->features & NETIF_F_UFO) && !rt->dst.header_len &&
+-	    (sk->sk_type == SOCK_DGRAM) && !sk->sk_no_check_tx) {
++	    (sk->sk_type == SOCK_DGRAM) && !sk->sk_no_check_tx)) {
+ 		err = ip_ufo_append_data(sk, queue, getfrag, from, length,
+ 					 hh_len, fragheaderlen, transhdrlen,
+ 					 maxfraglen, flags);
+@@ -1255,6 +1257,7 @@ ssize_t	ip_append_page(struct sock *sk,
+ 		return -EINVAL;
+ 
+ 	if ((size + skb->len > mtu) &&
++	    (skb_queue_len(&sk->sk_write_queue) == 1) &&
+ 	    (sk->sk_protocol == IPPROTO_UDP) &&
+ 	    (rt->dst.dev->features & NETIF_F_UFO)) {
+ 		if (skb->ip_summed != CHECKSUM_PARTIAL)
+--- a/net/ipv4/udp.c
++++ b/net/ipv4/udp.c
+@@ -813,7 +813,7 @@ static int udp_send_skb(struct sk_buff *
+ 	if (is_udplite)  				 /*     UDP-Lite      */
+ 		csum = udplite_csum(skb);
+ 
+-	else if (sk->sk_no_check_tx) {   /* UDP csum disabled */
++	else if (sk->sk_no_check_tx && !skb_is_gso(skb)) {   /* UDP csum off */
+ 
+ 		skb->ip_summed = CHECKSUM_NONE;
+ 		goto send;
+--- a/net/ipv6/ip6_output.c
++++ b/net/ipv6/ip6_output.c
+@@ -1371,11 +1371,12 @@ emsgsize:
+ 	 */
+ 
+ 	cork->length += length;
+-	if ((((length + fragheaderlen) > mtu) ||
+-	     (skb && skb_is_gso(skb))) &&
++	if ((skb && skb_is_gso(skb)) ||
++	    (((length + fragheaderlen) > mtu) &&
++	    (skb_queue_len(queue) <= 1) &&
+ 	    (sk->sk_protocol == IPPROTO_UDP) &&
+ 	    (rt->dst.dev->features & NETIF_F_UFO) && !rt->dst.header_len &&
+-	    (sk->sk_type == SOCK_DGRAM) && !udp_get_no_check6_tx(sk)) {
++	    (sk->sk_type == SOCK_DGRAM) && !udp_get_no_check6_tx(sk))) {
+ 		err = ip6_ufo_append_data(sk, queue, getfrag, from, length,
+ 					  hh_len, fragheaderlen, exthdrlen,
+ 					  transhdrlen, mtu, flags, fl6);
diff --git a/debian/patches/series b/debian/patches/series
index 0bea238..542c385 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -138,6 +138,8 @@ bugfix/all/alsa-timer-fix-race-between-read-and-ioctl.patch
 bugfix/all/alsa-timer-fix-missing-queue-indices-reset-at.patch
 bugfix/all/xfrm-policy-check-policy-direction-value.patch
 bugfix/all/packet-fix-tp_reserve-race-in-packet_set_ring.patch
+bugfix/all/ipv6-should-use-consistent-conditional-judgement-for.patch
+bugfix/all/udp-consistently-apply-ufo-or-fragmentation.patch
 
 # Fix exported symbol versions
 bugfix/ia64/revert-ia64-move-exports-to-definitions.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git

