[v2.5] linux kernel CVE-2013-4387 memory corruption with ipv6 udp offloading
reference:
http://www.openwall.com/lists/oss-security/2013/09/28/1
"
| [PATCH] ipv6: udp packets following an UFO enqueued packet need also be handled by UFO
|
| In the following scenario the socket is corked:
| If the first UDP packet is larger than the mtu we try to append it to the
| write queue via ip6_ufo_append_data. A following packet, which is smaller
| than the mtu would be appended to the already queued up gso-skb via
| plain ip6_append_data. This causes random memory corruptions.
|
| In ip6_ufo_append_data we also have to be careful to not queue up the
| same skb multiple times. So setup the gso frame only when no first skb
| is available.
|
| This also fixes a shortcoming where we add the current packet's length to
| cork->length but return early because of a packet >mtu with dontfrag set
| (instead of subtracting it again).
|
| Found with trinity.
While writing a reproducer to test this patch, I have seen silent memory
corruption (which later manifests as e.g. a panic or hangs on shutdown)
and oopses.
It has been reported to netdev by Dmitry Vyukov <dvyukov@google.com> and was found with the AddressSanitizer for the kernel[1] and trinity.
The patch is queued up for stable:
http://patchwork.ozlabs.org/patch/276835/
and is already committed to linux-net:
https://git.kernel.org/cgit/linux/kernel/git/davem/net.git/commit/?id=2811ebac2521ceac84f2bdae402455baa6a7fb47
I guess the erroneous behaviour was introduced here:
| git describe --contains e89e9cf539a28df7d0eb1d0a545368e9920b34ac
| v2.6.15-rc1~731^2~31
"
(from redmine: issue id 2308, created on 2013-11-12, closed on 2013-11-15)
- Relations:
- parent #2264 (closed)
- Changesets:
- Revision e3c327d0 by Natanael Copa on 2013-11-13T11:57:00Z:
main/linux-grsec: security fixes (CVE-2013-2015,CVE-2013-4348,CVE-2013-4350,CVE-2013-4387,CVE-2013-4470)
fixes #2334
fixes #2328
fixes #2326
fixes #2318
fixes #2308