[kernel/f14] CVE-2011-4326: wrong headroom check in udp6_ufo_fragment() (rhbz 755590)

Josh Boyer jwboyer at fedoraproject.org
Mon Nov 21 16:34:40 UTC 2011


commit 445b543dc999c4ac5124bf356e461e9901ce425a
Author: Josh Boyer <jwboyer at redhat.com>
Date:   Mon Nov 21 11:34:20 2011 -0500

    CVE-2011-4326: wrong headroom check in udp6_ufo_fragment() (rhbz 755590)

 ipv6-udp-fix-the-wrong-headroom-check.patch |   38 +++++++++++++++++++++++++++
 kernel.spec                                 |   13 ++++++++-
 2 files changed, 49 insertions(+), 2 deletions(-)
---
diff --git a/ipv6-udp-fix-the-wrong-headroom-check.patch b/ipv6-udp-fix-the-wrong-headroom-check.patch
new file mode 100644
index 0000000..87b15e9
--- /dev/null
+++ b/ipv6-udp-fix-the-wrong-headroom-check.patch
@@ -0,0 +1,38 @@
+From 33710d0cfda2e00144acf7b6c58bb86ea4fcbbac Mon Sep 17 00:00:00 2001
+From: Shan Wei <shanwei at cn.fujitsu.com>
+Date: Tue, 19 Apr 2011 22:52:49 +0000
+Subject: [PATCH] ipv6: udp: fix the wrong headroom check
+
+At this point, skb->data points to skb_transport_header.
+So, headroom check is wrong.
+
+For some case:bridge(UFO is on) + eth device(UFO is off),
+there is no enough headroom for IPv6 frag head.
+But headroom check is always false.
+
+This will bring about data be moved to there prior to skb->head,
+when adding IPv6 frag header to skb.
+
+Signed-off-by: Shan Wei <shanwei at cn.fujitsu.com>
+Acked-by: Herbert Xu <herbert at gondor.apana.org.au>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+ net/ipv6/udp.c |    2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c
+index 8a72f58..4aaae95 100644
+--- a/net/ipv6/udp.c
++++ b/net/ipv6/udp.c
+@@ -1339,7 +1339,7 @@ static struct sk_buff *udp6_ufo_fragment(struct sk_buff *skb, int features)
+ 	skb->ip_summed = CHECKSUM_NONE;
+ 
+ 	/* Check if there is enough headroom to insert fragment header. */
+-	if ((skb_headroom(skb) < frag_hdr_sz) &&
++	if ((skb_mac_header(skb) < skb->head + frag_hdr_sz) &&
+ 	    pskb_expand_head(skb, frag_hdr_sz, 0, GFP_ATOMIC))
+ 		goto out;
+ 
+-- 
+1.7.7.1
+
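Review bot: the corrected condition on the `+` line, `skb_mac_header(skb) < skb->head + frag_hdr_sz`, measures the space between skb->head and the MAC header, which is the headroom that actually has to absorb the prepended IPv6 fragment header; the old `skb_headroom(skb) < frag_hdr_sz` measured head-to-skb->data, and the description says skb->data already points at the transport header at this point, so the old check overstated the available room and could skip the pskb_expand_head() call, after which the fragment header would be written before skb->head. The embedded file is a clean format-patch export with the upstream id 33710d0cfda2e00144acf7b6c58bb86ea4fcbbac and the sign-off chain, which is good for traceability; the one addition I would make is the CVE-2011-4326 identifier in the patch header itself, since right now it appears only in the spec changelog.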
diff --git a/kernel.spec b/kernel.spec
index 0395b5c..68f4a6b 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -48,7 +48,7 @@ Summary: The Linux kernel
 # reset this by hand to 1 (or to 0 and then use rpmdev-bumpspec).
 # scripts/rebase.sh should be made to do that for you, actually.
 #
-%global baserelease 104
+%global baserelease 105
 %global fedora_build %{baserelease}
 
 # base_sublevel is the kernel version we're starting with and patching
@@ -916,6 +916,9 @@ Patch21050: xfs-Fix-possible-memory-corruption-in-xfs_readlink.patch
 #rhbz 749484
 Patch21060: crypto-ghash-Avoid-null-pointer-dereference-if-no-ke.patch
 
+#rhbz 755590
+Patch21061: ipv6-udp-fix-the-wrong-headroom-check.patch
+
 %endif
 
 BuildRoot: %{_tmppath}/kernel-%{KVERREL}-root
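Review bot: the `#rhbz 755590` comment on the added Patch21061 line follows the convention of the surrounding entries, and the number continues sequentially after Patch21060; for auditing it would help to carry the CVE id next to the bug number here too, e.g. `#rhbz 755590 CVE-2011-4326`, because a grep for the CVE in the spec currently hits only the changelog.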
@@ -1732,6 +1735,9 @@ ApplyPatch epoll-limit-paths.patch
 #rhbz 749484
 ApplyPatch crypto-ghash-Avoid-null-pointer-dereference-if-no-ke.patch
 
+#rhbz 755590
+ApplyPatch ipv6-udp-fix-the-wrong-headroom-check.patch
+
 # END OF PATCH APPLICATIONS
 
 %endif
@@ -2318,7 +2324,10 @@ fi
 # and build.
 
 %changelog
-* Mon Nov 14 2011 Josh Boyer <jwboyer at redhat.com> 2.6.41.1-2
+* Mon Nov 21 2011 Josh Boyer <jwboyer at redhat.com> 2.6.35.14-105
+- CVE-2011-4326: wrong headroom check in udp6_ufo_fragment() (rhbz 755590)
+
+* Mon Nov 14 2011 Josh Boyer <jwboyer at redhat.com>
 - CVE-2011-4132: jbd/jbd2: invalid value of first log block leads to oops (rhbz 753346)
 
 * Tue Nov 01 2011 Dave Jones <davej at redhat.com>
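Review bot: the rewritten Nov 14 entry drops its version tag entirely rather than replacing it; the removed `2.6.41.1-2` clearly did not belong to this 2.6.35.14 branch, but the replacement `* Mon Nov 14 2011 Josh Boyer <jwboyer at redhat.com>` now has no release at all, while the new Nov 21 entry carries `2.6.35.14-105`. Given the baserelease went 104 -> 105 in the first hunk, the Nov 14 entry presumably corresponds to 2.6.35.14-104 and should say so, so that the changelog stays consistent with the package versions it describes.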

