[kernel/f18] CVE-2013-4163 net: panic while appending data to a corked IPv6 socket in ip6_append_data_mtu (rhbz 9
Josh Boyer
jwboyer at fedoraproject.org
Wed Jul 24 12:28:19 UTC 2013
commit a4d36187f54300b7b9d3f9eb7b637b4503d95dd2
Author: Josh Boyer <jwboyer at redhat.com>
Date: Wed Jul 24 08:23:36 2013 -0400
CVE-2013-4163 net: panic while appending data to a corked IPv6 socket in ip6_append_data_mtu (rhbz 987633 987639)
...did-not-care-about-pmtudisc-and_frag_size.patch | 137 ++++++++++++++++++++
kernel.spec | 9 ++
2 files changed, 146 insertions(+), 0 deletions(-)
---
diff --git a/ipv6-ip6_append_data_mtu-did-not-care-about-pmtudisc-and_frag_size.patch b/ipv6-ip6_append_data_mtu-did-not-care-about-pmtudisc-and_frag_size.patch
new file mode 100644
index 0000000..97c3b19
--- /dev/null
+++ b/ipv6-ip6_append_data_mtu-did-not-care-about-pmtudisc-and_frag_size.patch
@@ -0,0 +1,137 @@
+From 1fcbda94eb3ababc95eff46548962ceb14de638e Mon Sep 17 00:00:00 2001
+From: Hannes Frederic Sowa <hannes at stressinduktion.org>
+Date: Tue, 2 Jul 2013 08:04:05 +0200
+Subject: [PATCH 12/40] ipv6: ip6_append_data_mtu did not care about pmtudisc
+ and frag_size
+
+[ Upstream commit 75a493e60ac4bbe2e977e7129d6d8cbb0dd236be ]
+
+If the socket had an IPV6_MTU value set, ip6_append_data_mtu lost track
+of this when appending the second frame on a corked socket. This results
+in the following splat:
+
+[37598.993962] ------------[ cut here ]------------
+[37598.994008] kernel BUG at net/core/skbuff.c:2064!
+[37598.994008] invalid opcode: 0000 [#1] SMP
+[37598.994008] Modules linked in: tcp_lp uvcvideo videobuf2_vmalloc videobuf2_memops videobuf2_core videodev media vfat fat usb_storage fuse ebtable_nat xt_CHECKSUM bridge stp llc ipt_MASQUERADE nf_conntrack_netbios_ns nf_conntrack_broadcast ip6table_mangle ip6t_REJECT nf_conntrack_ipv6 nf_defrag_ipv6 iptable_nat
++nf_nat_ipv4 nf_nat iptable_mangle nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_conntrack ebtable_filter ebtables ip6table_filter ip6_tables be2iscsi iscsi_boot_sysfs bnx2i cnic uio cxgb4i cxgb4 cxgb3i cxgb3 mdio libcxgbi ib_iser rdma_cm ib_addr iw_cm ib_cm ib_sa ib_mad ib_core iscsi_tcp libiscsi_tcp libiscsi
++scsi_transport_iscsi rfcomm bnep iTCO_wdt iTCO_vendor_support snd_hda_codec_conexant arc4 iwldvm mac80211 snd_hda_intel acpi_cpufreq mperf coretemp snd_hda_codec microcode cdc_wdm cdc_acm
+[37598.994008] snd_hwdep cdc_ether snd_seq snd_seq_device usbnet mii joydev btusb snd_pcm bluetooth i2c_i801 e1000e lpc_ich mfd_core ptp iwlwifi pps_core snd_page_alloc mei cfg80211 snd_timer thinkpad_acpi snd tpm_tis soundcore rfkill tpm tpm_bios vhost_net tun macvtap macvlan kvm_intel kvm uinput binfmt_misc
++dm_crypt i915 i2c_algo_bit drm_kms_helper drm i2c_core wmi video
+[37598.994008] CPU 0
+[37598.994008] Pid: 27320, comm: t2 Not tainted 3.9.6-200.fc18.x86_64 #1 LENOVO 27744PG/27744PG
+[37598.994008] RIP: 0010:[<ffffffff815443a5>] [<ffffffff815443a5>] skb_copy_and_csum_bits+0x325/0x330
+[37598.994008] RSP: 0018:ffff88003670da18 EFLAGS: 00010202
+[37598.994008] RAX: ffff88018105c018 RBX: 0000000000000004 RCX: 00000000000006c0
+[37598.994008] RDX: ffff88018105a6c0 RSI: ffff88018105a000 RDI: ffff8801e1b0aa00
+[37598.994008] RBP: ffff88003670da78 R08: 0000000000000000 R09: ffff88018105c040
+[37598.994008] R10: ffff8801e1b0aa00 R11: 0000000000000000 R12: 000000000000fff8
+[37598.994008] R13: 00000000000004fc R14: 00000000ffff0504 R15: 0000000000000000
+[37598.994008] FS: 00007f28eea59740(0000) GS:ffff88023bc00000(0000) knlGS:0000000000000000
+[37598.994008] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
+[37598.994008] CR2: 0000003d935789e0 CR3: 00000000365cb000 CR4: 00000000000407f0
+[37598.994008] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[37598.994008] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
+[37598.994008] Process t2 (pid: 27320, threadinfo ffff88003670c000, task ffff88022c162ee0)
+[37598.994008] Stack:
+[37598.994008] ffff88022e098a00 ffff88020f973fc0 0000000000000008 00000000000004c8
+[37598.994008] ffff88020f973fc0 00000000000004c4 ffff88003670da78 ffff8801e1b0a200
+[37598.994008] 0000000000000018 00000000000004c8 ffff88020f973fc0 00000000000004c4
+[37598.994008] Call Trace:
+[37598.994008] [<ffffffff815fc21f>] ip6_append_data+0xccf/0xfe0
+[37598.994008] [<ffffffff8158d9f0>] ? ip_copy_metadata+0x1a0/0x1a0
+[37598.994008] [<ffffffff81661f66>] ? _raw_spin_lock_bh+0x16/0x40
+[37598.994008] [<ffffffff8161548d>] udpv6_sendmsg+0x1ed/0xc10
+[37598.994008] [<ffffffff812a2845>] ? sock_has_perm+0x75/0x90
+[37598.994008] [<ffffffff815c3693>] inet_sendmsg+0x63/0xb0
+[37598.994008] [<ffffffff812a2973>] ? selinux_socket_sendmsg+0x23/0x30
+[37598.994008] [<ffffffff8153a450>] sock_sendmsg+0xb0/0xe0
+[37598.994008] [<ffffffff810135d1>] ? __switch_to+0x181/0x4a0
+[37598.994008] [<ffffffff8153d97d>] sys_sendto+0x12d/0x180
+[37598.994008] [<ffffffff810dfb64>] ? __audit_syscall_entry+0x94/0xf0
+[37598.994008] [<ffffffff81020ed1>] ? syscall_trace_enter+0x231/0x240
+[37598.994008] [<ffffffff8166a7e7>] tracesys+0xdd/0xe2
+[37598.994008] Code: fe 07 00 00 48 c7 c7 04 28 a6 81 89 45 a0 4c 89 4d b8 44 89 5d a8 e8 1b ac b1 ff 44 8b 5d a8 4c 8b 4d b8 8b 45 a0 e9 cf fe ff ff <0f> 0b 66 0f 1f 84 00 00 00 00 00 66 66 66 66 90 55 48 89 e5 48
+[37598.994008] RIP [<ffffffff815443a5>] skb_copy_and_csum_bits+0x325/0x330
+[37598.994008] RSP <ffff88003670da18>
+[37599.007323] ---[ end trace d69f6a17f8ac8eee ]---
+
+While there, also check if path mtu discovery is activated for this
+socket. The logic was adapted from ip6_append_data when first writing
+on the corked socket.
+
+This bug was introduced with commit
+0c1833797a5a6ec23ea9261d979aa18078720b74 ("ipv6: fix incorrect ipsec
+fragment").
+
+v2:
+a) Replace IPV6_PMTU_DISC_DO with IPV6_PMTUDISC_PROBE.
+b) Don't pass ipv6_pinfo to ip6_append_data_mtu (suggestion by Gao
+ feng, thanks!).
+c) Change mtu to unsigned int, else we get a warning about
+ non-matching types because of the min()-macro type-check.
+
+Acked-by: Gao feng <gaofeng at cn.fujitsu.com>
+Cc: YOSHIFUJI Hideaki <yoshfuji at linux-ipv6.org>
+Signed-off-by: Hannes Frederic Sowa <hannes at stressinduktion.org>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+ net/ipv6/ip6_output.c | 16 ++++++++++------
+ 1 file changed, 10 insertions(+), 6 deletions(-)
+
+diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
+index d5d20cd..6e3ddf8 100644
+--- a/net/ipv6/ip6_output.c
++++ b/net/ipv6/ip6_output.c
+@@ -1098,11 +1098,12 @@ static inline struct ipv6_rt_hdr *ip6_rthdr_dup(struct ipv6_rt_hdr *src,
+ return src ? kmemdup(src, (src->hdrlen + 1) * 8, gfp) : NULL;
+ }
+
+-static void ip6_append_data_mtu(int *mtu,
++static void ip6_append_data_mtu(unsigned int *mtu,
+ int *maxfraglen,
+ unsigned int fragheaderlen,
+ struct sk_buff *skb,
+- struct rt6_info *rt)
++ struct rt6_info *rt,
++ bool pmtuprobe)
+ {
+ if (!(rt->dst.flags & DST_XFRM_TUNNEL)) {
+ if (skb == NULL) {
+@@ -1114,7 +1115,9 @@ static void ip6_append_data_mtu(int *mtu,
+ * this fragment is not first, the headers
+ * space is regarded as data space.
+ */
+- *mtu = dst_mtu(rt->dst.path);
++ *mtu = min(*mtu, pmtuprobe ?
++ rt->dst.dev->mtu :
++ dst_mtu(rt->dst.path));
+ }
+ *maxfraglen = ((*mtu - fragheaderlen) & ~7)
+ + fragheaderlen - sizeof(struct frag_hdr);
+@@ -1131,11 +1134,10 @@ int ip6_append_data(struct sock *sk, int getfrag(void *from, char *to,
+ struct ipv6_pinfo *np = inet6_sk(sk);
+ struct inet_cork *cork;
+ struct sk_buff *skb, *skb_prev = NULL;
+- unsigned int maxfraglen, fragheaderlen;
++ unsigned int maxfraglen, fragheaderlen, mtu;
+ int exthdrlen;
+ int dst_exthdrlen;
+ int hh_len;
+- int mtu;
+ int copy;
+ int err;
+ int offset = 0;
+@@ -1292,7 +1294,9 @@ alloc_new_skb:
+ /* update mtu and maxfraglen if necessary */
+ if (skb == NULL || skb_prev == NULL)
+ ip6_append_data_mtu(&mtu, &maxfraglen,
+- fragheaderlen, skb, rt);
++ fragheaderlen, skb, rt,
++ np->pmtudisc ==
++ IPV6_PMTUDISC_PROBE);
+
+ skb_prev = skb;
+
+--
+1.7.11.7
diff --git a/kernel.spec b/kernel.spec
index 9b935f5..6640df6 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -806,6 +806,9 @@ Patch25064: iwlwifi-dvm-dont-send-BT_CONFIG-on-devices-wo-Bluetooth.patch
#rhbz 986538
Patch25065: iwlwifi-add-new-pci-id-for-6x35-series.patch
+#CVE-2013-4163 rhbz 987633 987639
+Patch25067: ipv6-ip6_append_data_mtu-did-not-care-about-pmtudisc-and_frag_size.patch
+
Patch26000: cve-2013-4125.patch
# END OF PATCH DEFINITIONS
@@ -1554,6 +1557,9 @@ ApplyPatch cve-2013-4125.patch
#rhbz 986538
ApplyPatch iwlwifi-add-new-pci-id-for-6x35-series.patch
+#CVE-2013-4163 rhbz 987633 987639
+ApplyPatch ipv6-ip6_append_data_mtu-did-not-care-about-pmtudisc-and_frag_size.patch
+
# END OF PATCH APPLICATIONS
%endif
@@ -2399,6 +2405,9 @@ fi
# ||----w |
# || ||
%changelog
+* Wed Jul 24 2013 Josh Boyer <jwboyer at redhat.com>
+- CVE-2013-4163 net: panic while appending data to a corked IPv6 socket in ip6_append_data_mtu (rhbz 987633 987639)
+
* Mon Jul 22 2013 Josh Boyer <jwboyer at redhat.com> - 3.9.11-200
- Fix timer issue in bridge code (rhbz 980254)
- Add patch for iwlwifi 6x35 devices (rhbz 986538)
More information about the scm-commits
mailing list