[kernel/stabilization] CVE-2013-4563: net: large udp packet over IPv6 over UFO-enabled device with TBF qdisc panic (rhbz 10
Josh Boyer
jwboyer at fedoraproject.org
Thu Nov 14 19:39:52 UTC 2013
commit 017cb84224efec734d2310170763decdb45bd43c
Author: Josh Boyer <jwboyer at fedoraproject.org>
Date: Thu Nov 14 14:32:25 2013 -0500
CVE-2013-4563: net: large udp packet over IPv6 over UFO-enabled device with TBF qdisc panic (rhbz 1030015 1030017)
...headroom-calculation-in-udp6_ufo_fragment.patch | 40 ++++++++++++++++++++
kernel.spec | 9 ++++
2 files changed, 49 insertions(+), 0 deletions(-)
---
diff --git a/ipv6-fix-headroom-calculation-in-udp6_ufo_fragment.patch b/ipv6-fix-headroom-calculation-in-udp6_ufo_fragment.patch
new file mode 100644
index 0000000..aaf6f42
--- /dev/null
+++ b/ipv6-fix-headroom-calculation-in-udp6_ufo_fragment.patch
@@ -0,0 +1,40 @@
+From 0e033e04c2678dbbe74a46b23fffb7bb918c288e Mon Sep 17 00:00:00 2001
+From: Hannes Frederic Sowa <hannes at stressinduktion.org>
+Date: Tue, 5 Nov 2013 02:41:27 +0100
+Subject: [PATCH] ipv6: fix headroom calculation in udp6_ufo_fragment
+
+Commit 1e2bd517c108816220f262d7954b697af03b5f9c ("udp6: Fix udp
+fragmentation for tunnel traffic.") changed the calculation if
+there is enough space to include a fragment header in the skb from a
+skb->mac_header dervived one to skb_headroom. Because we already peeled
+off the skb to transport_header this is wrong. Change this back to check
+if we have enough room before the mac_header.
+
+This fixes a panic Saran Neti reported. He used the tbf scheduler which
+skb_gso_segments the skb. The offsets get negative and we panic in memcpy
+because the skb was erroneously not expanded at the head.
+
+Reported-by: Saran Neti <Saran.Neti at telus.com>
+Cc: Pravin B Shelar <pshelar at nicira.com>
+Signed-off-by: Hannes Frederic Sowa <hannes at stressinduktion.org>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+ net/ipv6/udp_offload.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/ipv6/udp_offload.c b/net/ipv6/udp_offload.c
+index 08e23b0..e7359f9 100644
+--- a/net/ipv6/udp_offload.c
++++ b/net/ipv6/udp_offload.c
+@@ -90,7 +90,7 @@ static struct sk_buff *udp6_ufo_fragment(struct sk_buff *skb,
+
+ /* Check if there is enough headroom to insert fragment header. */
+ tnl_hlen = skb_tnl_header_len(skb);
+- if (skb_headroom(skb) < (tnl_hlen + frag_hdr_sz)) {
++ if (skb->mac_header < (tnl_hlen + frag_hdr_sz)) {
+ if (gso_pskb_expand_head(skb, tnl_hlen + frag_hdr_sz))
+ goto out;
+ }
+--
+1.8.3.1
+
diff --git a/kernel.spec b/kernel.spec
index 3a980ff..4c8b3b4 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -742,6 +742,9 @@ Patch25140: drm-qxl-backport-fixes-for-Fedora.patch
Patch25141: Input-evdev-fall-back-to-vmalloc-for-client-event-buffer.patch
+#CVE-2013-4563 rhbz 1030015 1030017
+Patch25145: ipv6-fix-headroom-calculation-in-udp6_ufo_fragment.patch
+
# END OF PATCH DEFINITIONS
%endif
@@ -1452,6 +1455,9 @@ ApplyPatch drm-qxl-backport-fixes-for-Fedora.patch
ApplyPatch Input-evdev-fall-back-to-vmalloc-for-client-event-buffer.patch
+#CVE-2013-4563 rhbz 1030015 1030017
+ApplyPatch ipv6-fix-headroom-calculation-in-udp6_ufo_fragment.patch
+
# END OF PATCH APPLICATIONS
%endif
@@ -2255,6 +2261,9 @@ fi
# ||----w |
# || ||
%changelog
+* Thu Nov 14 2013 Josh Boyer <jwboyer at fedoraproject.org>
+- CVE-2013-4563: net: large udp packet over IPv6 over UFO-enabled device with TBF qdisc panic (rhbz 1030015 1030017)
+
* Sat Nov 09 2013 Josh Boyer <jwboyer at fedoraproject.org> - 3.12.0-2
- Add patch from Daniel Stone to avoid high order allocations in evdev
- Add qxl backport fixes from Dave Airlie
More information about the scm-commits
mailing list