Bugzilla – Bug 843430
VUL-1: CVE-2013-4387: kernel: memory corruption with ipv6 udp offloading
Last modified: 2014-04-17 09:08:46 UTC
is public, via oss-sec CVE-2013-4387 From: Hannes Frederic Sowa <hannes@stressinduktion.org> Date: Sat, 28 Sep 2013 08:30:06 +0200 Subject: [oss-security] linux kernel memory corruption with ipv6 udp offloading Hi! I guess the following patch might be worth a CVE: | [PATCH] ipv6: udp packets following an UFO enqueued packet need also be handled by UFO | | In the following scenario the socket is corked: | If the first UDP packet is larger then the mtu we try to append it to the | write queue via ip6_ufo_append_data. A following packet, which is smaller | than the mtu would be appended to the already queued up gso-skb via | plain ip6_append_data. This causes random memory corruptions. | | In ip6_ufo_append_data we also have to be careful to not queue up the | same skb multiple times. So setup the gso frame only when no first skb | is available. | | This also fixes a shortcoming where we add the current packet's length to | cork->length but return early because of a packet > mtu with dontfrag set | (instead of sutracting it again). | | Found with trinity. While writing a reproducer to test this patch, I have seen silent memory corruption (which later manifests as e.g. a panic or hangs on shutdown) and oopses. It has been reported to netdev by Dmitry Vyukov <dvyukov@google.com> and was found with the AddressSanitizer for the kernel[1] and trinity. The patch is queued up for stable: http://patchwork.ozlabs.org/patch/276835/ and is already committed to linux-net: https://git.kernel.org/cgit/linux/kernel/git/davem/net.git/commit/?id=2811ebac2521ceac84f2bdae402455baa6a7fb47 I guess the erroneous behaviour was introduced here: | git describe --contains e89e9cf539a28df7d0eb1d0a545368e9920b34ac | v2.6.15-rc1~731^2~31 The reproducers are available on request. [1] https://code.google.com/p/address-sanitizer/wiki/AddressSanitizerForKernel Thanks, Hannes
bugbot adjusting priority
For SLE11-SP3, it's already included in 3.0.100. Do we need for SLE10-SP4, too?
I applied to SLES10-SP4-LTSS branch, too. SLES10-SP3-TD was already fixed by Michal K. So, I assign this bug back to security team.
Actually this is handled in bug 847672. I aligned the patches in SLES10-SP4-LTSS with the patches in SLES10-SP3-TD in the end.
Update released for: kernel-default, kernel-default-debuginfo, kernel-source, kernel-syms Products: SLE-DEBUGINFO 10-SP4 (s390x) SLE-SERVER 10-SP4-LTSS (s390x)
Update released for: kernel-bigsmp, kernel-bigsmp-debuginfo, kernel-debug, kernel-debug-debuginfo, kernel-default, kernel-default-debuginfo, kernel-kdump, kernel-kdump-debuginfo, kernel-kdumppae, kernel-kdumppae-debuginfo, kernel-smp, kernel-smp-debuginfo, kernel-source, kernel-source-debuginfo, kernel-syms, kernel-syms-debuginfo, kernel-vmi, kernel-vmi-debuginfo, kernel-vmipae, kernel-vmipae-debuginfo, kernel-xen, kernel-xen-debuginfo, kernel-xenpae, kernel-xenpae-debuginfo Products: SLE-DEBUGINFO 10-SP4 (i386) SLE-SERVER 10-SP4-LTSS (i386)
Update released for: kernel-debug, kernel-debug-debuginfo, kernel-default, kernel-default-debuginfo, kernel-kdump, kernel-kdump-debuginfo, kernel-smp, kernel-smp-debuginfo, kernel-source, kernel-source-debuginfo, kernel-syms, kernel-xen, kernel-xen-debuginfo Products: SLE-DEBUGINFO 10-SP4 (x86_64) SLE-SERVER 10-SP4-LTSS (x86_64)
SUSE-SU-2014:0536-1: An update that solves 42 vulnerabilities and has 8 fixes is now available. Category: security (important) Bug References: 702014,703156,790920,798050,805226,806219,808827,809889,809891,809892,809893,809894,809898,809899,809900,809901,809903,811354,816668,820338,822722,823267,824295,825052,826102,826551,827362,827749,827750,827855,827983,828119,830344,831058,832603,835839,842239,843430,845028,847672,848321,849765,850241,851095,852558,853501,857597,858869,858870,858872 CVE References: CVE-2011-2492,CVE-2011-2494,CVE-2012-6537,CVE-2012-6539,CVE-2012-6540,CVE-2012-6541,CVE-2012-6542,CVE-2012-6544,CVE-2012-6545,CVE-2012-6546,CVE-2012-6547,CVE-2012-6549,CVE-2013-0343,CVE-2013-0914,CVE-2013-1827,CVE-2013-2141,CVE-2013-2164,CVE-2013-2206,CVE-2013-2232,CVE-2013-2234,CVE-2013-2237,CVE-2013-2888,CVE-2013-2893,CVE-2013-2897,CVE-2013-3222,CVE-2013-3223,CVE-2013-3224,CVE-2013-3228,CVE-2013-3229,CVE-2013-3231,CVE-2013-3232,CVE-2013-3234,CVE-2013-3235,CVE-2013-4162,CVE-2013-4387,CVE-2013-4470,CVE-2013-4483,CVE-2013-4588,CVE-2013-6383,CVE-2014-1444,CVE-2014-1445,CVE-2014-1446 Sources used: SUSE Linux Enterprise Server 10 SP4 LTSS (src): kernel-bigsmp-2.6.16.60-0.105.1, kernel-debug-2.6.16.60-0.105.1, kernel-default-2.6.16.60-0.105.1, kernel-kdump-2.6.16.60-0.105.1, kernel-kdumppae-2.6.16.60-0.105.1, kernel-smp-2.6.16.60-0.105.1, kernel-source-2.6.16.60-0.105.1, kernel-syms-2.6.16.60-0.105.1, kernel-vmi-2.6.16.60-0.105.1, kernel-vmipae-2.6.16.60-0.105.1, kernel-xen-2.6.16.60-0.105.1, kernel-xenpae-2.6.16.60-0.105.1
Fixed and released. Closing bug.