Bugzilla – Bug 848042
VUL-1: CVE-2013-4563: kernel: net: Large UDP packet over IPv6 over UFO-enabled device with TBF qdisc (No corking needed)
Last modified: 2016-04-28 07:15:36 UTC
bugbot adjusting priority
public via oss-sec

Commit 1e2bd517c108816220f262d7954b697af03b5f9c ("udp6: Fix udp fragmentation for tunnel traffic.") changed the calculation if there is enough space to include a fragment header in the skb from a skb->mac_header derived one to skb_headroom. Because we already peeled off the skb to transport_header this is wrong. This fixes a panic Saran Neti reported. He used the tbf scheduler which skb_gso_segments the skb. The offsets get negative and we panic in memcpy because the skb was erroneously not expanded at the head.

Introduced by: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=1e2bd517c108816220f262d7954b697af03b5f9c
Introduced in: v3.10-rc5
Upstream fix: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=0e033e0

References:
http://marc.info/?l=linux-netdev&m=138305762205012&w=2
https://bugzilla.redhat.com/show_bug.cgi?id=1030015

Acknowledgements: Red Hat would like to thank Saran Neti of TELUS Security Labs for reporting this issue.
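The difference between the two headroom checks named in the commit message above, as an added user-space model (not kernel code and not part of the original report). The struct, the function names and the sample offsets are hypothetical, and the header shift is a simplifying assumption of the model.

```c
#include <stddef.h>
#include <stdio.h>

#define FRAG_HDR_SZ 8L  /* an IPv6 fragment header is 8 bytes */

/* Simplified stand-in for the sk_buff offsets involved; not kernel code. */
struct model_skb {
    long mac_off;   /* MAC header offset from the buffer start (skb->head) */
    long data_off;  /* skb->data offset from the buffer start */
};

/* Constructed sample: 2 bytes free at the head, then Ethernet (14) and
 * IPv6 (40) headers, with data already pulled up to the transport header. */
static struct model_skb constructed_skb(void)
{
    struct model_skb skb = { .mac_off = 2, .data_off = 2 + 14 + 40 };
    return skb;
}

/* Headroom-based check: data_off also counts the bytes occupied by the
 * MAC and network headers, so it overstates the free space. */
static int needs_expand_headroom(const struct model_skb *skb, long tnl_hlen)
{
    return skb->data_off < tnl_hlen + FRAG_HDR_SZ;
}

/* mac_header-derived check: only bytes in front of the MAC header are free. */
static int needs_expand_mac(const struct model_skb *skb, long tnl_hlen)
{
    return skb->mac_off < tnl_hlen + FRAG_HDR_SZ;
}

/* Model assumption: the headers are moved FRAG_HDR_SZ bytes toward the
 * buffer start to open a gap. A negative result lies before the buffer. */
static long mac_off_after_shift(const struct model_skb *skb)
{
    return skb->mac_off - FRAG_HDR_SZ;
}

int main(void)
{
    struct model_skb skb = constructed_skb();
    printf("headroom check expands: %d\n", needs_expand_headroom(&skb, 0));
    printf("mac_header check expands: %d\n", needs_expand_mac(&skb, 0));
    printf("MAC offset if not expanded: %ld\n", mac_off_after_shift(&skb));
    return 0;
}
```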
3.10 - so only openSUSE 13.1 and Factory.
Applied to 13.1. Does Factory get synced in?
factory will just get the regular version upgrades, no need to apply it there I think.
Ok, closing.
openSUSE-SU-2014:0205-1: An update that solves 8 vulnerabilities and has 13 fixes is now available.

Category: security (important)
Bug References: 733022,773058,838024,844513,845621,846529,848042,849021,850072,852652,852656,852931,853050,853051,853052,853053,854175,854722,856294,859804,860993
CVE References: CVE-2013-4511,CVE-2013-4563,CVE-2013-4587,CVE-2013-6367,CVE-2013-6368,CVE-2013-6376,CVE-2013-6432,CVE-2014-0038
Sources used:
openSUSE 13.1 (src): kernel-docs-3.11.10-7.3, kernel-source-3.11.10-7.1, kernel-syms-3.11.10-7.1