09-30-2011, 02:31 AM
Ben Hutchings

Bug#643817: Fix for CVE-2011-2699 can result in crash in VM hosts

Package: linux-2.6
Version: 2.6.32-36
Severity: serious
Tags: security patch

VM guests using the virtio_net driver may take advantage of UFO (UDP
fragmentation offload) which results in the VM host performing
fragmentation. As discussed in
<http://thread.gmane.org/gmane.linux.kernel/1196272>, the new IPv6
fragment ID generator will crash in this case because the expected
routing context is missing.

No fix is yet available, so we should revert the original fix and
sort this out properly later.

Ben.

-- System Information:
Debian Release: wheezy/sid
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: i386 (x86_64)

Kernel: Linux 3.0.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash



--
To UNSUBSCRIBE, email to debian-kernel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/20110930023142.13725.55613.reportbug@deadeye
 
12-28-2011, 08:02 PM
Ben Hutchings

Bug#643817: Fix for CVE-2011-2699 can result in crash in VM hosts

On Wed, 2011-12-28 at 01:11 +0100, Ben Hutchings wrote:
> On Sat, 2011-12-24 at 12:52 +0100, Moritz Mühlenhoff wrote:
> > On Fri, Sep 30, 2011 at 03:31:42AM +0100, Ben Hutchings wrote:
> > > Package: linux-2.6
> > > Version: 2.6.32-36
> > > Severity: serious
> > > Tags: security patch
> > >
> > > VM guests using the virtio_net driver may take advantage of UFO (UDP
> > > fragmentation offload) which results in the VM host performing
> > > fragmentation. As discussed in
> > > <http://thread.gmane.org/gmane.linux.kernel/1196272>, the new IPv6
> > > fragment ID generator will crash in this case because the expected
> > > routing context is missing.
> > >
> > > No fix is yet available, so we should revert the original fix and
> > > sort this out properly later.
> >
> > Do you know if a fix for 2.6.32 is now available?
>
> I *think* that we should be able to use this fix from 3.0-stable:
>
> commit a1b7ab0836a56fa4c9578f88ba1042398d7d9316
> Author: Jason Wang <jasowang@redhat.com>
> Date: Sun Oct 9 10:56:44 2011 +0800
>
> ipv6: fix NULL dereference in udp6_ufo_fragment()

Try as I might, I couldn't reproduce the crash that this fixes. But the
fix certainly seems reasonable. And there shouldn't be any other
callers that need to be considered, as they would have caused a build
failure in 2.6.32-36.

I'm attaching my test program that sends a packet requiring UFO through
a tun device. You will need to enable forwarding from the tun device to
some other device, add routes and select source and destination addresses
such that the kernel will try to forward the packet.

Ben.

--
Ben Hutchings
Hoare's Law of Large Problems:
Inside every large problem is a small problem struggling to get out.
 
