Bug#643817: Fix for CVE-2011-2699 can result in crash in VM hosts
On Wed, 2011-12-28 at 01:11 +0100, Ben Hutchings wrote:
> On Sat, 2011-12-24 at 12:52 +0100, Moritz Mühlenhoff wrote:
> > On Fri, Sep 30, 2011 at 03:31:42AM +0100, Ben Hutchings wrote:
> > > Package: linux-2.6
> > > Version: 2.6.32-36
> > > Severity: serious
> > > Tags: security patch
> > >
> > > VM guests using the virtio_net driver may take advantage of UFO (UDP
> > > fragmentation offload) which results in the VM host performing
> > > fragmentation. As discussed in
> > > <http://thread.gmane.org/gmane.linux.kernel/1196272>, the new IPv6
> > > fragment ID generator will crash in this case because the expected
> > > routing context is missing.
> > >
> > > No fix is yet available, so we should revert the original fix and
> > > sort this out properly later.
> >
> > Do you know if a fix for 2.6.32 is now available?
>
> I *think* that we should be able to use this fix from 3.0-stable:
>
> commit a1b7ab0836a56fa4c9578f88ba1042398d7d9316
> Author: Jason Wang <jasowang@redhat.com>
> Date: Sun Oct 9 10:56:44 2011 +0800
>
> ipv6: fix NULL dereference in udp6_ufo_fragment()

Try as I might, I couldn't reproduce the crash that this fixes. But the
fix certainly seems reasonable. And there shouldn't be any other
callers that need to be considered, as they would have caused a build
failure in 2.6.32-36.

I'm attaching my test program that sends a packet requiring UFO through
a tun device. You will need to enable forwarding from the tun device to
some other device, add routes and select source and destination addresses
such that the kernel will try to forward the packet.

Ben.

--
Ben Hutchings
Hoare's Law of Large Problems:
Inside every large problem is a small problem struggling to get out.