Old 11-24-2011, 04:26 PM
Stefan Bader
 
Default CVE-2011-4326

A bug was found in the way headroom check was performed in
udp6_ufo_fragment() function. A remote attacker could use this flaw to
crash the system.

Natty to Precise got the fix pending at least. Anything before 2.6.32
is not affected. For the rest it is a clean cherry-pick all the way
to Lucid.

Somehow I am not sure anymore which topic branches are rebased and which
are not. Hopefully the magic status will tell as soon as the master
branches are updated and pushed...

-Stefan
 
Old 11-24-2011, 04:36 PM
Paolo Pisati
 
Default CVE-2011-4326

On 11/24/2011 06:26 PM, Stefan Bader wrote:
>
> Somehow I am not sure anymore which topic branches are rebased and
> which are not. Hopefully the magic status will tell as soon as the
> master branches are updated and pushed...

L/dove (that we don't support anymore), M/dove and O/omap4 are rebasable.

All the others are not.

P/omap4, hopefully, will be.
--
bye,
p.
--
kernel-team mailing list
kernel-team@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/kernel-team
 
Old 11-25-2011, 07:44 AM
Andy Whitcroft
 
Default CVE-2011-4326

On Thu, Nov 24, 2011 at 06:26:58PM +0100, Stefan Bader wrote:
> A bug was found in the way headroom check was performed in
> udp6_ufo_fragment() function. A remote attacker could use this flaw to
> crash the system.
>
> Natty to Precise got the fix pending at least. Anything before 2.6.32
> is not affected. For the rest it is a clean cherry-pick all the way
> to Lucid.
>
> Somehow I am not sure anymore which topic branches are rebased and which
> are not. Hopefully the magic status will tell as soon as the master
> branches are updated and pushed...

lucid/ec2 is a rebase (though has manual intervention)

lucid/fsl-imx51 is not a rebase.

lucid/mvl-dove & maverick/mvl-dove are rebased (lucid is off support but
we rebase that to get maverick/mvl-dove).

ti-omap4 before oneiric are not rebased, oneiric and later are.

All of the lts-backport branches are effectively rebased too.

You can find the rebase applications I consider from a CVE standpoint in
the kteam-tools/cve-tools/cve-rebase-transfer at the bottom.

> From a9cf73ea7ff78f52662c8658d93c226effbbedde Mon Sep 17 00:00:00 2001
> From: Shan Wei <shanwei@cn.fujitsu.com>
> Date: Tue, 19 Apr 2011 22:52:49 +0000
> Subject: [PATCH] ipv6: udp: fix the wrong headroom check
>
> At this point, skb->data points to skb_transport_header.
> So, headroom check is wrong.
>
> For some case:bridge(UFO is on) + eth device(UFO is off),
> there is no enough headroom for IPv6 frag head.
> But headroom check is always false.
>
> This will bring about data be moved to there prior to skb->head,
> when adding IPv6 frag header to skb.
>
> Signed-off-by: Shan Wei <shanwei@cn.fujitsu.com>
> Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
> Signed-off-by: David S. Miller <davem@davemloft.net>
>
> BugLink: http://bugs.launchpad.net/bugs/894373
> CVE-2011-4326
> (cherry-picked from commit a9cf73ea7ff78f52662c8658d93c226effbbedde upstream)
> Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
> ---
> net/ipv6/udp.c | 2 +-
> 1 files changed, 1 insertions(+), 1 deletions(-)
>
> diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c
> index 15c3774..9e305d74 100644
> --- a/net/ipv6/udp.c
> +++ b/net/ipv6/udp.c
> @@ -1335,7 +1335,7 @@ static struct sk_buff *udp6_ufo_fragment(struct sk_buff *skb, u32 features)
> skb->ip_summed = CHECKSUM_NONE;
>
> /* Check if there is enough headroom to insert fragment header. */
> - if ((skb_headroom(skb) < frag_hdr_sz) &&
> + if ((skb_mac_header(skb) < skb->head + frag_hdr_sz) &&
> pskb_expand_head(skb, frag_hdr_sz, 0, GFP_ATOMIC))
> goto out;
>
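Review bot: The comment above the changed condition still says only "Check if there is enough headroom to insert fragment header", which does not explain why the test now compares skb_mac_header(skb) against skb->head + frag_hdr_sz instead of calling skb_headroom(skb). The commit message gives the reason (skb->data points to the transport header at this point, so the old test never fired), and one extra sentence in that comment saying the room is measured in front of the MAC header would keep a later cleanup from restoring the skb_headroom() form. The pskb_expand_head() call and the goto out path are unchanged, so the failure handling looks the same as before.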

Matches the upstream commit and seems to do what is claimed.

Acked-by: Andy Whitcroft <apw@canonical.com>

-apw
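
A user-space model of the headroom check discussed in this thread, added here as an illustration; it is not code from the kernel, the patch, or any poster. The struct, the function names and the 2- and 32-byte layouts are constructed, and the 8-byte fragment header and the back-shift of the headers from the MAC header are assumptions of the model.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-in for the sk_buff fields the check reads. */
struct model_skb {
    unsigned char *head;       /* start of the allocated buffer */
    unsigned char *data;       /* current data pointer */
    unsigned char *mac_header; /* start of the link-layer header */
};

#define FRAG_HDR_SZ 8 /* assumed size of the IPv6 fragment header */

/* Pre-fix test: room measured from skb->data, as skb_headroom() does. */
static int old_check_wants_expand(const struct model_skb *skb)
{
    return (size_t)(skb->data - skb->head) < FRAG_HDR_SZ;
}

/* Post-fix test: room measured in front of the MAC header. */
static int new_check_wants_expand(const struct model_skb *skb)
{
    return skb->mac_header < skb->head + FRAG_HDR_SZ;
}

/* Offset from head where the headers would start once shifted back by
 * FRAG_HDR_SZ; a negative value means a write before skb->head. */
static long shifted_mac_offset(const struct model_skb *skb)
{
    return (long)(skb->mac_header - skb->head) - FRAG_HDR_SZ;
}

/* Constructed layout: `room` spare bytes, a 14-byte Ethernet header and a
 * 40-byte IPv6 header, with data already at the transport header. */
static struct model_skb make_skb(unsigned char *buf, size_t room)
{
    struct model_skb skb = { buf, buf + room + 14 + 40, buf + room };
    return skb;
}

int main(void)
{
    static unsigned char buf[256];
    size_t rooms[] = { 2, 32 };
    for (size_t i = 0; i < 2; i++) {
        struct model_skb s = make_skb(buf, rooms[i]);
        printf("room=%zu old=%d new=%d shifted=%ld\n", rooms[i],
               old_check_wants_expand(&s), new_check_wants_expand(&s),
               shifted_mac_offset(&s));
    }
    return 0;
}
```

With 2 spare bytes the pre-fix test sees 56 bytes of "headroom" and skips the expansion, while the post-fix test asks for it.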

 
Old 11-25-2011, 08:58 AM
Andy Whitcroft
 
Default CVE-2011-4326

Applied to lucid, maverick, maverick/ti-omap4, and natty/ti-omap4.

-apw

 