Date: Sat, 28 Sep 2013 08:30:06 +0200
From: Hannes Frederic Sowa <>
Subject: linux kernel memory corruption with ipv6 udp offloading


I guess the following patch might be worth a CVE:

| [PATCH] ipv6: udp packets following an UFO enqueued packet need also be handled by UFO
| In the following scenario the socket is corked:
| If the first UDP packet is larger then the mtu we try to append it to the
| write queue via ip6_ufo_append_data. A following packet, which is smaller
| than the mtu would be appended to the already queued up gso-skb via
| plain ip6_append_data. This causes random memory corruptions.
| In ip6_ufo_append_data we also have to be careful to not queue up the
| same skb multiple times. So setup the gso frame only when no first skb
| is available.
| This also fixes a shortcoming where we add the current packet's length to
| cork->length but return early because of a packet > mtu with dontfrag set
| (instead of subtracting it again).
| Found with trinity.

While writing a reproducer to test this patch, I have seen silent memory
corruption (which later manifests as e.g. a panic or hangs on shutdown)
and oopses.

It has been reported to netdev by Dmitry Vyukov <>
and was found with the AddressSanitizer for the kernel[1] and trinity.

The patch is queued up for stable:
and is already committed to linux-net:

I guess the erroneous behaviour was introduced here:
| git describe --contains e89e9cf539a28df7d0eb1d0a545368e9920b34ac
| v2.6.15-rc1~731^2~31

The reproducers are available on request.



