Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Sat, 28 Sep 2013 19:02:05 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Hannes Frederic Sowa <hannes@...essinduktion.org>, dvyukov@...gle.com
Subject: Re: linux kernel memory corruption with ipv6 udp offloading

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 09/28/2013 12:30 AM, Hannes Frederic Sowa wrote:
> Hi!
> 
> I guess the following patch might be worth a CVE:
> 
> | [PATCH] ipv6: udp packets following an UFO enqueued packet need
> also be handled by UFO | | In the following scenario the socket is
> corked: | If the first UDP packet is larger then the mtu we try to
> append it to the | write queue via ip6_ufo_append_data. A following
> packet, which is smaller | than the mtu would be appended to the
> already queued up gso-skb via | plain ip6_append_data. This causes
> random memory corruptions. | | In ip6_ufo_append_data we also have
> to be careful to not queue up the | same skb multiple times. So
> setup the gso frame only when no first skb | is available. | | This
> also fixes a shortcoming where we add the current packet's length
> to | cork->length but return early because of a packet > mtu with
> dontfrag set | (instead of sutracting it again). | | Found with
> trinity.
> 
> While writing a reproducer to test this patch, I have seen silent
> memory corruption (which later manifests as e.g. a panic or hangs
> on shutdown) and oopses.
> 
> It has been reported to netdev by Dmitry Vyukov
> <dvyukov@...gle.com> and was found with the AddressSanitizer for
> the kernel[1] and trinity.
> 
> The patch is queued up for stable: 
> http://patchwork.ozlabs.org/patch/276835/ and is already committed
> to linux-net: 
> https://git.kernel.org/cgit/linux/kernel/git/davem/net.git/commit/?id=2811ebac2521ceac84f2bdae402455baa6a7fb47
>
>  I guess the erroneous behaviour was introduced here: | git
> describe --contains e89e9cf539a28df7d0eb1d0a545368e9920b34ac |
> v2.6.15-rc1~731^2~31
> 
> The reproducers are available on request.
> 
> [1]
> https://code.google.com/p/address-sanitizer/wiki/AddressSanitizerForKernel
>
>  Thanks,
> 
> Hannes
> 

Please use CVE-2013-4387 for this issue.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (GNU/Linux)

iQIcBAEBAgAGBQJSR3wNAAoJEBYNRVNeJnmTfCQQAIoM5+fTHyrE4K9CGUqN5lsw
we8cFnBHFeG3PcRQlaR2ItDOmFoMruqSEEqMhfnL9CUYvuV7rVlWc+2Xw4U2r995
6heZ3VfLyarL7lbdcYDej9X3CiL9I33+FYCvyZdxTF8ulwkAbnOPD+eqFk6izv0m
ICg0Rl4rhieMLlGTH3cfeNDCO8uFls5vCJ18pqgKiT5ioj+TyshHqiyA+2uqwUqj
s6OnxZ2CJa6oTRvdfHC2OJFSXB4OqylN10OK8uypoydJ1UrmEJGnBH9UBD8ltLmo
Ccg7SndC/QLa+gwn5MIRGBJdijkzHhFyCfTjjT4JhsRu+yI3loHbMvPf1sGfcNXL
f75ohgvz1aAsvHGTyBWtt/zwImNjUoMLRuqpDRIN6Fb9OfdphmW0uXVZG0Om8Jjx
T2HtsJDPKphgcDhM/YuTQJ/4jMKUUK3XzTBstQIKXxEQX5nz041z/Zs5Z5ibVmaS
iikCqhx78dh+LMGWV4K+1HkNZQpoTRYCbwRdRT4PHvyoIjYV2luFcsAJcDIIYhzI
g3A/df6/eFmNhJn02kzd0g33O4kbvNz3MQmoEhBSLalmHyqwKrtWhVNZG419M4tC
C69t0tpxPJoNIfoRQ6sqJsmSoyJAeu4417Ut9lB0268BVGVLm2gH186hwMSnzBld
mziNFW/q9kVxhJRPAom8
=/r10
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.