| field | value | timestamp |
|---|---|---|
| author | Josh Boyer <jwboyer@fedoraproject.org> | 2015-01-06 09:17:11 -0500 |
| committer | Josh Boyer <jwboyer@fedoraproject.org> | 2015-01-06 09:17:13 -0500 |
| commit | d994f31028496ec7022952c849624cd1ff304991 (patch) | |
| tree | 295a40f03e7a03d63c2ec0251ee3e731cb22518b | |
| parent | 2dd7a3b242b8149c8e5c897b890a29ce4fea5f7a (diff) | |
| download | kernel-d994f31028496ec7022952c849624cd1ff304991.tar.gz, kernel-d994f31028496ec7022952c849624cd1ff304991.tar.xz, kernel-d994f31028496ec7022952c849624cd1ff304991.zip | |
CVE-2014-9428 remote DoS via batman-adv (rhbz 1178826 1178833)
| mode | file | lines changed |
|---|---|---|
| -rw-r--r-- | batman-adv-Calculate-extra-tail-size-based-on-queued.patch | 61 |
| -rw-r--r-- | kernel.spec | 7 |

2 files changed, 68 insertions, 0 deletions
diff --git a/batman-adv-Calculate-extra-tail-size-based-on-queued.patch b/batman-adv-Calculate-extra-tail-size-based-on-queued.patch new file mode 100644 index 00000000..32ad9694 --- /dev/null +++ b/batman-adv-Calculate-extra-tail-size-based-on-queued.patch 
@@ -0,0 +1,61 @@ +From: Sven Eckelmann <sven@narfation.org> +Date: Sat, 20 Dec 2014 13:48:55 +0100 +Subject: [PATCH] batman-adv: Calculate extra tail size based on queued + fragments +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The fragmentation code was replaced in 610bfc6bc99bc83680d190ebc69359a05fc7f605 +("batman-adv: Receive fragmented packets and merge"). The new code provided a +mostly unused parameter skb for the merging function. It is used inside the +function to calculate the additionally needed skb tailroom. But instead of +increasing its own tailroom, it is only increasing the tailroom of the first +queued skb. This is not correct in some situations because the first queued +entry can be a different one than the parameter. + +An observed problem was: + +1. packet with size 104, total_size 1464, fragno 1 was received + - packet is queued +2. packet with size 1400, total_size 1464, fragno 0 was received + - packet is queued at the end of the list +3. enough data was received and can be given to the merge function + (1464 == (1400 - 20) + (104 - 20)) + - merge functions gets 1400 byte large packet as skb argument +4. merge function gets first entry in queue (104 byte) + - stored as skb_out +5. merge function calculates the required extra tail as total_size - skb->len + - pskb_expand_head tail of skb_out with 64 bytes +6. merge function tries to squeeze the extra 1380 bytes from the second queued + skb (1400 byte aka skb parameter) in the 64 extra tail bytes of skb_out + +Instead calculate the extra required tail bytes for skb_out also using skb_out +instead of using the parameter skb. The skb parameter is only used to get the +total_size from the last received packet. This is also the total_size used to +decide that all fragments were received. 
+ +Reported-by: Philipp Psurek <philipp.psurek@gmail.com> +Signed-off-by: Sven Eckelmann <sven@narfation.org> +Acked-by: Martin Hundebøll <martin@hundeboll.net> +Signed-off-by: David S. Miller <davem@davemloft.net> +--- + net/batman-adv/fragmentation.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/batman-adv/fragmentation.c b/net/batman-adv/fragmentation.c +index fc1835c6bb40..8af3461d18d2 100644 +--- a/net/batman-adv/fragmentation.c ++++ b/net/batman-adv/fragmentation.c +@@ -251,7 +251,7 @@ batadv_frag_merge_packets(struct hlist_head *chain, struct sk_buff *skb) + kfree(entry); + + /* Make room for the rest of the fragments. */ +- if (pskb_expand_head(skb_out, 0, size - skb->len, GFP_ATOMIC) < 0) { ++ if (pskb_expand_head(skb_out, 0, size - skb_out->len, GFP_ATOMIC) < 0) { + kfree_skb(skb_out); + skb_out = NULL; + goto free; +-- +2.1.0 + diff --git a/kernel.spec b/kernel.spec index c14910c5..bcc9256c 100644 --- a/kernel.spec +++ b/kernel.spec @@ -676,6 +676,9 @@ Patch26120: userns-Unbreak-the-unprivileged-remount-tests.patch #rhbz 1163927 Patch26121: Set-UID-in-sess_auth_rawntlmssp_authenticate-too.patch +#CVE-2014-9428 rhbz 1178826,1178833 +Patch26122: batman-adv-Calculate-extra-tail-size-based-on-queued.patch + # git clone ssh://git.fedorahosted.org/git/kernel-arm64.git, git diff master...devel Patch30000: kernel-arm64.patch @@ -1461,6 +1464,9 @@ ApplyPatch userns-Unbreak-the-unprivileged-remount-tests.patch #rhbz 1163927 ApplyPatch Set-UID-in-sess_auth_rawntlmssp_authenticate-too.patch +#CVE-2014-9428 rhbz 1178826,1178833 +ApplyPatch batman-adv-Calculate-extra-tail-size-based-on-queued.patch + %if 0%{?aarch64patches} ApplyPatch kernel-arm64.patch %ifnarch aarch64 # this is stupid, but i want to notice before secondary koji does. 
@@ -2336,6 +2342,7 @@ fi # || || %changelog * Tue Jan 06 2015 Josh Boyer <jwboyer@fedoraproject.org> +- CVE-2014-9428 remote DoS via batman-adv (rhbz 1178826 1178833) - Fix CIFS login issue (rhbz 1163927) * Mon Dec 29 2014 Josh Boyer <jwboyer@fedoraproject.org> |
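Review bot: the added patch file (hunk `@@ -0,0 +1,61 @@`) starts at `From: Sven Eckelmann <sven@narfation.org>` with no `From <sha>` first line and no other mention of the mainline commit it was taken from, so nothing in this repository records which upstream commit is being backported. Keep the `git format-patch` header line with the upstream commit id, or add an explicit upstream reference to the header, so the patch can be matched against the stable tree and dropped cleanly on the next rebase.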
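Review bot: in the net/batman-adv/fragmentation.c hunk the tailroom passed to pskb_expand_head() is now `size - skb_out->len` instead of `size - skb->len`, which matches the scenario in the commit message (a 104-byte skb_out and total_size 1464 now request 1360 bytes of tail rather than the 64 computed from the 1400-byte skb parameter). What the hunk does not show is where it is guaranteed that `size` (total_size from the last received fragment) is not smaller than skb_out->len; if that is enforced when fragments are queued, a one-line comment above the call stating so would help the next reader, since otherwise the subtraction wraps and a bogus ntail reaches pskb_expand_head(). A short comment noting that `skb` is only still used for total_size, as the commit message says, would also stop someone "fixing" the argument back to `skb->len` later.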
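Review bot: the `Patch26122:` definition in kernel.spec (hunk `@@ -676,6 +676,9 @@`) follows the numbering and `#rhbz ...` comment style of the `Patch26121` entry above it, but the comment lists the bugs as `1178826,1178833` while the commit subject and the changelog entry write `1178826 1178833`; pick one form so a grep for either bug reference finds all three places. Since this is a CVE backport, the same comment is also the natural place to record the upstream commit the patch file was taken from.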
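Review bot: the %changelog entry (hunk `@@ -2336,6 +2342,7 @@`) is added under the existing `* Tue Jan 06 2015 Josh Boyer` header rather than a new stanza, which is correct for the commit date, but the diff contains no Release or baserelease change; confirm that the bump is carried in a separate commit or by the build tooling, otherwise this fix ships under the same NVR as the CIFS fix already listed in that stanza.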