From 65f14f4adcba1d3e04b7d3c8e4094cd9a6e86711 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Nov 01 2013 12:23:27 +0000 Subject: CVE-2013-4348 net: deadloop path in skb_flow_dissect (rhbz 1007939 1025647) --- diff --git a/kernel.spec b/kernel.spec index 72dd406..5d44628 100644 --- a/kernel.spec +++ b/kernel.spec @@ -795,6 +795,9 @@ Patch25137: cifs-Allow-LANMAN-auth-for-unencapsulated-auth-methods.patch #rhbz 995782 Patch25138: intel-3.12-stable-fixes.patch +#CVE-2013-4348 rhbz 1007939 1025647 +Patch25139: net-flow_dissector-fail-on-evil-iph-ihl.patch + # END OF PATCH DEFINITIONS %endif @@ -1527,6 +1530,9 @@ ApplyPatch cifs-Allow-LANMAN-auth-for-unencapsulated-auth-methods.patch #rhbz 995782 ApplyPatch intel-3.12-stable-fixes.patch +#CVE-2013-4348 rhbz 1007939 1025647 +ApplyPatch net-flow_dissector-fail-on-evil-iph-ihl.patch + # END OF PATCH APPLICATIONS %endif @@ -2368,6 +2374,9 @@ fi # ||----w | # || || %changelog +* Fri Nov 01 2013 Josh Boyer +- CVE-2013-4348 net: deadloop path in skb_flow_dissect (rhbz 1007939 1025647) + * Thu Oct 31 2013 Josh Boyer - Fix display regression on Dell XPS 13 machines (rhbz 995782) diff --git a/net-flow_dissector-fail-on-evil-iph-ihl.patch b/net-flow_dissector-fail-on-evil-iph-ihl.patch new file mode 100644 index 0000000..aba3ea8 --- /dev/null +++ b/net-flow_dissector-fail-on-evil-iph-ihl.patch @@ -0,0 +1,82 @@ +Path: news.gmane.org!not-for-mail +From: Jason Wang +Newsgroups: gmane.linux.kernel,gmane.linux.network +Subject: [PATCH net] net: flow_dissector: fail on evil iph->ihl +Date: Fri, 1 Nov 2013 15:01:10 +0800 +Lines: 34 +Approved: news@gmane.org +Message-ID: <1383289270-18952-1-git-send-email-jasowang@redhat.com> +NNTP-Posting-Host: plane.gmane.org +X-Trace: ger.gmane.org 1383289296 18578 80.91.229.3 (1 Nov 2013 07:01:36 GMT) +X-Complaints-To: usenet@ger.gmane.org +NNTP-Posting-Date: Fri, 1 Nov 2013 07:01:36 +0000 (UTC) +Cc: Jason Wang , + Petr Matousek , + "Michael S. Tsirkin" , + Daniel Borkmann +To: davem@davemloft.net, edumazet@google.com, netdev@vger.kernel.org, + linux-kernel@vger.kernel.org +Original-X-From: linux-kernel-owner@vger.kernel.org Fri Nov 01 08:01:39 2013 +Return-path: +Envelope-to: glk-linux-kernel-3@plane.gmane.org +Original-Received: from vger.kernel.org ([209.132.180.67]) + by plane.gmane.org with esmtp (Exim 4.69) + (envelope-from ) + id 1Vc8jh-00034h-9Y + for glk-linux-kernel-3@plane.gmane.org; Fri, 01 Nov 2013 08:01:37 +0100 +Original-Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand + id S1753899Ab3KAHB3 (ORCPT ); + Fri, 1 Nov 2013 03:01:29 -0400 +Original-Received: from mx1.redhat.com ([209.132.183.28]:8081 "EHLO mx1.redhat.com" + rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP + id S1752399Ab3KAHB1 (ORCPT ); + Fri, 1 Nov 2013 03:01:27 -0400 +Original-Received: from int-mx02.intmail.prod.int.phx2.redhat.com (int-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.12]) + by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id rA171QgE005079 + (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); + Fri, 1 Nov 2013 03:01:26 -0400 +Original-Received: from jason-ThinkPad-T430s.nay.redhat.com (dhcp-66-71-71.eng.nay.redhat.com [10.66.71.71] (may be forged)) + by int-mx02.intmail.prod.int.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id rA171Jpr015790; + Fri, 1 Nov 2013 03:01:20 -0400 +X-Scanned-By: MIMEDefang 2.67 on 10.5.11.12 +Original-Sender: linux-kernel-owner@vger.kernel.org +Precedence: bulk +List-ID: +X-Mailing-List: linux-kernel@vger.kernel.org +Xref: news.gmane.org gmane.linux.kernel:1588387 gmane.linux.network:289242 +Archived-At: + +We don't validate iph->ihl which may lead a dead loop if we meet a IPIP +skb whose iph->ihl is zero. Fix this by failing immediately when iph->ihl +is evil (less than 5). + +This issue were introduced by commit ec5efe7946280d1e84603389a1030ccec0a767ae +(rps: support IPIP encapsulation). + +Cc: Eric Dumazet +Cc: Petr Matousek +Cc: Michael S. Tsirkin +Cc: Daniel Borkmann +Signed-off-by: Jason Wang +--- +This patch is needed for stable. +--- + net/core/flow_dissector.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/core/flow_dissector.c b/net/core/flow_dissector.c +index 8d7d0dd..143b6fd 100644 +--- a/net/core/flow_dissector.c ++++ b/net/core/flow_dissector.c +@@ -40,7 +40,7 @@ again: + struct iphdr _iph; + ip: + iph = skb_header_pointer(skb, nhoff, sizeof(_iph), &_iph); +- if (!iph) ++ if (!iph || iph->ihl < 5) + return false; + + if (ip_is_fragment(iph)) +-- +1.8.1.2 +