From 6bbeff05bae28ea3be5c47414b831bed2af252cc Mon Sep 17 00:00:00 2001 From: Ben Hutchings Date: Fri, 22 Nov 2013 01:18:23 +0000 Subject: [PATCH] Update to 3.12.1 svn path=/dists/trunk/linux/; revision=20818 --- debian/changelog | 5 +- debian/patches/bugfix/all/CVE-2013-4348.patch | 82 ------------------- debian/patches/series | 1 - 3 files changed, 4 insertions(+), 84 deletions(-) delete mode 100644 debian/patches/bugfix/all/CVE-2013-4348.patch diff --git a/debian/changelog b/debian/changelog index 74d5297c5..11b9a573f 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,4 +1,7 @@ -linux (3.12-1~exp2) UNRELEASED; urgency=low +linux (3.12.1-1~exp1) UNRELEASED; urgency=low + + * New upstream stable update: + https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.12.1 [ Ben Hutchings ] * [rt] Update to 3.12.0-rt2 and reenable diff --git a/debian/patches/bugfix/all/CVE-2013-4348.patch b/debian/patches/bugfix/all/CVE-2013-4348.patch deleted file mode 100644 index 4a0dbd2f1..000000000 --- a/debian/patches/bugfix/all/CVE-2013-4348.patch +++ /dev/null 
@@ -1,82 +0,0 @@ -From: Ben Hutchings -Date: Thu, 31 Oct 2013 02:24:12 +0000 -Subject: net: Fix infinite loop in in skb_flow_dissect() (CVE-2013-4348) - -Jason Wang writes: -(via linux-distros@vs.openwall.org etc.) -> There's a deadloop path in skb_flow_dissect(): -> -> bool skb_flow_dissect(const struct sk_buff *skb, struct flow_keys *flow) -> { -> .. -> -> ip: -> iph = skb_header_pointer(skb, nhoff, sizeof(_iph), &_iph); -> if (!iph) -> return false; -> -> if (ip_is_fragment(iph)) -> ip_proto = 0; -> else -> ip_proto = iph->protocol; -> iph_to_flow_copy_addrs(flow, iph); -> nhoff += iph->ihl * 4; -> break; -> .. -> -> Here the code does not check whether iph->ihl is zero which may cause -> deadloop if a malicous IPIP packet whose ihl is zero. See the above -> codes for IPIP. Since the pointer was not move ahead. -> -> .. -> case IPPROTO_IPIP: -> proto = htons(ETH_P_IP); -> goto ip; -> .. -> } -> -> skb_flow_dissect() were used by several places: -> - packet scheduler that want classify flows -> - skb_get_rxhash() that will be used by RPS, vxlan, multiqueue -> tap,macvtap packet fanout -> - skb_probe_transport_header() which was used for probing transport -> header for DODGY packets -> - __skb_get_poff() which will be used by socket filter -> -> So this could be used to DOS both local and remote machine. -> -> I was able to -> -> - DOS the local host machine -> - DOS the local host machine by run the reproducer in guest -> - DOS one guest with RPS enabled by running the reproducer in another -> guest in the same host. -> -> I believe it could be also used to DOS a remote machine, but I didn't try. -> -> The issue were introduced by commit -> 0744dd00c1b1be99a25b62b1b48df440e82e57e0 (net: introduce -> skb_flow_dissect()). -> -> The fix looks easy, just fail when iph->ihl is zero. - -Accepting any positive value means we can still be made to loop nearly -skb->len / 4 times in some cases. 
But all values < 5 are invalid, so -let's reject them and reduce that to skb->len / 20. - -We should probably set a constant limit on the loop count as well, but -I'm not sure what the limit should be. - -Signed-off-by: Ben Hutchings ---- ---- a/net/core/flow_dissector.c -+++ b/net/core/flow_dissector.c -@@ -40,7 +40,7 @@ again: - struct iphdr _iph; - ip: - iph = skb_header_pointer(skb, nhoff, sizeof(_iph), &_iph); -- if (!iph) -+ if (!iph || iph->ihl < 5) - return false; - - if (ip_is_fragment(iph)) diff --git a/debian/patches/series b/debian/patches/series index 593e67c08..41772145a 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -75,5 +75,4 @@ features/all/mvsas-Recognise-device-subsystem-9485-9485-as-88SE94.patch bugfix/all/kbuild-use-nostdinc-in-compile-tests.patch debian/add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by-default.patch bugfix/all/UAPI-include-asm-byteorder.h-in-linux-raid-md_p.h.patch -bugfix/all/CVE-2013-4348.patch bugfix/all/perf-ftrace-Fix-paranoid-level-for-enabling-function.patch
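Review bot: In the debian/changelog hunk, the new 3.12.1-1~exp1 entry records only "New upstream stable update" with the ChangeLog URL and does not mention that bugfix/all/CVE-2013-4348.patch is being dropped. Suggest adding a sub-item under that bullet naming the skb_flow_dissect() fix together with its CVE id, so that anyone tracking CVE-2013-4348 can see from the changelog where the fix now comes from once the patch file and its series entry are gone.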
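Review bot: The deleted debian/patches/bugfix/all/CVE-2013-4348.patch rejects every header with `iph->ihl < 5`, which is stricter than the "fail when iph->ihl is zero" fix proposed in the quoted report, and nothing in this commit shows which form 3.12.1 carries. Before dropping the file, confirm that the 3.12.1 version of net/core/flow_dissector.c has the same `iph->ihl < 5` test after the skb_header_pointer() call at the `ip:` label; if upstream only rejects zero, keep a reduced patch for the stricter check. The patch description also leaves a constant limit on the loop count as an open item, and that is worth recording in a bug or TODO so it is not lost along with the file.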