Revert "Revert "net: increase fragment memory usage limits""
4.19 includes a better fix for CVE-2018-5391.
parent
80b5a7c714
commit
841b031a9f
|
@ -31,6 +31,8 @@ linux (4.19~rc3-1~exp2) UNRELEASED; urgency=medium
|
||||||
* linux-image-*-signed-template: Override lintian warnings about non-
|
* linux-image-*-signed-template: Override lintian warnings about non-
|
||||||
executable scripts
|
executable scripts
|
||||||
* [ia64] udeb: Fix priority of sn-modules
|
* [ia64] udeb: Fix priority of sn-modules
|
||||||
|
* Revert "Revert "net: increase fragment memory usage limits"", as 4.19
|
||||||
|
includes a better fix for CVE-2018-5391
|
||||||
|
|
||||||
-- Ben Hutchings <ben@decadent.org.uk> Mon, 10 Sep 2018 22:25:53 +0100
|
-- Ben Hutchings <ben@decadent.org.uk> Mon, 10 Sep 2018 22:25:53 +0100
|
||||||
|
|
||||||
|
|
|
@ -1,58 +0,0 @@
|
||||||
From: Salvatore Bonaccorso <carnil@debian.org>
|
|
||||||
Date: Sat, 28 Jul 2018 16:48:31 +0200
|
|
||||||
Subject: [PATCH] Revert "net: increase fragment memory usage limits"
|
|
||||||
|
|
||||||
This reverts commit c2a936600f78aea00d3312ea4b66a79a4619f9b4.
|
|
||||||
|
|
||||||
Revert commit as mitigation to FragmentSmack (CVE-2018-5391)
|
|
||||||
[bwh: Adjust context to apply to sid]
|
|
||||||
---
|
|
||||||
include/net/ipv6.h | 4 ++--
|
|
||||||
net/ipv4/ip_fragment.c | 22 +++++++---------------
|
|
||||||
2 files changed, 9 insertions(+), 17 deletions(-)
|
|
||||||
|
|
||||||
--- a/include/net/ipv6.h
|
|
||||||
+++ b/include/net/ipv6.h
|
|
||||||
@@ -379,8 +379,8 @@ static inline bool ipv6_accept_ra(struct
|
|
||||||
idev->cnf.accept_ra;
|
|
||||||
}
|
|
||||||
|
|
||||||
-#define IPV6_FRAG_HIGH_THRESH (4 * 1024*1024) /* 4194304 */
|
|
||||||
-#define IPV6_FRAG_LOW_THRESH (3 * 1024*1024) /* 3145728 */
|
|
||||||
+#define IPV6_FRAG_HIGH_THRESH (256 * 1024) /* 262144 */
|
|
||||||
+#define IPV6_FRAG_LOW_THRESH (192 * 1024) /* 196608 */
|
|
||||||
#define IPV6_FRAG_TIMEOUT (60 * HZ) /* 60 seconds */
|
|
||||||
|
|
||||||
int __ipv6_addr_type(const struct in6_addr *addr);
|
|
||||||
--- a/net/ipv4/ip_fragment.c
|
|
||||||
+++ b/net/ipv4/ip_fragment.c
|
|
||||||
@@ -788,22 +788,14 @@ static int __net_init ipv4_frags_init_ne
|
|
||||||
{
|
|
||||||
int res;
|
|
||||||
|
|
||||||
- /* Fragment cache limits.
|
|
||||||
- *
|
|
||||||
- * The fragment memory accounting code, (tries to) account for
|
|
||||||
- * the real memory usage, by measuring both the size of frag
|
|
||||||
- * queue struct (inet_frag_queue (ipv4:ipq/ipv6:frag_queue))
|
|
||||||
- * and the SKB's truesize.
|
|
||||||
- *
|
|
||||||
- * A 64K fragment consumes 129736 bytes (44*2944)+200
|
|
||||||
- * (1500 truesize == 2944, sizeof(struct ipq) == 200)
|
|
||||||
- *
|
|
||||||
- * We will commit 4MB at one time. Should we cross that limit
|
|
||||||
- * we will prune down to 3MB, making room for approx 8 big 64K
|
|
||||||
- * fragments 8x128k.
|
|
||||||
+ /*
|
|
||||||
+ * Fragment cache limits. We will commit 256K at one time. Should we
|
|
||||||
+ * cross that limit we will prune down to 192K. This should cope with
|
|
||||||
+ * even the most extreme cases without allowing an attacker to
|
|
||||||
+ * measurably harm machine performance.
|
|
||||||
*/
|
|
||||||
- net->ipv4.frags.high_thresh = 4 * 1024 * 1024;
|
|
||||||
- net->ipv4.frags.low_thresh = 3 * 1024 * 1024;
|
|
||||||
+ net->ipv4.frags.high_thresh = 256 * 1024;
|
|
||||||
+ net->ipv4.frags.low_thresh = 192 * 1024;
|
|
||||||
/*
|
|
||||||
* Important NOTE! Fragment queue must be destroyed before MSL expires.
|
|
||||||
* RFC791 is wrong proposing to prolongate timer each fragment arrival
|
|
|
@ -131,7 +131,6 @@ features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch
|
||||||
|
|
||||||
# Security fixes
|
# Security fixes
|
||||||
debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
|
debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
|
||||||
bugfix/all/Revert-net-increase-fragment-memory-usage-limits.patch
|
|
||||||
|
|
||||||
# Fix exported symbol versions
|
# Fix exported symbol versions
|
||||||
bugfix/all/module-disable-matching-missing-version-crc.patch
|
bugfix/all/module-disable-matching-missing-version-crc.patch
|
||||||
|
|