ACK: [CVE-2016-9755][PATCH Yakkety] netfilter: ipv6: nf_defrag: drop mangled skb on ream error

Stefan Bader stefan.bader at canonical.com
Wed Jun 21 08:08:09 UTC 2017


On 15.06.2017 09:29, Po-Hsu Lin wrote:
> From: Florian Westphal <fw at strlen.de>
> 
> CVE-2016-9755
> 
> Dmitry Vyukov reported GPF in network stack that Andrey traced down to
> negative nh offset in nf_ct_frag6_queue().
> 
> Problem is that all network headers before fragment header are pulled.
> Normal ipv6 reassembly will drop the skb when errors occur further down
> the line.
> 
> netfilter doesn't do this, and instead passed the original fragment
> along.  That was also fine back when netfilter ipv6 defrag worked with
> cloned fragments, as the original, pristine fragment was passed on.
> 
> So we either have to undo the pull op, or discard such fragments.
> Since they're malformed after all (e.g. overlapping fragment) it seems
> preferable to just drop them.
> 
> Same for temporary errors -- it doesn't make sense to accept (and
> perhaps forward!) only some fragments of same datagram.
> 
> Fixes: 029f7f3b8701cc7ac ("netfilter: ipv6: nf_defrag: avoid/free clone operations")
> Reported-by: Dmitry Vyukov <dvyukov at google.com>
> Debugged-by: Andrey Konovalov <andreyknvl at google.com>
> Diagnosed-by: Eric Dumazet <edumazet at google.com>
> Signed-off-by: Florian Westphal <fw at strlen.de>
> Acked-by: Eric Dumazet <edumazet at google.com>
> Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
> (cherry picked from commit 9b57da0630c9fd36ed7a20fc0f98dc82cc0777fa)
> 
> Signed-off-by: Po-Hsu Lin <po-hsu.lin at canonical.com>
Acked-by: Stefan Bader <stefan.bader at canonical.com>

> ---
>  net/ipv6/netfilter/nf_conntrack_reasm.c   |    4 ++--
>  net/ipv6/netfilter/nf_defrag_ipv6_hooks.c |    2 +-
>  2 files changed, 3 insertions(+), 3 deletions(-)
> 
> diff --git a/net/ipv6/netfilter/nf_conntrack_reasm.c b/net/ipv6/netfilter/nf_conntrack_reasm.c
> index e4347ae..9948b5c 100644
> --- a/net/ipv6/netfilter/nf_conntrack_reasm.c
> +++ b/net/ipv6/netfilter/nf_conntrack_reasm.c
> @@ -576,11 +576,11 @@ int nf_ct_frag6_gather(struct net *net, struct sk_buff *skb, u32 user)
>  	/* Jumbo payload inhibits frag. header */
>  	if (ipv6_hdr(skb)->payload_len == 0) {
>  		pr_debug("payload len = 0\n");
> -		return -EINVAL;
> +		return 0;
>  	}
>  
>  	if (find_prev_fhdr(skb, &prevhdr, &nhoff, &fhoff) < 0)
> -		return -EINVAL;
> +		return 0;
>  
>  	if (!pskb_may_pull(skb, fhoff + sizeof(*fhdr)))
>  		return -ENOMEM;
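Review bot: the two `return -EINVAL;` to `return 0;` changes in this hunk are necessary rather than cosmetic, because the companion hook change turns every non-zero result into NF_DROP: both paths (jumbo payload with payload_len == 0, and no fragment header found by find_prev_fhdr) mean "not a fragment, nothing to reassemble", and returning an error there would drop ordinary unfragmented IPv6 traffic. Since 0 now doubles as "no fragment header, pass through" and as "reassembly finished", a short comment on these two returns would make that contract explicit for the caller. Note also that the unchanged `return -ENOMEM;` below, for a failed pskb_may_pull, now results in NF_DROP, which matches the commit message's intent of dropping on temporary errors instead of passing a possibly mangled skb along.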
> diff --git a/net/ipv6/netfilter/nf_defrag_ipv6_hooks.c b/net/ipv6/netfilter/nf_defrag_ipv6_hooks.c
> index f7aab5a..f06b047 100644
> --- a/net/ipv6/netfilter/nf_defrag_ipv6_hooks.c
> +++ b/net/ipv6/netfilter/nf_defrag_ipv6_hooks.c
> @@ -69,7 +69,7 @@ static unsigned int ipv6_defrag(void *priv,
>  	if (err == -EINPROGRESS)
>  		return NF_STOLEN;
>  
> -	return NF_ACCEPT;
> +	return err == 0 ? NF_ACCEPT : NF_DROP;
>  }
>  
>  static struct nf_hook_ops ipv6_defrag_ops[] = {
> 
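Review bot: with `return err == 0 ? NF_ACCEPT : NF_DROP;` the netfilter core will free the skb on every negative return from nf_ct_frag6_gather other than -EINPROGRESS, so each of those error paths must leave ownership of the skb with this caller (no kfree_skb before returning the error), otherwise this becomes a double free; the -EINPROGRESS path correctly keeps NF_STOLEN because the fragment queue owns the skb. Worth confirming no error path in nf_ct_frag6_gather frees skb before returning non-zero. A one-line comment above the return stating that any error now drops the (already pulled) fragment would help future readers see why NF_ACCEPT is no longer safe here.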

