APPLIED[F,J,L]: [SRU Focal,Jammy,OEM-6.1,Lunar 0/5] CVE-2023-42752
Roxana Nicolescu
roxana.nicolescu at canonical.com
Fri Sep 29 06:53:48 UTC 2023
On 27/09/2023 02:40, Thadeu Lima de Souza Cascardo wrote:
> [Impact]
> An unprivileged user may use a user/network namespace, set up a device with
> a very large MTU, and trigger an IGMP packet transmission that will lead to a
> system crash. Local privilege escalation cannot be ruled out.
>
> [Test case]
> A PoC was tested and it worked on 6.1 and 6.2 kernels as they carry the
> kmalloc_reserve changes that make the PoC attack possible. After the fix,
> IGMP packets are still being transmitted, but the crash is not seen anymore.
>
> On 5.15 and 5.4 kernels, the test was still done, even though there is no crash
> without the fix. But after the fix, IGMP packets are still being transmitted.
>
> [Potential regression]
> On Focal and Jammy, IGMP may be broken. On OEM-6.1 and Lunar, other network
> workloads may be broken as this touches SKB allocation.
>
> Eric Dumazet (5):
> igmp: limit igmpv3_newpack() packet size to IP_MAX_MTU
> net: add SKB_HEAD_ALIGN() helper
> net: remove osize variable in __alloc_skb()
> net: factorize code in kmalloc_reserve()
> net: deal with integer overflows in kmalloc_reserve()
>
> include/linux/skbuff.h | 8 +++++++
> net/core/skbuff.c | 49 ++++++++++++++++++------------------------
> net/ipv4/igmp.c | 3 ++-
> 3 files changed, 31 insertions(+), 29 deletions(-)
>
Applied to focal,jammy,lunar:master-next. Thanks!
Roxana