On Tue, 2019-02-05 at 19:41 +0100, Greg Kroah-Hartman wrote:
On Tue, Feb 05, 2019 at 06:26:23PM +0000, Ben Hutchings wrote:
This is a backport of upstream changes to fix the FragmentSmack (CVE-
2018-5391) vulnerability.
Peter Oskolkov checked an earlier version of this backport, but I have
since rebased and added another 3 commits to it. I tested with the
ip_defrag.sh self-test that he added upstream, and it passed. I have
included the fix that is currently queued for the 4.9, 4.14 and 4.19
branches.
That's a lot of patches, some of which I have already queued up in the
next 4.4 release which will happen in a day or so. Are they all still
needed after the changes there are merged?
Ah, yes, a lot of the changes are already in your queue and I'm not
certain that all of mine are needed. However I can say that the
changes currently in the queue are not correct:
* The ip_defrag.sh self-test fails: in the ipv4 non-overlap case, after
a few seconds, recv() returns an EAGAIN error. If I modify the script
to continue running the other cases, however, they pass.
* There is a reference leak which prevents the new network namespaces
being torn down ("unregister_netdevice: waiting for lo to become free.
Usage count = 61"). (I see similar warnings with my backport, but the
number gradually decreases and they stop after
* Shutdown hangs.
Ben.
--
Ben Hutchings, Software Developer Codethink Ltd
https://www.codethink.co.uk/ Dale House, 35 Dale Street
Manchester, M1 2HF, United Kingdom
On Tue, 2019-02-05 at 19:41 +0100, Greg Kroah-Hartman wrote:
> On Tue, Feb 05, 2019 at 06:26:23PM +0000, Ben Hutchings wrote:
> > This is a backport of upstream changes to fix the FragmentSmack (CVE-
> > 2018-5391) vulnerability.
> >
> > Peter Oskolkov checked an earlier version of this backport, but I have
> > since rebased and added another 3 commits to it. I tested with the
> > ip_defrag.sh self-test that he added upstream, and it passed. I have
> > included the fix that is currently queued for the 4.9, 4.14 and 4.19
> > branches.
>
> That's a lot of patches, some of which I have already queued up in the
> next 4.4 release which will happen in a day or so. Are they all still
> needed after the changes there are merged?
Ah, yes, a lot of the fragment-handling changes are already in your
queue and I'm not certain that all of mine are needed. However I don't
think the changes in your queue are complete and correct. When I run
the ip_defrag.sh self-test:
1. The ipv4 non-overlap case fails after a few seconds, with recv()
returning an EAGAIN error. If I modify the script to continue after an
error, the other cases do pass, however. This is not a regression from
4.4.172, but with my changes all cases pass.
2. There is a reference leak which prevents the new network namespaces
being cleaned up ("unregister_netdevice: waiting for lo to become free.
Usage count = 61"). With 4.4.172 or with my changes applied, the
warnings appear, but only for about a minute with the number gradually
decreasing. So this is a regression.
3. If I run the test again, it hangs. Shutting down the VM also hangs.
I think this is related to the previous issue. Again, this is a
regression.
Ben.
--
Ben Hutchings, Software Developer Codethink Ltd
https://www.codethink.co.uk/ Dale House, 35 Dale Street
Manchester, M1 2HF, United Kingdom
