Bug 1030015 (CVE-2013-4563)

Summary: CVE-2013-4563 kernel: net: large udp packet over IPv6 over UFO-enabled device with TBF qdisc panic
Product: [Other] Security Response Reporter: Petr Matousek <pmatouse>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: agordeev, anton, aquini, bhu, davej, dhoward, esammons, fhrbata, gansalmon, iboverma, itamar, jforbes, jkacur, jkurik, jonathan, jross, jwboyer, kernel-maint, kernel-mgr, lgoncalv, lwang, madhu.chinakonda, matt, mcressma, npajkovs, pholasek, plougher, rt-maint, rvrbovsk, williams
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-11-13 17:41:10 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1030016, 1030017    
Bug Blocks: 1030018    

Description Petr Matousek 2013-11-13 17:30:34 UTC 
Commit 1e2bd517c108816220f262d7954b697af03b5f9c ("udp6: Fix udp
fragmentation for tunnel traffic.") changed the calculation if
there is enough space to include a fragment header in the skb from a
skb->mac_header dervived one to skb_headroom. Because we already peeled
off the skb to transport_header this is wrong.

This fixes a panic Saran Neti reported. He used the tbf scheduler which
skb_gso_segments the skb. The offsets get negative and we panic in memcpy
because the skb was erroneously not expanded at the head.

Introduced by:
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=1e2bd517c108816220f262d7954b697af03b5f9c

Introduced in:
v3.10-rc5

Upstream fix:
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=0e033e0

References:
http://marc.info/?l=linux-netdev&m=138305762205012&w=2

Acknowledgements:

Red Hat would like to thank Saran Neti of TELUS Security Labs for reporting this issue.
Comment 2 Petr Matousek 2013-11-13 17:33:51 UTC 
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1030017]
Comment 3 Petr Matousek 2013-11-13 17:41:10 UTC 
Statement:

Not vulnerable.

This issue did not affect the Linux kernel packages as shipped with Red Hat Enterprise Linux 5, 6 and Red Hat Enterprise MRG 2.
Comment 4 Fedora Update System 2013-11-24 03:49:06 UTC 
kernel-3.11.9-200.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 5 Fedora Update System 2013-11-24 23:47:58 UTC 
kernel-3.11.9-300.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 6 Fedora Update System 2013-11-29 06:55:53 UTC 
kernel-3.11.9-100.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.