Bug 726552 (CVE-2011-2723)

Summary: CVE-2011-2723 kernel: gro: only reset frag0 when skb can be pulled
Product: [Other] Security Response Reporter: Eugene Teo (Security Response) <eteo>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: anton, bhu, dhoward, jkacur, kernel-mgr, lgoncalv, lwang, osoukup, plougher, rt-maint, sforsber, vdanen, vgoyal, williams
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-05-10 08:15:15 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 679682, 726553, 726554, 726555, 726556, 734971, 748676, 761340    
Bug Blocks: 726551    

Description Eugene Teo (Security Response) 2011-07-29 01:26:39 UTC 
Currently skb_gro_header_slow unconditionally resets frag0 and frag0_len.  However, when we can't pull on the skb this leaves the GRO fields in an inconsistent state.

This patch fixes this by only resetting those fields after the pskb_may_pull test.

Upstream commit:
http://git.kernel.org/linus/17dd759c67f21e34f2156abcf415e1f60605a188

Acknowledgements:
Red Hat would like to thank Brent Meshier for reporting this issue.
Comment 4 Eugene Teo (Security Response) 2011-07-29 01:40:47 UTC 
Statement:

This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 4 as it did not backport the upstream commit a5b1cf28 that introduced this issue. This has been addressed in Red Hat Enterprise Linux 5, 6, and Red Hat Enterprise MRG via https://rhn.redhat.com/errata/RHSA-2011-1386.html, https://rhn.redhat.com/errata/RHSA-2011-1350.html, and https://rhn.redhat.com/errata/RHSA-2012-0010.html.
Comment 8 Vincent Danen 2011-09-20 16:39:18 UTC 
External References:

http://git.kernel.org/linus/17dd759c67f21e34f2156abcf415e1f60605a188
Comment 9 errata-xmlrpc 2011-09-20 17:50:53 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5.6.Z - Server Only

Via RHSA-2011:1321 https://rhn.redhat.com/errata/RHSA-2011-1321.html
Comment 10 errata-xmlrpc 2011-10-05 21:47:35 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2011:1350 https://rhn.redhat.com/errata/RHSA-2011-1350.html
Comment 11 errata-xmlrpc 2011-10-20 17:28:32 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2011:1386 https://rhn.redhat.com/errata/RHSA-2011-1386.html
Comment 12 Eugene Teo (Security Response) 2011-10-25 03:51:03 UTC 
Created kernel tracking bugs for this issue

Affects: fedora-all [bug 748676]
Comment 13 errata-xmlrpc 2011-10-26 15:32:40 UTC 
This issue has been addressed in following products:

  RHEV-H, V2V and Agents for RHEL-5

Via RHSA-2011:1408 https://rhn.redhat.com/errata/RHSA-2011-1408.html
Comment 15 errata-xmlrpc 2012-01-10 20:15:52 UTC 
This issue has been addressed in following products:

  MRG for RHEL-6 v.2

Via RHSA-2012:0010 https://rhn.redhat.com/errata/RHSA-2012-0010.html