Revert "net: increase fragment memory usage limits" (CVE-2018-5391)

3 files changed, 60 insertions, 0 deletions

diff --git a/debian/changelog b/debian/changelog
index 69875eb906b6..757bab8088d9 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -4,6 +4,7 @@ linux (4.17.14-2) UNRELEASED; urgency=medium
     (except on armel)
     - bluetooth: Re-enable BT_HCIUART_{BCM,LL} (Closes: #906048)
   * drivers/net/phy: Enable SFP as module (Closes: #906054)
+  * Revert "net: increase fragment memory usage limits" (CVE-2018-5391)
 
  -- Ben Hutchings <ben@decadent.org.uk>  Tue, 14 Aug 2018 00:07:30 +0800
 
diff --git a/debian/patches/bugfix/all/Revert-net-increase-fragment-memory-usage-limits.patch b/debian/patches/bugfix/all/Revert-net-increase-fragment-memory-usage-limits.patch
new file mode 100644
index 000000000000..eaa7d9f22ae0
--- /dev/null
+++ b/debian/patches/bugfix/all/Revert-net-increase-fragment-memory-usage-limits.patch
@@ -0,0 +1,58 @@
+From: Salvatore Bonaccorso <carnil@debian.org>
+Date: Sat, 28 Jul 2018 16:48:31 +0200
+Subject: [PATCH] Revert "net: increase fragment memory usage limits"
+
+This reverts commit c2a936600f78aea00d3312ea4b66a79a4619f9b4.
+
+Revert commit as mitigation to FragmentSmack (CVE-2018-5391)
+[bwh: Adjust context to apply to sid]
+---
+ include/net/ipv6.h     |  4 ++--
+ net/ipv4/ip_fragment.c | 22 +++++++---------------
+ 2 files changed, 9 insertions(+), 17 deletions(-)
+
+--- a/include/net/ipv6.h
++++ b/include/net/ipv6.h
+@@ -379,8 +379,8 @@ static inline bool ipv6_accept_ra(struct
+ 	    idev->cnf.accept_ra;
+ }
+ 
+-#define IPV6_FRAG_HIGH_THRESH	(4 * 1024*1024)	/* 4194304 */
+-#define IPV6_FRAG_LOW_THRESH	(3 * 1024*1024)	/* 3145728 */
++#define IPV6_FRAG_HIGH_THRESH	(256 * 1024)	/* 262144 */
++#define IPV6_FRAG_LOW_THRESH	(192 * 1024)	/* 196608 */
+ #define IPV6_FRAG_TIMEOUT	(60 * HZ)	/* 60 seconds */
+ 
+ int __ipv6_addr_type(const struct in6_addr *addr);
+--- a/net/ipv4/ip_fragment.c
++++ b/net/ipv4/ip_fragment.c
+@@ -788,22 +788,14 @@ static int __net_init ipv4_frags_init_ne
+ {
+ 	int res;
+ 
+-	/* Fragment cache limits.
+-	 *
+-	 * The fragment memory accounting code, (tries to) account for
+-	 * the real memory usage, by measuring both the size of frag
+-	 * queue struct (inet_frag_queue (ipv4:ipq/ipv6:frag_queue))
+-	 * and the SKB's truesize.
+-	 *
+-	 * A 64K fragment consumes 129736 bytes (44*2944)+200
+-	 * (1500 truesize == 2944, sizeof(struct ipq) == 200)
+-	 *
+-	 * We will commit 4MB at one time. Should we cross that limit
+-	 * we will prune down to 3MB, making room for approx 8 big 64K
+-	 * fragments 8x128k.
++	/*
++	 * Fragment cache limits. We will commit 256K at one time. Should we
++	 * cross that limit we will prune down to 192K. This should cope with
++	 * even the most extreme cases without allowing an attacker to
++	 * measurably harm machine performance.
+ 	 */
+-	net->ipv4.frags.high_thresh = 4 * 1024 * 1024;
+-	net->ipv4.frags.low_thresh  = 3 * 1024 * 1024;
++	net->ipv4.frags.high_thresh = 256 * 1024;
++	net->ipv4.frags.low_thresh = 192 * 1024;
+ 	/*
+ 	 * Important NOTE! Fragment queue must be destroyed before MSL expires.
+ 	 * RFC791 is wrong proposing to prolongate timer each fragment arrival
diff --git a/debian/patches/series b/debian/patches/series
index 84382ce8c8ab..ad6f90eeaf45 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -138,6 +138,7 @@ features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch
 
 # Security fixes
 debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
+bugfix/all/Revert-net-increase-fragment-memory-usage-limits.patch
 
 # Fix exported symbol versions
 bugfix/all/module-disable-matching-missing-version-crc.patch