diff options
| author | Ben Hutchings <ben@decadent.org.uk> | 2018-08-14 22:23:59 +0100 |
|---|---|---|
| committer | Ben Hutchings <ben@decadent.org.uk> | 2018-08-14 22:23:59 +0100 |
| commit | e090a7f60dd56451c041702b884607c86f1aba2f (patch) | |
| tree | 05de96ca905341abd8c19b4538b66be5894ba2f3 /debian/patches/bugfix/all/Revert-net-increase-fragment-memory-usage-limits.patch | |
| parent | b6e442c215ef794c8b29078d66ea44a67a7b219c (diff) | |
| download | kernel_replicant_linux-e090a7f60dd56451c041702b884607c86f1aba2f.tar.gz kernel_replicant_linux-e090a7f60dd56451c041702b884607c86f1aba2f.tar.bz2 kernel_replicant_linux-e090a7f60dd56451c041702b884607c86f1aba2f.zip | |
Revert "net: increase fragment memory usage limits" (CVE-2018-5391)
Diffstat (limited to 'debian/patches/bugfix/all/Revert-net-increase-fragment-memory-usage-limits.patch')
| -rw-r--r-- | debian/patches/bugfix/all/Revert-net-increase-fragment-memory-usage-limits.patch | 58 |
1 files changed, 58 insertions, 0 deletions
diff --git a/debian/patches/bugfix/all/Revert-net-increase-fragment-memory-usage-limits.patch b/debian/patches/bugfix/all/Revert-net-increase-fragment-memory-usage-limits.patch new file mode 100644 index 000000000000..eaa7d9f22ae0 --- /dev/null +++ b/debian/patches/bugfix/all/Revert-net-increase-fragment-memory-usage-limits.patch @@ -0,0 +1,58 @@ +From: Salvatore Bonaccorso <carnil@debian.org> +Date: Sat, 28 Jul 2018 16:48:31 +0200 +Subject: [PATCH] Revert "net: increase fragment memory usage limits" + +This reverts commit c2a936600f78aea00d3312ea4b66a79a4619f9b4. + +Revert commit as mitigation to FragmentSmack (CVE-2018-5391) +[bwh: Adjust context to apply to sid] +--- + include/net/ipv6.h | 4 ++-- + net/ipv4/ip_fragment.c | 22 +++++++--------------- + 2 files changed, 9 insertions(+), 17 deletions(-) + +--- a/include/net/ipv6.h ++++ b/include/net/ipv6.h +@@ -379,8 +379,8 @@ static inline bool ipv6_accept_ra(struct + idev->cnf.accept_ra; + } + +-#define IPV6_FRAG_HIGH_THRESH (4 * 1024*1024) /* 4194304 */ +-#define IPV6_FRAG_LOW_THRESH (3 * 1024*1024) /* 3145728 */ ++#define IPV6_FRAG_HIGH_THRESH (256 * 1024) /* 262144 */ ++#define IPV6_FRAG_LOW_THRESH (192 * 1024) /* 196608 */ + #define IPV6_FRAG_TIMEOUT (60 * HZ) /* 60 seconds */ + + int __ipv6_addr_type(const struct in6_addr *addr); +--- a/net/ipv4/ip_fragment.c ++++ b/net/ipv4/ip_fragment.c +@@ -788,22 +788,14 @@ static int __net_init ipv4_frags_init_ne + { + int res; + +- /* Fragment cache limits. +- * +- * The fragment memory accounting code, (tries to) account for +- * the real memory usage, by measuring both the size of frag +- * queue struct (inet_frag_queue (ipv4:ipq/ipv6:frag_queue)) +- * and the SKB's truesize. +- * +- * A 64K fragment consumes 129736 bytes (44*2944)+200 +- * (1500 truesize == 2944, sizeof(struct ipq) == 200) +- * +- * We will commit 4MB at one time. Should we cross that limit +- * we will prune down to 3MB, making room for approx 8 big 64K +- * fragments 8x128k. ++ /* ++ * Fragment cache limits. We will commit 256K at one time. Should we ++ * cross that limit we will prune down to 192K. This should cope with ++ * even the most extreme cases without allowing an attacker to ++ * measurably harm machine performance. + */ +- net->ipv4.frags.high_thresh = 4 * 1024 * 1024; +- net->ipv4.frags.low_thresh = 3 * 1024 * 1024; ++ net->ipv4.frags.high_thresh = 256 * 1024; ++ net->ipv4.frags.low_thresh = 192 * 1024; + /* + * Important NOTE! Fragment queue must be destroyed before MSL expires. + * RFC791 is wrong proposing to prolongate timer each fragment arrival |