Description: FragmentSmack (IP fragments)
References:
 https://www.kb.cert.org/vuls/id/641765
Notes:
 carnil> Should affect 3.9 and later and mitigation/good enough fix is
 carnil> to revert c2a936600f78aea00d3312ea4b66a79a4619f9b4. Or change
 carnil> the default values of net.ipv4.ipfrag_high_thresh and
 carnil> net.ipv4.ipfrag_low_thresh back to 256kB and 192 kB (respectively)
 carnil> or below.
 carnil> "Proper" patches in the works.
 carnil> SuSE identifies upstream commits which seem to properly address
 carnil> the issue, but need more checking:
 carnil> https://bugzilla.novell.com/show_bug.cgi?id=1103097
 carnil> Candidates for backports:
 carnil> https://bugzilla.novell.com/show_bug.cgi?id=1103097#c15
 carnil> 56e2c94f05 inet: frag: enforce memory limits earlier
 carnil> 4672694bd4 ipv4: frags: handle possible skb truesize change
 carnil> and
 carnil> 0ed4229b08c1 ipv6: defrag: drop non-last frags smaller than min mtu
 carnil> 7969e5c40dfd ip: discard IPv4 datagrams with overlapping segments.
 carnil> 385114dec8a4 net: modify skb_rbtree_purge to return the truesize of all
 carnil> purged skbs.
 carnil> fa0f527358bd ip: use rb trees for IP frag queue.
 carnil> It needs to be checked that the upstream fixes for
 carnil> 4.9-upstream-stable and 3.16-upstream-stable do not cause
 carnil> CVE-2018-14641. The proposed patch series from Florian Fainelli
 carnil> ("[PATCH stable 4.9 v2 00/29] backport of IP fragmentation fixes")
 carnil> contains the needed fix.
 carnil> The commits backported to 4.9.134 are complete and thus are not
 carnil> introducing CVE-2018-14641.
Bugs:
upstream: released (4.19-rc1) [7969e5c40dfd04799d4341f1b7cd266b6e47f227, 385114dec8a49b5e5945e77ba7de6356106713f4, fa0f527358bd900ef92f925878ed6bfbd51305cc]
4.19-upstream-stable: N/A "Fixed before branch point"
4.9-upstream-stable: released (4.9.134) [7fca77153c5c2a2c59e70720332bce7088aef8e8, 2ffb1c363dfa89858dded0b291f005faf1b72adc, bbf6d8604475f36279c7b2d9a1f425654bc24588, dae73e7d73fce8d8d5132ec3c94de16280653fc6, 1b363f81f38f28bd69ec90837da0f65161f36325, 620018dd713da51daac7ec4cd0ae54b0f0fa0f75, fb19348bd709e3f948825ed995bdc477a0414772, 23ce9c5ce704b985dad79bce944a348f0c205869, ea7496f018adcfbac5396ead5756dcabb9866749, 49106f36c253a3c4ce7cf297415826af0c4339ea, 965e2adc5850836586e0961c350b94c2092da319, 7f6170683223cb38cabaff21ecbb9a6375ad10f6, 7a87ec92d36a660820d426d8c54794c44077277f, cbc45497b39c4626adaeca2a409588f19ae19e34, 6060bcdcffaba68c3ff158a88faab6df27210ffc, 5b68fda0a455be7f48fdf97407de1aa09d046fdd, 316986fe4dcac011b4f85d9bbef1edf4953c0219, d838486621c38f084b867743a0abd0968c6cb196, 82f36cbc74595f06900f478d4eaf7217a4f06e13, f5d17b55f4be318adf3b642b50bd25e5245ecc17, 871695951ec6f6b0b1a258c9bb5336bfeffab409, a8444b1ccb20339774af58e40ad42296074fb484, 791521e2e377f66ef5ee6e5002dec758234d8d32, b475cf3bf1e8212b0287c6d15249e2c942693ae5, 10043954eadac2d8f8c1886190f7a7ee584ff939, e9e4ac488c017739b2832177550ba2569fffc709, 4077ddb2cb48ca4592d738ea37cd58c5d41754bd, 85e59af99a7f7c9bcd089f2404b405df7ee665ba, 5a0f340f5ad6a6cc6518f212802f95b669e8fe27]
3.16-upstream-stable: ignored "Too risky to apply upstream fix, and it can be mitigated with sysctl changes"
sid: released (4.17.15-1) [bugfix/all/Revert-net-increase-fragment-memory-usage-limits.patch]
4.9-stretch-security: released (4.9.110-3+deb9u2) [bugfix/all/Revert-net-increase-fragment-memory-usage-limits.patch]
3.16-jessie-security: released (3.16.59-1) [bugfix/all/Revert-net-increase-fragment-memory-usage-limits.patch]