ipv6: fix neighbour resolution with raw socket

Bug #1834465 reported by Nicolas Dichtel
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
linux (Ubuntu)
Fix Released
Undecided
Kamal Mostafa
Bionic
Fix Released
Medium
Unassigned
Disco
Fix Released
Medium
Kamal Mostafa

Bug Description

[SRU Justification]

== Impact ==

IPv6 packets may be dropped during the neighbor resolution when a
userspace program uses IPv6 raw sockets. The commit that introduces
this bug has not been identified, but it's here at least from Xenial (4.4).
This was fixed in the requested backport (from 5.2).

== Fix ==

Backport the requested patches to Disco (5.0), Bionic (4.15) and
Xenial (4.4).

== Risk of Regregression ==

The change slightly modifies the target IPv6 address in neighbor
resolution engine. Risk should be low and limited to ipv6.

---

With an IPv6 raw socket, packets may be dropped during the neighbour resolution. It is fixed upstream by these patches:

9b1c1ef13b35 ipv6: constify rt6_nexthop()
2c6b55f45d53 ipv6: fix neighbour resolution with raw socket

https://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git/commit/?id=9b1c1ef13b35fa35051b635ca9fbda39fe6bbc70
https://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git/commit/?id=2c6b55f45d53420d8310d41310e0e2cd41fe073f

The detail of the bug is explained in the second patch.

CVE References

Revision history for this message
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote : Missing required logs.

This bug is missing log files that will aid in diagnosing the problem. While running an Ubuntu kernel (not a mainline or third-party kernel) please enter the following command in a terminal window:

apport-collect 1834465

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu):
status: New → Incomplete
Changed in linux (Ubuntu Disco):
status: New → In Progress
assignee: nobody → Kamal Mostafa (kamalmostafa)
Changed in linux (Ubuntu):
status: Incomplete → In Progress
assignee: nobody → Kamal Mostafa (kamalmostafa)
description: updated
Stefan Bader (smb)
Changed in linux (Ubuntu Disco):
importance: Undecided → Medium
Changed in linux (Ubuntu Disco):
status: In Progress → Fix Committed
Revision history for this message
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-disco' to 'verification-done-disco'. If the problem still exists, change the tag 'verification-needed-disco' to 'verification-failed-disco'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-disco
Revision history for this message
Nicolas Dichtel (nicolas-dichtel) wrote :

Tests are ok for us.

tags: added: verification-done-disco
removed: verification-needed-disco
Stefan Bader (smb)
Changed in linux (Ubuntu Bionic):
importance: Undecided → Medium
Changed in linux (Ubuntu Bionic):
status: New → Fix Committed
Revision history for this message
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-bionic' to 'verification-done-bionic'. If the problem still exists, change the tag 'verification-needed-bionic' to 'verification-failed-bionic'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-bionic
Revision history for this message
Nicolas Dichtel (nicolas-dichtel) wrote :

Tests are ok here.

tags: added: verification-done-bionic
removed: verification-needed-bionic
Revision history for this message
Launchpad Janitor (janitor) wrote :
Download full text (126.4 KiB)

This bug was fixed in the package linux - 5.0.0-31.33

---------------
linux (5.0.0-31.33) disco; urgency=medium

  * disco/linux: 5.0.0-31.33 -proposed tracker (LP: #1846026)

  * Packaging resync (LP: #1786013)
    - [Packaging] update helper scripts

  * /proc/self/maps paths missing on live session (was vlc won't start; eoan
    19.10 & bionic 18.04 ubuntu/lubuntu/kubuntu/xubuntu/ubuntu-mate dailies)
    (LP: #1842382)
    - SAUCE: Revert "UBUNTU: SAUCE: shiftfs: enable overlayfs on shiftfs"

linux (5.0.0-30.32) disco; urgency=medium

  * disco/linux: 5.0.0-30.32 -proposed tracker (LP: #1844362)

  * Disco update: upstream stable patchset 2019-08-20 (LP: #1840846)
    - Revert "e1000e: fix cyclic resets at link up with active tx"
    - e1000e: start network tx queue only when link is up
    - Input: synaptics - enable SMBUS on T480 thinkpad trackpad
    - nilfs2: do not use unexported cpu_to_le32()/le32_to_cpu() in uapi header
    - drivers: base: cacheinfo: Ensure cpu hotplug work is done before Intel RDT
    - firmware: improve LSM/IMA security behaviour
    - irqchip/gic-v3-its: Fix command queue pointer comparison bug
    - clk: ti: clkctrl: Fix returning uninitialized data
    - efi/bgrt: Drop BGRT status field reserved bits check
    - perf/core: Fix perf_sample_regs_user() mm check
    - ARM: dts: gemini Fix up DNS-313 compatible string
    - ARM: omap2: remove incorrect __init annotation
    - afs: Fix uninitialised spinlock afs_volume::cb_break_lock
    - x86/apic: Fix integer overflow on 10 bit left shift of cpu_khz
    - be2net: fix link failure after ethtool offline test
    - ppp: mppe: Add softdep to arc4
    - sis900: fix TX completion
    - ARM: dts: imx6ul: fix PWM[1-4] interrupts
    - pinctrl: mcp23s08: Fix add_data and irqchip_add_nested call order
    - dm table: don't copy from a NULL pointer in realloc_argv()
    - dm verity: use message limit for data block corruption message
    - x86/boot/64: Fix crash if kernel image crosses page table boundary
    - x86/boot/64: Add missing fixup_pointer() for next_early_pgt access
    - HID: chicony: add another quirk for PixArt mouse
    - pinctrl: mediatek: Ignore interrupts that are wake only during resume
    - cpu/hotplug: Fix out-of-bounds read when setting fail state
    - pinctrl: mediatek: Update cur_mask in mask/mask ops
    - linux/kernel.h: fix overflow for DIV_ROUND_UP_ULL
    - genirq: Delay deactivation in free_irq()
    - genirq: Fix misleading synchronize_irq() documentation
    - genirq: Add optional hardware synchronization for shutdown
    - x86/ioapic: Implement irq_get_irqchip_state() callback
    - x86/irq: Handle spurious interrupt after shutdown gracefully
    - x86/irq: Seperate unused system vectors from spurious entry again
    - ARC: hide unused function unw_hdr_alloc
    - s390: fix stfle zero padding
    - s390/qdio: (re-)initialize tiqdio list entries
    - s390/qdio: don't touch the dsci in tiqdio_add_input_queues()
    - crypto: talitos - move struct talitos_edesc into talitos.h
    - crypto: talitos - fix hash on SEC1.
    - crypto/NX: Set receive window credits to max number of CRBs in RxFIFO
    - drm/udl: introduce a macro to convert dev t...

Changed in linux (Ubuntu Disco):
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :
Download full text (23.3 KiB)

This bug was fixed in the package linux - 4.15.0-66.75

---------------
linux (4.15.0-66.75) bionic; urgency=medium

  * bionic/linux: 4.15.0-66.75 -proposed tracker (LP: #1846131)

  * Packaging resync (LP: #1786013)
    - [Packaging] update helper scripts

  * CVE-2018-21008
    - rsi: add fix for crash during assertions

  * ipv6: fix neighbour resolution with raw socket (LP: #1834465)
    - ipv6: constify rt6_nexthop()
    - ipv6: fix neighbour resolution with raw socket

  * run_netsocktests from net in ubuntu_kernel_selftests failed with X-4.15
    (LP: #1842023)
    - SAUCE: selftests: net: replace AF_MAX with INT_MAX in socket.c

  * No sound inputs from the external microphone and headset on a Dell machine
    (LP: #1842265)
    - ALSA: hda - Expand pin_match function to match upcoming new tbls
    - ALSA: hda - Define a fallback_pin_fixup_tbl for alc269 family

  * Add -fcf-protection=none when using retpoline flags (LP: #1843291)
    - SAUCE: kbuild: add -fcf-protection=none when using retpoline flags

  * Enhanced Hardware Support - Finalize Naming (LP: #1842774)
    - s390: add support for IBM z15 machines

  * Bionic update: upstream stable patchset 2019-09-24 (LP: #1845266)
    - bridge/mdb: remove wrong use of NLM_F_MULTI
    - cdc_ether: fix rndis support for Mediatek based smartphones
    - ipv6: Fix the link time qualifier of 'ping_v6_proc_exit_net()'
    - isdn/capi: check message length in capi_write()
    - net: Fix null de-reference of device refcount
    - net: gso: Fix skb_segment splat when splitting gso_size mangled skb having
      linear-headed frag_list
    - net: phylink: Fix flow control resolution
    - sch_hhf: ensure quantum and hhf_non_hh_weight are non-zero
    - sctp: Fix the link time qualifier of 'sctp_ctrlsock_exit()'
    - sctp: use transport pf_retrans in sctp_do_8_2_transport_strike
    - tcp: fix tcp_ecn_withdraw_cwr() to clear TCP_ECN_QUEUE_CWR
    - tipc: add NULL pointer check before calling kfree_rcu
    - tun: fix use-after-free when register netdev failed
    - btrfs: compression: add helper for type to string conversion
    - btrfs: correctly validate compression type
    - Revert "MIPS: SiByte: Enable swiotlb for SWARM, LittleSur and BigSur"
    - gpiolib: acpi: Add gpiolib_acpi_run_edge_events_on_boot option and blacklist
    - gpio: fix line flag validation in linehandle_create
    - gpio: fix line flag validation in lineevent_create
    - Btrfs: fix assertion failure during fsync and use of stale transaction
    - genirq: Prevent NULL pointer dereference in resend_irqs()
    - KVM: s390: Do not leak kernel stack data in the KVM_S390_INTERRUPT ioctl
    - KVM: x86: work around leak of uninitialized stack contents
    - KVM: nVMX: handle page fault in vmread
    - MIPS: VDSO: Prevent use of smp_processor_id()
    - MIPS: VDSO: Use same -m%-float cflag as the kernel proper
    - powerpc: Add barrier_nospec to raw_copy_in_user()
    - drm/meson: Add support for XBGR8888 & ABGR8888 formats
    - clk: rockchip: Don't yell about bad mmc phases when getting
    - mtd: rawnand: mtk: Fix wrongly assigned OOB buffer pointer issue
    - PCI: Always allow probing with driver_override
    - ubifs: Cor...

Changed in linux (Ubuntu Bionic):
status: Fix Committed → Fix Released
Po-Hsu Lin (cypressyew)
Changed in linux (Ubuntu):
status: In Progress → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.