From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <SRS0=Yw43=QB=vger.kernel.org=netdev-owner@kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-8.0 required=3.0 tests=HEADER_FROM_DIFFERENT_DOMAINS,
	MAILING_LIST_MULTI,MENTIONS_GIT_HOSTING,SPF_PASS,USER_AGENT_GIT autolearn=ham
	autolearn_force=no version=3.4.0
Received: from mail.kernel.org (mail.kernel.org [198.145.29.99])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 0105FC282C5
	for <netdev@archiver.kernel.org>; Fri, 25 Jan 2019 02:43:46 +0000 (UTC)
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.kernel.org (Postfix) with ESMTP id C732E218D2
	for <netdev@archiver.kernel.org>; Fri, 25 Jan 2019 02:43:45 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1728594AbfAYCnY (ORCPT <rfc822;netdev@archiver.kernel.org>);
        Thu, 24 Jan 2019 21:43:24 -0500
Received: from szxga07-in.huawei.com ([45.249.212.35]:47382 "EHLO huawei.com"
        rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP
        id S1728199AbfAYCnX (ORCPT <rfc822;netdev@vger.kernel.org>);
        Thu, 24 Jan 2019 21:43:23 -0500
Received: from DGGEMS410-HUB.china.huawei.com (unknown [172.30.72.59])
        by Forcepoint Email with ESMTP id B7D344C63E0C58762EF3;
        Fri, 25 Jan 2019 10:43:21 +0800 (CST)
Received: from localhost.localdomain.localdomain (10.175.113.25) by
 DGGEMS410-HUB.china.huawei.com (10.3.19.210) with Microsoft SMTP Server id
 14.3.408.0; Fri, 25 Jan 2019 10:43:12 +0800
From:   Mao Wenan <maowenan@huawei.com>
To:     <gregkh@linux-foundation.org>, <stable@vger.kernel.org>,
        <edumazet@google.com>, <netdev@vger.kernel.org>,
        <davem@davemloft.net>, <maowenan@huawei.com>,
        <eric.dumazet@gmail.com>
Subject: [PATCH stable 4.4 v2 00/11] fix FragmentSmack in stable branch (CVE-2018-5391)
Date:   Fri, 25 Jan 2019 10:48:33 +0800
Message-ID: <1548384524-174152-1-git-send-email-maowenan@huawei.com>
X-Mailer: git-send-email 1.8.3.1
MIME-Version: 1.0
Content-Type: text/plain
X-Originating-IP: [10.175.113.25]
X-CFilter-Loop: Reflected
Sender: netdev-owner@vger.kernel.org
Precedence: bulk
List-ID: <netdev.vger.kernel.org>
X-Mailing-List: netdev@vger.kernel.org

There is one CVE: CVE-2018-5391 kernel: IP fragments with random offsets allow a 
remote denial of service (FragmentSmack), 
A fix is a merge commit in the Linux kernel tree:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=c30f1fc041b74ecdb072dd44f858750414b8b19f

consisting of the following commits:
7969e5c40dfd04799d4341f1b7cd266b6e47f227 ip: discard IPv4 datagrams with overlapping segments.
385114dec8a49b5e5945e77ba7de6356106713f4 net: modify skb_rbtree_purge to return the truesize of all purged skbs.
fa0f527358bd900ef92f925878ed6bfbd51305cc ip: use rb trees for IP frag queue.

All above patches are with rb tree to fix this CVE, which is very similar the CVE-2018-5390, that I have backport
to stable 4.4 branch in last year.

In these patchset, I will backport some patches to fix CVE-2018-5391 with rb tree.  

v1->v2: in this patch, ipv6: defrag: drop non-last frags smaller than min mtu
fix the incorrect return value of nf_ct_frag6_gather.

Dan Carpenter (1):
  ipv4: frags: precedence bug in ip_expire()

Eric Dumazet (2):
  net: speed up skb_rbtree_purge()
  inet: frags: get rif of inet_frag_evicting()

Florian Westphal (1):
  ipv6: defrag: drop non-last frags smaller than min mtu

Michal Kubecek (1):
  net: ipv4: do not handle duplicate fragments as overlapping

Peter Oskolkov (5):
  ip: discard IPv4 datagrams with overlapping segments.
  net: modify skb_rbtree_purge to return the truesize of all purged
    skbs.
  ip: use rb trees for IP frag queue.
  ip: add helpers to process in-order fragments faster.
  ip: process in-order fragments efficiently

Taehee Yoo (1):
  ip: frags: fix crash in ip_do_fragment()

 include/linux/skbuff.h                  |   4 +-
 include/net/inet_frag.h                 |  12 +-
 include/uapi/linux/snmp.h               |   1 +
 net/core/skbuff.c                       |  17 +-
 net/ipv4/inet_fragment.c                |  16 +-
 net/ipv4/ip_fragment.c                  | 410 +++++++++++++++++++-------------
 net/ipv4/proc.c                         |   1 +
 net/ipv6/netfilter/nf_conntrack_reasm.c |   6 +
 net/ipv6/reassembly.c                   |   9 +-
 9 files changed, 292 insertions(+), 184 deletions(-)

-- 
1.8.3.1