Bug 1103097 - (CVE-2018-5391) VUL-0: CVE-2018-5391: kernel-source: FragmentSmack (IP fragments) (CVE-2018-5391)
Status: RESOLVED FIXED
Duplicates: 1107220
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P2 - High, Severity: Major
Assigned To: Security Team bot
CVSSv3:SUSE:CVE-2018-5391:7.5:(AV:N/A...
Reported: 2018-07-30 12:55 UTC by Marcus Meissner
Modified: 2022-04-12 12:25 UTC (History)
Comment 1 Michal Kubeček 2018-07-31 07:11:16 UTC
This may be related:

  http://patchwork.ozlabs.org/patch/951357/
Comment 2 Michal Kubeček 2018-08-01 09:05:01 UTC
The patch mentioned in comment 1 is now in net tree, together with another that
I overlooked yesterday:

  56e2c94f055d  inet: frag: enforce memory limits earlier
  4672694bd4f1  ipv4: frags: handle possible skb truesize change

The former is marked as fix for commit b13d3cbfb8e8 (from 3.17-rc1), the latter
as fix for commit 158f323b9868 (from 4.11-rc1), we don't have any of those in
any branch using kernel < 4.12.
Comment 4 Jiri Bohac 2018-08-02 19:03:43 UTC
(In reply to Michal Kubeček from comment #2)
>   56e2c94f055d  inet: frag: enforce memory limits earlier
>   4672694bd4f1  ipv4: frags: handle possible skb truesize change
> 
> The former is marked as fix for commit b13d3cbfb8e8 (from 3.17-rc1), the
> latter
> as fix for commit 158f323b9868 (from 4.11-rc1), we don't have any of those in
> any branch using kernel < 4.12.

b13d3cbfb8e8 is in the 4.4 based kernels (SLE12-SP2-LTSS, SLE12-SP3-TD)

But I fail to understand why this should not affect kernels prior to b13d3cbfb8e8. As the commit log of 56e2c94f055d says, "work queue could be starved under DOS, getting no cpu cycles."
Prior to b13d3cbfb8e8, the situation seems even worse to me, because
inet_frag_evictor is called directly from inet_frag_find. Wouldn't that cause even more problems than just rescheduling the workqueue?

I think the check for the high threshold should be backported to all old kernels.
Comment 5 Marcus Meissner 2018-08-03 05:26:35 UTC
Different CRD than SegmentSmack:

CRD: 2018-08-14
Comment 8 Michal Kubeček 2018-08-03 06:34:52 UTC
We will most likely want also https://patchwork.ozlabs.org/patch/953002/

I'll have to take a closer look at the rest of the series

  https://patchwork.ozlabs.org/project/netdev/list/?series=59090

to see if it is feasible w.r.t. kABI.

There are also

  https://patchwork.ozlabs.org/patch/953006/
  https://patchwork.ozlabs.org/patch/953009/

(the IPv4 part is probably too aggressive to enable it unconditionally)
Comment 9 Michal Kubeček 2018-08-06 06:27:35 UTC
Commit ids for the patches from comment 8:

  0ed4229b08c1  ipv6: defrag: drop non-last frags smaller than min mtu
  7969e5c40dfd  ip: discard IPv4 datagrams with overlapping segments.
  385114dec8a4  net: modify skb_rbtree_purge to return the truesize of all
                purged skbs.
  fa0f527358bd  ip: use rb trees for IP frag queue.

These are only in net-next right now.
Comment 11 Michal Kubeček 2018-08-06 19:31:38 UTC
...and one follow-up fix just arrived:

  https://patchwork.ozlabs.org/patch/954180/
Comment 12 Michal Kubeček 2018-08-06 22:12:31 UTC
(In reply to Michal Kubeček from comment #11)
> ...and one follow-up fix just arrived:
> 
>   https://patchwork.ozlabs.org/patch/954180/

In net-next now as

  70837ffe3085  ipv4: frags: precedence bug in ip_expire()
Comment 15 Jiri Bohac 2018-08-09 10:21:22 UTC
I believe the most important fix is
  56e2c94f055d  inet: frag: enforce memory limits earlier

To answer my own question from Comment #4, why this is marked as
   Fixes: b13d3cbfb8e8 ("inet: frag: move eviction of queues to work queue")
and why it does not apply to older kernels:

	b13d3cbfb8e8 keeps inet_frag_alloc() checking against the high_thresh
	limit and modifies inet_frag_find() to check against the low_thresh limit.
	Instead of directly evicting fragment queues when the limit is reached,
	the LRU evictor is scheduled on a work queue and the fragment is accepted
	and queued.

	This allows the attacker to first allocate a large number of fragment
	queues by sending the first tiny fragments for a lot of packets, up until
	the high_thresh limit.

	Then the attacker can continue sending many tiny fragments to these
	allocated work queues, easily surpassing the high_thresh limit by orders
	of magnitude. The evictor called from a work queue will not keep up with
	the rate of incoming fragments.

I talked to Marcus yesterday and he says we have not received any further
information what commits are necessary to backport. Looking at the stable
trees, only these two have been backported:

	56e2c94f05 (inet: frag: enforce memory limits earlier) - 
	4.17.13, 4.14.61, 4.9.118, 4.4.146, queued for 3.18

	4672694bd4 (ipv4: frags: handle possible skb truesize change) -
	4.17.13, 4.14.61, 4.9.118

Of the remaining patches, these two are easy to backport:
	7969e5c40d (ip: discard IPv4 datagrams with overlapping segments)
	0ed4229b08 (ipv6: defrag: drop non-last frags smaller than min mtu)

So I decided to backport:
        56e2c94f05 (inet: frag: enforce memory limits earlier)
        7969e5c40d (ip: discard IPv4 datagrams with overlapping segments)
        0ed4229b08 (ipv6: defrag: drop non-last frags smaller than min mtu)
to the 4.4 kernels, and cherrypicked these patches from Michal's SLE15
branch:
        56e2c94f05 (inet: frag: enforce memory limits earlier)
	4672694bd4 (ipv4: frags: handle possible skb truesize change) 
        7969e5c40d (ip: discard IPv4 datagrams with overlapping segments)
        0ed4229b08 (ipv6: defrag: drop non-last frags smaller than min mtu)
	
I left out the rbtree/rhashtables patches.

Note:
	7969e5c40d completely removes the code modified by 4672694bd4, so
	I did not include this in the 4.4 backport. 
	
	7969e5c40d adds a new snmp statistics counter -
	IPSTATS_MIB_REASM_OVERLAPS, which not only breaks KABI but also
	modifies /proc/net/snmp; 
	I added patches.kabi/ip-drop-IPSTATS_MIB_REASM_OVERLAPS.patch
	which removes IPSTATS_MIB_REASM_OVERLAPS and accounts the newly
	dropped fragments to the IPSTATS_MIB_REASMFAILS counter instead.

Please pull:
	users/jbohac/cve/linux-4.4/1103097 -> cve/linux-4.4_EMBARGO
	users/jbohac/SLE15/1103097 -> SLE15_EMBARGO
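
Added example (not part of the original comment or of SUSE's tooling): comment 15 notes that the 4.4 backport accounts dropped overlapping fragments to IPSTATS_MIB_REASMFAILS, which appears as the `ReasmFails` column of the `Ip:` lines in /proc/net/snmp, so a monitor on those kernels can watch that column. The snapshot contents and the alert threshold of 100 are constructed assumptions.

```shell
#!/bin/sh
# Track IPv4 reassembly counters from two /proc/net/snmp snapshots.

# snmp_ip_field FILE NAME
# Prints column NAME from the "Ip:" header/value line pair in FILE.
# Returns 1 when the column does not exist.
snmp_ip_field() {
    awk -v want="$2" '
        $1 == "Ip:" && !hdr {
            for (i = 2; i <= NF; i++) col[$i] = i
            hdr = 1
            next
        }
        $1 == "Ip:" && hdr {
            if (want in col) {
                print $(col[want])
                found = 1
            }
            exit
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# reasm_delta BEFORE AFTER MAX_FAILS
# Prints how much ReasmReqds and ReasmFails grew between two snapshots.
# Returns 1 when ReasmFails grew by more than MAX_FAILS, 2 on parse errors.
# Counter wrap-around is not handled.
reasm_delta() {
    r0=$(snmp_ip_field "$1" ReasmReqds) || return 2
    r1=$(snmp_ip_field "$2" ReasmReqds) || return 2
    f0=$(snmp_ip_field "$1" ReasmFails) || return 2
    f1=$(snmp_ip_field "$2" ReasmFails) || return 2
    echo "ReasmReqds +$((r1 - r0)) ReasmFails +$((f1 - f0))"
    [ $((f1 - f0)) -le "$3" ]
}

# write_sample FILE REQDS FAILS
# Writes a constructed snapshot in the /proc/net/snmp layout.
write_sample() {
    {
        echo "Ip: Forwarding DefaultTTL InReceives InHdrErrors InAddrErrors ForwDatagrams InUnknownProtos InDiscards InDelivers OutRequests OutDiscards OutNoRoutes ReasmTimeout ReasmReqds ReasmOKs ReasmFails FragOKs FragFails FragCreates"
        echo "Ip: 1 64 90000 0 0 0 0 0 88000 70000 0 0 0 $2 10 $3 0 0 0"
        echo "Icmp: InMsgs InErrors"
        echo "Icmp: 12 0"
    } > "$1"
}

# Demo on constructed snapshots. On a live host, copy /proc/net/snmp twice
# some seconds apart and pass the two copies to reasm_delta instead.
tmp=$(mktemp -d)
write_sample "$tmp/before" 40 5
write_sample "$tmp/after" 5040 4805
reasm_delta "$tmp/before" "$tmp/after" 100 ||
    echo "ALERT: ReasmFails grew by more than 100 between snapshots"
rm -rf "$tmp"
```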
Comment 28 Swamp Workflow Management 2018-08-14 19:13:36 UTC
This is an autogenerated message for OBS integration:
This bug (1103097) was mentioned in
https://build.opensuse.org/request/show/629278 15.0 / kernel-source
https://build.opensuse.org/request/show/629279 42.3 / kernel-source
Comment 29 Swamp Workflow Management 2018-08-16 10:18:56 UTC
SUSE-SU-2018:2344-1: An update that solves 11 vulnerabilities and has 18 fixes is now available.

Category: security (important)
Bug References: 1064232,1076110,1083635,1085042,1086652,1087081,1089343,1090123,1091171,1094248,1096130,1096480,1096978,1097140,1097551,1098016,1098425,1098435,1099924,1100089,1100416,1100418,1100491,1101557,1102340,1102851,1103097,1103119,1103580
CVE References: CVE-2017-18344,CVE-2018-13053,CVE-2018-13405,CVE-2018-13406,CVE-2018-14734,CVE-2018-3620,CVE-2018-3646,CVE-2018-5390,CVE-2018-5391,CVE-2018-5814,CVE-2018-9385
Sources used:
SUSE OpenStack Cloud 7 (src):    kernel-default-4.4.121-92.92.1, kernel-source-4.4.121-92.92.1, kernel-syms-4.4.121-92.92.1, kgraft-patch-SLE12-SP2_Update_24-1-3.7.1, lttng-modules-2.7.1-9.4.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    kernel-default-4.4.121-92.92.1, kernel-source-4.4.121-92.92.1, kernel-syms-4.4.121-92.92.1, kgraft-patch-SLE12-SP2_Update_24-1-3.7.1, lttng-modules-2.7.1-9.4.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src):    kernel-default-4.4.121-92.92.1, kernel-source-4.4.121-92.92.1, kernel-syms-4.4.121-92.92.1, kgraft-patch-SLE12-SP2_Update_24-1-3.7.1, lttng-modules-2.7.1-9.4.1
SUSE Linux Enterprise High Availability 12-SP2 (src):    kernel-default-4.4.121-92.92.1
SUSE Enterprise Storage 4 (src):    kernel-default-4.4.121-92.92.1, kernel-source-4.4.121-92.92.1, kernel-syms-4.4.121-92.92.1, kgraft-patch-SLE12-SP2_Update_24-1-3.7.1, lttng-modules-2.7.1-9.4.1
OpenStack Cloud Magnum Orchestration 7 (src):    kernel-default-4.4.121-92.92.1
Comment 30 Swamp Workflow Management 2018-08-16 13:20:26 UTC
SUSE-SU-2018:2374-1: An update that solves 6 vulnerabilities and has 63 fixes is now available.

Category: security (important)
Bug References: 1012382,1023711,1064232,1076110,1078216,1082653,1082979,1085042,1085536,1085657,1087081,1087659,1089343,1089525,1090123,1090340,1090435,1090888,1091107,1092001,1092207,1093777,1094120,1094244,1095453,1095643,1096790,1096978,1097034,1097501,1097771,1098599,1099306,1099713,1099792,1099810,1099858,1099918,1099966,1099993,1100089,1100132,1100340,1100843,1100930,1101296,1101331,1101658,1101789,1102188,1102197,1102203,1102205,1102207,1102211,1102214,1102215,1102340,1102394,1102683,1102851,1103097,1103119,1103580,1103717,1103745,1103884,1104174,997935
CVE References: CVE-2017-18344,CVE-2018-14734,CVE-2018-3620,CVE-2018-3646,CVE-2018-5390,CVE-2018-5391
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    kernel-docs-azure-4.4.143-4.13.1
SUSE Linux Enterprise Server 12-SP3 (src):    kernel-azure-4.4.143-4.13.1, kernel-source-azure-4.4.143-4.13.1
Comment 32 Swamp Workflow Management 2018-08-16 16:18:05 UTC
SUSE-SU-2018:2380-1: An update that solves 11 vulnerabilities and has 61 fixes is now available.

Category: security (important)
Bug References: 1051510,1051979,1066110,1077761,1086274,1086314,1087081,1089343,1099811,1099813,1099844,1099845,1099846,1099849,1099858,1099863,1099864,1100132,1101116,1101331,1101669,1101828,1101832,1101833,1101837,1101839,1101841,1101843,1101844,1101845,1101847,1101852,1101853,1101867,1101872,1101874,1101875,1101882,1101883,1101885,1101887,1101890,1101891,1101893,1101895,1101896,1101900,1101902,1101903,1102633,1102658,1103097,1103356,1103421,1103517,1103723,1103724,1103725,1103726,1103727,1103728,1103729,1103730,1103917,1103920,1103948,1103949,1104066,1104111,1104174,1104211,1104319
CVE References: CVE-2018-10876,CVE-2018-10877,CVE-2018-10878,CVE-2018-10879,CVE-2018-10880,CVE-2018-10881,CVE-2018-10882,CVE-2018-10883,CVE-2018-3620,CVE-2018-3646,CVE-2018-5391
Sources used:
SUSE Linux Enterprise Workstation Extension 15 (src):    kernel-default-4.12.14-25.13.1
SUSE Linux Enterprise Module for Legacy Software 15 (src):    kernel-default-4.12.14-25.13.1
SUSE Linux Enterprise Module for Development Tools 15 (src):    kernel-docs-4.12.14-25.13.1, kernel-obs-build-4.12.14-25.13.1, kernel-source-4.12.14-25.13.1, kernel-syms-4.12.14-25.13.1, kernel-vanilla-4.12.14-25.13.1, lttng-modules-2.10.0-5.4.2
SUSE Linux Enterprise Module for Basesystem 15 (src):    kernel-default-4.12.14-25.13.1, kernel-source-4.12.14-25.13.1, kernel-zfcpdump-4.12.14-25.13.1
SUSE Linux Enterprise High Availability 15 (src):    kernel-default-4.12.14-25.13.1
Comment 33 Swamp Workflow Management 2018-08-16 16:28:54 UTC
SUSE-SU-2018:2381-1: An update that solves 11 vulnerabilities and has 61 fixes is now available.

Category: security (important)
Bug References: 1051510,1051979,1066110,1077761,1086274,1086314,1087081,1089343,1099811,1099813,1099844,1099845,1099846,1099849,1099858,1099863,1099864,1100132,1101116,1101331,1101669,1101828,1101832,1101833,1101837,1101839,1101841,1101843,1101844,1101845,1101847,1101852,1101853,1101867,1101872,1101874,1101875,1101882,1101883,1101885,1101887,1101890,1101891,1101893,1101895,1101896,1101900,1101902,1101903,1102633,1102658,1103097,1103356,1103421,1103517,1103723,1103724,1103725,1103726,1103727,1103728,1103729,1103730,1103917,1103920,1103948,1103949,1104066,1104111,1104174,1104211,1104319
CVE References: CVE-2018-10876,CVE-2018-10877,CVE-2018-10878,CVE-2018-10879,CVE-2018-10880,CVE-2018-10881,CVE-2018-10882,CVE-2018-10883,CVE-2018-3620,CVE-2018-3646,CVE-2018-5391
Sources used:
SUSE Linux Enterprise Module for Live Patching 15 (src):    kernel-default-4.12.14-25.13.1
Comment 34 Swamp Workflow Management 2018-08-17 10:28:41 UTC
openSUSE-SU-2018:2404-1: An update that solves 14 vulnerabilities and has 41 fixes is now available.

Category: security (important)
Bug References: 1012382,1082653,1082979,1085042,1085536,1086457,1087081,1089343,1090123,1090435,1092001,1094244,1095643,1096978,1097771,1099811,1099813,1099844,1099845,1099846,1099849,1099858,1099863,1099864,1100132,1100930,1101331,1101658,1101789,1101841,1102188,1102197,1102203,1102205,1102207,1102211,1102214,1102215,1102340,1102394,1102683,1102851,1103097,1103119,1103269,1103445,1103580,1103717,1103745,1103884,1104174,1104319,1104365,1104494,1104495
CVE References: CVE-2017-18344,CVE-2018-10876,CVE-2018-10877,CVE-2018-10878,CVE-2018-10879,CVE-2018-10880,CVE-2018-10881,CVE-2018-10882,CVE-2018-10883,CVE-2018-14734,CVE-2018-3620,CVE-2018-3646,CVE-2018-5390,CVE-2018-5391
Sources used:
openSUSE Leap 42.3 (src):    kernel-debug-4.4.143-65.1, kernel-default-4.4.143-65.1, kernel-docs-4.4.143-65.1, kernel-obs-build-4.4.143-65.1, kernel-obs-qa-4.4.143-65.1, kernel-source-4.4.143-65.1, kernel-syms-4.4.143-65.1, kernel-vanilla-4.4.143-65.1
Comment 35 Swamp Workflow Management 2018-08-17 10:43:08 UTC
openSUSE-SU-2018:2407-1: An update that solves 12 vulnerabilities and has 60 fixes is now available.

Category: security (important)
Bug References: 1065600,1081917,1083647,1086288,1086314,1086315,1086317,1086327,1086331,1086906,1087081,1087092,1089343,1090888,1097104,1097577,1097808,1099811,1099813,1099844,1099845,1099846,1099849,1099863,1099864,1100132,1101116,1101828,1101832,1101833,1101837,1101839,1101841,1101843,1101844,1101845,1101847,1101852,1101853,1101867,1101872,1101874,1101875,1101882,1101883,1101885,1101887,1101890,1101891,1101893,1101895,1101896,1101900,1101902,1101903,1102340,1103097,1103269,1103277,1103363,1103445,1103886,1104066,1104211,1104319,1104353,1104365,1104427,1104494,1104495,1104708,1104777
CVE References: CVE-2018-10853,CVE-2018-10876,CVE-2018-10877,CVE-2018-10878,CVE-2018-10879,CVE-2018-10880,CVE-2018-10881,CVE-2018-10882,CVE-2018-10883,CVE-2018-3620,CVE-2018-3646,CVE-2018-5391
Sources used:
openSUSE Leap 15.0 (src):    kernel-debug-4.12.14-lp150.12.16.1, kernel-default-4.12.14-lp150.12.16.1, kernel-docs-4.12.14-lp150.12.16.1, kernel-kvmsmall-4.12.14-lp150.12.16.1, kernel-obs-build-4.12.14-lp150.12.16.1, kernel-obs-qa-4.12.14-lp150.12.16.1, kernel-source-4.12.14-lp150.12.16.1, kernel-syms-4.12.14-lp150.12.16.1, kernel-vanilla-4.12.14-lp150.12.16.1
Comment 36 Swamp Workflow Management 2018-08-20 13:20:35 UTC
SUSE-SU-2018:2450-1: An update that solves 12 vulnerabilities and has 88 fixes is now available.

Category: security (important)
Bug References: 1051510,1051979,1065600,1066110,1077761,1081917,1083647,1086274,1086288,1086314,1086315,1086317,1086327,1086331,1086906,1087081,1087092,1089343,1090888,1097104,1097577,1097808,1099811,1099813,1099844,1099845,1099846,1099849,1099858,1099863,1099864,1100132,1101116,1101331,1101669,1101822,1101828,1101832,1101833,1101837,1101839,1101841,1101843,1101844,1101845,1101847,1101852,1101853,1101867,1101872,1101874,1101875,1101882,1101883,1101885,1101887,1101890,1101891,1101893,1101895,1101896,1101900,1101902,1101903,1102633,1102658,1103097,1103269,1103277,1103356,1103363,1103421,1103445,1103517,1103723,1103724,1103725,1103726,1103727,1103728,1103729,1103730,1103886,1103917,1103920,1103948,1103949,1104066,1104111,1104174,1104211,1104319,1104353,1104365,1104427,1104494,1104495,1104708,1104777,1104897
CVE References: CVE-2018-10853,CVE-2018-10876,CVE-2018-10877,CVE-2018-10878,CVE-2018-10879,CVE-2018-10880,CVE-2018-10881,CVE-2018-10882,CVE-2018-10883,CVE-2018-3620,CVE-2018-3646,CVE-2018-5391
Sources used:
SUSE Linux Enterprise Module for Public Cloud 15 (src):    kernel-azure-4.12.14-5.13.1, kernel-source-azure-4.12.14-5.13.1, kernel-syms-azure-4.12.14-5.13.1
Comment 38 Swamp Workflow Management 2018-09-03 19:20:47 UTC
SUSE-SU-2018:2596-1: An update that solves 15 vulnerabilities and has 58 fixes is now available.

Category: security (important)
Bug References: 1012382,1064232,1065364,1068032,1076110,1082653,1082979,1085042,1085536,1086457,1087081,1089343,1090123,1090435,1091171,1091860,1092001,1094244,1095643,1096254,1096978,1097771,1098253,1098599,1099792,1099811,1099813,1099844,1099845,1099846,1099849,1099858,1099863,1099864,1100132,1100843,1100930,1101296,1101331,1101658,1101789,1101822,1101841,1102188,1102197,1102203,1102205,1102207,1102211,1102214,1102215,1102340,1102394,1102683,1102715,1102797,1102851,1103097,1103119,1103269,1103445,1103580,1103717,1103745,1103884,1104174,1104319,1104365,1104494,1104495,1104897,1105292,970506
CVE References: CVE-2017-18344,CVE-2018-10876,CVE-2018-10877,CVE-2018-10878,CVE-2018-10879,CVE-2018-10880,CVE-2018-10881,CVE-2018-10882,CVE-2018-10883,CVE-2018-14734,CVE-2018-3620,CVE-2018-3646,CVE-2018-5390,CVE-2018-5391,CVE-2018-9363
Sources used:
SUSE Linux Enterprise Real Time Extension 12-SP3 (src):    kernel-rt-4.4.147-3.20.1, kernel-rt_debug-4.4.147-3.20.1, kernel-source-rt-4.4.147-3.20.1, kernel-syms-rt-4.4.147-3.20.1
Comment 39 Michal Kubeček 2018-09-05 04:56:57 UTC
*** Bug 1107220 has been marked as a duplicate of this bug. ***
Comment 43 Lance Ortiz 2018-10-10 14:50:31 UTC
I have not seen any update on this one for a while.  What is the current status?  When do we plan on seeing a fix here?
Comment 44 Lance Ortiz 2018-10-10 14:59:46 UTC
(In reply to Lance Ortiz from comment #43)
> I have not seen any update on this one for a while.  What is the current
> status?  When do we plan on seeing a fix here?

More specifically for SLES12SP1, I see other OSs out there, but not this version. This is needed for EMC products.
Comment 45 Marcus Meissner 2018-10-10 15:13:33 UTC
needinfo for Michael I think
Comment 47 Swamp Workflow Management 2018-10-18 18:13:55 UTC
SUSE-SU-2018:2344-2: An update that solves 11 vulnerabilities and has 18 fixes is now available.

Category: security (important)
Bug References: 1064232,1076110,1083635,1085042,1086652,1087081,1089343,1090123,1091171,1094248,1096130,1096480,1096978,1097140,1097551,1098016,1098425,1098435,1099924,1100089,1100416,1100418,1100491,1101557,1102340,1102851,1103097,1103119,1103580
CVE References: CVE-2017-18344,CVE-2018-13053,CVE-2018-13405,CVE-2018-13406,CVE-2018-14734,CVE-2018-3620,CVE-2018-3646,CVE-2018-5390,CVE-2018-5391,CVE-2018-5814,CVE-2018-9385
Sources used:
SUSE Linux Enterprise Server 12-SP2-BCL (src):    kernel-default-4.4.121-92.92.1, kernel-source-4.4.121-92.92.1, kernel-syms-4.4.121-92.92.1, kgraft-patch-SLE12-SP2_Update_24-1-3.7.1, lttng-modules-2.7.1-9.4.1
Comment 48 mike zhu 2018-11-07 09:29:09 UTC
Hi, any update about the fix on SLES12SP1?
Comment 54 Derro Xu 2018-11-29 07:14:58 UTC
Hi,

I am wondering if there is any update about the fix on SLES12SP1? Thanks!

Regards,
Derro
Comment 55 Michal Kubeček 2018-12-20 12:08:06 UTC
I finally found time to resolve the mystery of failing kernel selftest for the
overlapping fragments (reported by Nicolai). The trick is that the overlapping
fragment generated by the selftest also fails one of the earlier sanity checks
which only result in dropping the current fragment rather than the whole queue.

In mainline this is addressed by commits

  0ff89efb5246  ip: fail fast on IP defrag errors
  2475f59c618e  ipv6: discard IP frag queue on more errors

With these two and minor changes to the ip_defrag.sh script, all four ip_defrag
tests pass on SLE12-SP3. In particular, one needs to raise the thresholds for
IPv6 (I used 19000000 and 17000000) and set the same limits (for both IPv4 and
IPv6) also in init_net because we don't have mainline commit

  836196239298  net/ipfrag: let ip[6]frag_high_thresh in ns be higher than in
                init_net

So that the high threshold cannot be raised in the namespace used by the test
without raising it in init_net first.

I'm going to push the two commits above and fixes from bsc#1110286 (mainline
commit ebaf39e6032f) and bsc#1116345 (net tree commit ade446403bfb) to our
4.4 based branches. This should also unblock the backport to 3.12 based
branches if the tests are successful there as well.
Comment 56 Michal Kubeček 2018-12-20 23:37:47 UTC
Patches

  0ff89efb5246  ip: fail fast on IP defrag errors
  2475f59c618e  ipv6: discard IP frag queue on more errors
  ebaf39e6032f  ipv4: ipv6: netfilter: Adjust the frag mem limit when truesize
                changes
  ade446403bfb  net: ipv4: do not handle duplicate fragments as overlapping

are now in SLE12-SP3 and submitted to SLE12-SP2-LTSS.
Comment 57 Derro Xu 2018-12-21 09:06:53 UTC
So, it will be backported to suse12sp1, right?
Comment 60 Swamp Workflow Management 2019-01-18 20:34:16 UTC
This is an autogenerated message for OBS integration:
This bug (1103097) was mentioned in
https://build.opensuse.org/request/show/667052 42.3 / kernel-source
Comment 61 Marcus Meissner 2019-01-24 13:37:58 UTC
Our current research shows that older kernels before 3.9 are only very lightly impacted, as the fragment space is smaller.

The commit c2a936600f78aea00d3312ea4b66a79a4619f9b4 changes these limits to higher values which makes the Denial of Service attack efficient. It was introduced in 3.9.

/proc/sys/net/ipv4/ipfrag_low_thresh
/proc/sys/net/ipv4/ipfrag_high_thresh

/proc/sys/net/ipv6/ip6frag_low_thresh
/proc/sys/net/ipv6/ip6frag_high_thresh

On still unfixed kernels the values can be reduced from 3 / 4 MB down to 196608 or 262144 for low / high watermarks respectively to reduce potential impact.
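
Added example (not part of the original comment): an audit of the four knobs listed in comment 61 against the reduced watermarks it gives. The function names and the sample tree, which holds the 3 MB / 4 MB values the comment mentions, are constructed for illustration.

```shell
#!/bin/sh
# Audit the IP fragment reassembly watermarks named in comment 61.

LOW_MAX=196608    # reduced low watermark from comment 61 (bytes)
HIGH_MAX=262144   # reduced high watermark from comment 61 (bytes)

# audit_frag_thresh ROOT
# ROOT is a sysctl tree (/proc/sys on a live host). Prints one line per knob.
# Returns 0 when every readable knob is at or below the reduced value,
# 1 when at least one is above it or cannot be parsed.
audit_frag_thresh() {
    root=$1
    rc=0
    # Each family's low knob is listed before its high knob: running the
    # printed commands in this order keeps low <= high at every step.
    for entry in \
        "net/ipv4/ipfrag_low_thresh:$LOW_MAX" \
        "net/ipv4/ipfrag_high_thresh:$HIGH_MAX" \
        "net/ipv6/ip6frag_low_thresh:$LOW_MAX" \
        "net/ipv6/ip6frag_high_thresh:$HIGH_MAX"
    do
        path=${entry%%:*}
        limit=${entry##*:}
        key=$(printf '%s' "$path" | tr / .)
        if [ ! -r "$root/$path" ]; then
            echo "SKIP $key (not present, e.g. IPv6 not loaded)"
            continue
        fi
        value=$(cat "$root/$path")
        case $value in
            ''|*[!0-9]*)
                echo "BAD  $key: unparsable value '$value'"
                rc=1
                continue ;;
        esac
        if [ "$value" -gt "$limit" ]; then
            echo "HIGH $key=$value (> $limit); fix: sysctl -w $key=$limit"
            rc=1
        else
            echo "OK   $key=$value"
        fi
    done
    return $rc
}

# demo: runs the audit on a constructed tree with 3 MB / 4 MB watermarks.
demo() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/net/ipv4" "$d/net/ipv6"
    echo 3145728 > "$d/net/ipv4/ipfrag_low_thresh"
    echo 4194304 > "$d/net/ipv4/ipfrag_high_thresh"
    echo 3145728 > "$d/net/ipv6/ip6frag_low_thresh"
    echo 4194304 > "$d/net/ipv6/ip6frag_high_thresh"
    if audit_frag_thresh "$d"; then status=0; else status=1; fi
    rm -rf "$d"
    return $status
}

# On a live host call: audit_frag_thresh /proc/sys
demo || echo "sample tree is above the reduced watermarks"
```

The printed `sysctl -w` settings do not survive a reboot unless they are also placed in the host's sysctl configuration.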
Comment 66 Swamp Workflow Management 2019-02-01 19:35:13 UTC
This is an autogenerated message for OBS integration:
This bug (1103097) was mentioned in
https://build.opensuse.org/request/show/670625 42.3 / kernel-source
Comment 68 Derro Xu 2019-02-18 06:13:34 UTC
(In reply to Marcus Meissner from comment #61)
> Our current research shows that older kernel before 3.9 are only very
> lightly impacted, as the fragment space is smaller.
> 
> The commit c2a936600f78aea00d3312ea4b66a79a4619f9b4 changes these limits to
> higher values which makes the Denial of Service attack efficient. It was
> introduced in 3.9.
> 
> /proc/sys/net/ipv4/ipfrag_low_thresh
> /proc/sys/net/ipv4/ipfrag_high_thresh
> 
> /proc/sys/net/ipv6/ip6frag_low_thresh
> /proc/sys/net/ipv6/ip6frag_high_thresh
> 
> On still unfixed kernels the values can be reduced from 3 / 4 MB 
> down to 196608 or 262144   for low / high watermarks respectively to reduce
> potential impact.


We are being pushed to give updates for sles12sp1. Do you have any plan? Thanks a lot.
Comment 70 Swamp Workflow Management 2019-02-21 19:41:06 UTC
This is an autogenerated message for OBS integration:
This bug (1103097) was mentioned in
https://build.opensuse.org/request/show/678080 42.3 / kernel-source
Comment 71 Swamp Workflow Management 2019-03-01 14:12:20 UTC
openSUSE-SU-2019:0274-1: An update that solves 5 vulnerabilities and has 33 fixes is now available.

Category: security (important)
Bug References: 1012382,1020413,1031492,1042286,1050549,1078355,1086095,1086652,1099810,1103097,1105428,1106061,1106929,1116345,1117108,1117645,1117744,1120017,1120758,1120902,1123933,1124166,1124732,1124735,1124775,1124777,1124780,1124811,1125000,1125014,1125446,1125794,1125796,1125808,1125809,1125810,1125892,802154
CVE References: CVE-2018-5391,CVE-2019-3459,CVE-2019-3460,CVE-2019-7221,CVE-2019-7222
Sources used:
openSUSE Leap 42.3 (src):    kernel-debug-4.4.175-89.1, kernel-default-4.4.175-89.1, kernel-docs-4.4.175-89.1, kernel-obs-build-4.4.175-89.1, kernel-obs-qa-4.4.175-89.1, kernel-source-4.4.175-89.1, kernel-syms-4.4.175-89.1, kernel-vanilla-4.4.175-89.1
Comment 72 Swamp Workflow Management 2019-03-04 20:18:12 UTC
SUSE-SU-2019:0541-1: An update that solves 14 vulnerabilities and has 148 fixes is now available.

Category: security (important)
Bug References: 1012382,1015336,1015337,1015340,1019683,1019695,1020413,1020645,1023175,1027260,1027457,1031492,1042286,1043083,1046264,1047487,1048916,1050549,1065600,1066223,1068032,1070805,1078355,1079935,1086095,1086423,1086652,1091405,1093158,1094244,1094823,1094973,1096242,1096281,1099523,1099810,1100105,1101557,1102439,1102660,1102875,1102877,1102879,1102882,1102896,1103097,1103156,1103257,1103624,1104098,1104731,1105428,1106061,1106105,1106237,1106240,1106929,1107385,1107866,1108145,1108240,1109272,1109330,1109695,1109806,1110286,1111062,1111174,1111809,1112246,1112963,1113412,1113766,1114190,1114417,1114475,1114648,1114763,1114839,1114871,1114893,1115431,1115433,1115440,1115482,1115709,1116027,1116183,1116285,1116336,1116345,1116497,1116653,1116841,1116924,1116950,1116962,1117108,1117162,1117165,1117186,1117562,1117645,1117744,1118152,1118316,1118319,1118505,1118790,1118798,1118915,1118922,1118926,1118930,1118936,1119204,1119680,1119714,1119877,1119946,1119967,1119970,1120017,1120046,1120722,1120743,1120758,1120902,1120950,1121239,1121240,1121241,1121242,1121275,1121621,1121726,1122650,1122651,1122779,1122885,1123321,1123323,1123357,1123933,1124166,1124728,1124732,1124735,1124775,1124777,1124780,1124811,1125000,1125014,1125446,1125794,1125796,1125808,1125809,1125810,1125892,985031
CVE References: CVE-2018-1120,CVE-2018-16862,CVE-2018-16884,CVE-2018-19407,CVE-2018-19824,CVE-2018-19985,CVE-2018-20169,CVE-2018-5391,CVE-2018-9568,CVE-2019-3459,CVE-2019-3460,CVE-2019-6974,CVE-2019-7221,CVE-2019-7222
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP3 (src):    kernel-default-4.4.175-94.79.1
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    kernel-docs-4.4.175-94.79.1, kernel-obs-build-4.4.175-94.79.1
SUSE Linux Enterprise Server 12-SP3 (src):    kernel-default-4.4.175-94.79.1, kernel-source-4.4.175-94.79.1, kernel-syms-4.4.175-94.79.1
SUSE Linux Enterprise High Availability 12-SP3 (src):    kernel-default-4.4.175-94.79.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    kernel-default-4.4.175-94.79.1, kernel-source-4.4.175-94.79.1, kernel-syms-4.4.175-94.79.1
SUSE CaaS Platform ALL (src):    kernel-default-4.4.175-94.79.1
SUSE CaaS Platform 3.0 (src):    kernel-default-4.4.175-94.79.1
Comment 73 Swamp Workflow Management 2019-03-04 20:41:38 UTC
SUSE-SU-2019:0541-1: An update that solves 14 vulnerabilities and has 148 fixes is now available.

Category: security (important)
Bug References: 1012382,1015336,1015337,1015340,1019683,1019695,1020413,1020645,1023175,1027260,1027457,1031492,1042286,1043083,1046264,1047487,1048916,1050549,1065600,1066223,1068032,1070805,1078355,1079935,1086095,1086423,1086652,1091405,1093158,1094244,1094823,1094973,1096242,1096281,1099523,1099810,1100105,1101557,1102439,1102660,1102875,1102877,1102879,1102882,1102896,1103097,1103156,1103257,1103624,1104098,1104731,1105428,1106061,1106105,1106237,1106240,1106929,1107385,1107866,1108145,1108240,1109272,1109330,1109695,1109806,1110286,1111062,1111174,1111809,1112246,1112963,1113412,1113766,1114190,1114417,1114475,1114648,1114763,1114839,1114871,1114893,1115431,1115433,1115440,1115482,1115709,1116027,1116183,1116285,1116336,1116345,1116497,1116653,1116841,1116924,1116950,1116962,1117108,1117162,1117165,1117186,1117562,1117645,1117744,1118152,1118316,1118319,1118505,1118790,1118798,1118915,1118922,1118926,1118930,1118936,1119204,1119680,1119714,1119877,1119946,1119967,1119970,1120017,1120046,1120722,1120743,1120758,1120902,1120950,1121239,1121240,1121241,1121242,1121275,1121621,1121726,1122650,1122651,1122779,1122885,1123321,1123323,1123357,1123933,1124166,1124728,1124732,1124735,1124775,1124777,1124780,1124811,1125000,1125014,1125446,1125794,1125796,1125808,1125809,1125810,1125892,985031
CVE References: CVE-2018-1120,CVE-2018-16862,CVE-2018-16884,CVE-2018-19407,CVE-2018-19824,CVE-2018-19985,CVE-2018-20169,CVE-2018-5391,CVE-2018-9568,CVE-2019-3459,CVE-2019-3460,CVE-2019-6974,CVE-2019-7221,CVE-2019-7222
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP3 (src):    kernel-default-4.4.175-94.79.1
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    kernel-docs-4.4.175-94.79.1, kernel-obs-build-4.4.175-94.79.1
SUSE Linux Enterprise Server 12-SP3 (src):    kernel-default-4.4.175-94.79.1, kernel-source-4.4.175-94.79.1, kernel-syms-4.4.175-94.79.1
SUSE Linux Enterprise Live Patching 12-SP3 (src):    kgraft-patch-SLE12-SP3_Update_23-1-4.7.1
SUSE Linux Enterprise High Availability 12-SP3 (src):    kernel-default-4.4.175-94.79.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    kernel-default-4.4.175-94.79.1, kernel-source-4.4.175-94.79.1, kernel-syms-4.4.175-94.79.1
SUSE CaaS Platform ALL (src):    kernel-default-4.4.175-94.79.1
SUSE CaaS Platform 3.0 (src):    kernel-default-4.4.175-94.79.1
Comment 75 Blake He 2019-04-25 03:37:47 UTC
Hello,
I've tried to install the patch (kgraft-patch-SLE12-SP1_Update_32-6-2.1.src.rpm) on sles12sp1. But I can not find the patch name in the rpm list, and the kernel version did not change after the patch installed.
># rpm -qa | grep kgraft-patch
>#
># uname -r
>3.12.74-60.64.107-default

So how do I verify the patch installed or not on sles12sp1? Thank you.
Comment 76 Miroslav Beneš 2019-04-25 08:11:41 UTC
(In reply to Blake He from comment #75)
> Hello,
> I've tried to install the
> patch(kgraft-patch-SLE12-SP1_Update_32-6-2.1.src.rpm) on sles12sp1.

It looks like a source rpm.

> But I
> can not find the patch name in the rpm list, and the kernel version did not
> change after the patch installed.
> ># rpm -qa | grep kgraft-patch

If you installed the rpm, it should be listed here. Strange.

> ># uname -r
> >3.12.74-60.64.107-default

That's correct. The kernel version does not change with kgraft-patch installed. Could you share "uname -a", please?

> So how do I verify the patch installed or not on sles12sp1? Thank you.

There is "kgr" tool, which can be used.

Btw, bug 1103098 is more appropriate in this case, so please reply there.
Comment 77 Lance Ortiz 2019-04-30 14:36:15 UTC
(In reply to Miroslav Beneš from comment #76)
> There is "kgr" tool, which can be used.
> 
> Btw, bug 1103098 is more appropriate in this case, so please reply there.

The bug mentioned is an internal SUSE bug with no partners added to it. Also it has not been updated in quite a while. I can add Blake to that bug, but would it be better to resolve the issue here with the current context?
Comment 81 Swamp Workflow Management 2019-05-17 19:18:31 UTC
SUSE-SU-2019:1289-1: An update that solves 33 vulnerabilities and has 13 fixes is now available.

Category: security (important)
Bug References: 1031240,1034862,1066674,1071021,1086535,1091171,1094825,1100001,1102517,1103097,1104475,1105025,1105296,1106913,1107829,1108498,1110768,1111331,1111516,1113751,1113769,1114648,1114920,1115007,1115038,1116345,1116841,1118152,1118319,1119714,1119946,1120743,1120758,1121621,1122015,1123161,1124010,1124728,1124732,1124735,1126890,1128166,1131416,1131427,1132828,1133188
CVE References: CVE-2016-10741,CVE-2017-1000407,CVE-2017-16533,CVE-2017-7273,CVE-2017-7472,CVE-2018-12126,CVE-2018-12127,CVE-2018-12130,CVE-2018-14633,CVE-2018-15572,CVE-2018-16884,CVE-2018-18281,CVE-2018-18386,CVE-2018-18690,CVE-2018-18710,CVE-2018-19407,CVE-2018-19824,CVE-2018-19985,CVE-2018-20169,CVE-2018-5391,CVE-2018-9516,CVE-2018-9568,CVE-2019-11091,CVE-2019-11486,CVE-2019-3459,CVE-2019-3460,CVE-2019-3882,CVE-2019-6974,CVE-2019-7221,CVE-2019-7222,CVE-2019-8564,CVE-2019-9213,CVE-2019-9503
Sources used:
SUSE Linux Enterprise Server for SAP 12-SP1 (src):    kernel-default-3.12.74-60.64.110.1, kernel-source-3.12.74-60.64.110.1, kernel-syms-3.12.74-60.64.110.1, kernel-xen-3.12.74-60.64.110.1, lttng-modules-2.7.0-4.4.1
SUSE Linux Enterprise Server 12-SP1-LTSS (src):    kernel-default-3.12.74-60.64.110.1, kernel-source-3.12.74-60.64.110.1, kernel-syms-3.12.74-60.64.110.1, kernel-xen-3.12.74-60.64.110.1, lttng-modules-2.7.0-4.4.1
SUSE Linux Enterprise Module for Public Cloud 12 (src):    kernel-ec2-3.12.74-60.64.110.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 86 Gabriele Sonnu 2022-04-12 12:25:28 UTC
Done.