Bug 1014701 - (CVE-2016-9919) VUL-0: CVE-2016-9919: kernel-source: kernel panic on fragmented IPv6 traffic (icmp6_send)
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P1 - Urgent
Severity: Major
Assigned To: Security Team bot
Whiteboard: CVSSv2:RedHat:CVE-2016-9919:7.1:(AV:N...
Reported: 2016-12-09 00:26 UTC by Mikhail Kasimov
Modified: 2018-07-03 18:13 UTC (History)
Description Mikhail Kasimov 2016-12-09 00:26:22 UTC
Reference: http://seclists.org/oss-sec/2016/q4/640
===================================================
Hi,

The linux kernel contains a bug where a fragmented IPv6 packet causes a
panic after a timeout (seems to be roughly 60 seconds). This can be
triggered remotely via the internet and results in a DoS (kernel panic).

Details: https://bugzilla.kernel.org/show_bug.cgi?id=189851

This is fixed by commit 79dc7e3f1cd323be4c81aa1a94faa1b3ed987fb2
Author: David Ahern <dsa () cumulusnetworks com>
Date:   Sun Nov 27 18:52:53 2016 -0800

    net: handle no dst on skb in icmp6_send

Reference:
https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/commit/?id=79dc7e3f1cd323be4c81aa1a94faa1b3ed987fb2

Can a CVE be assigned to this issue?

Florian
===================================================
Comment 1 Marcus Meissner 2016-12-09 07:46:23 UTC
Unclear when this was introduced; there were multiple incremental fixes.

ca254490c8dfdaddb5df8a763774db0f4c5200c3 is the base of the l3mdev VRF code, which is in 4.4.
Comment 3 Michal Kubeček 2016-12-09 09:34:53 UTC
We will need to backport the commit this one fixes (5d41ce29e3b9) first. :-)
For some reason, it has been backported to stable-4.8 but not into stable-4.4.

Not much point trying to fix stable now as it's going to switch to 4.9 early
next week anyway.
Comment 5 Michal Kubeček 2016-12-09 10:17:22 UTC
Fixing it should be easy but I'm not really sure it's worth including. The
thing is that due to missing

  1d2f7b2d956e  net: ipv6: tcp reset, icmp need to consider L3 domain
  5d41ce29e3b9  net: icmp6_send should use dst dev to determine L3 domain

the code in SLE12-SP2 still has

        if (__ipv6_addr_needs_scope_id(addr_type))
                iif = skb->dev->ifindex;

which is (functionally) wrong but it's not going to crash (after all, even
current fix uses skb->dev as a fallback).

So I can easily apply all three and have the branch ready within half an hour
but I believe SLE12-SP2 code is not vulnerable in the sense of "send a crafted
packet and kernel will crash". Or at least not in this particular place.
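As an added illustration of the failure mode discussed in this comment (this is not code from the bug, the upstream kernel tree or the SUSE branch): a stand-alone C mock of the two shapes the scope-id lookup in icmp6_send can take. The struct definitions, the skb_dst() and l3mdev_master_ifindex() stand-ins, and the function names pick_iif_unchecked, pick_iif_checked and skb_has_no_dst are constructed for this example. The unchecked form dereferences the route result unconditionally, which is what faults when the packet reaches icmp6_send without a dst (the fragment-reassembly-timeout case the reporter describes); the checked form falls back to skb->dev, the fallback comment 5 notes the upstream fix also uses.

```c
#include <stddef.h>
#include <stdio.h>

/* Minimal stand-ins for the kernel structures involved (constructed for this
 * example; the real definitions live in include/linux/netdevice.h,
 * include/net/dst.h and include/linux/skbuff.h). */
struct net_device {
    int ifindex;
};

struct dst_entry {
    struct net_device *dev;
};

struct sk_buff {
    struct net_device *dev;   /* device the packet arrived on */
    struct dst_entry *dst;    /* routing result; NULL until a route lookup ran */
};

/* Stand-in for skb_dst(): returns the cached route, which may be NULL. */
static struct dst_entry *skb_dst(const struct sk_buff *skb)
{
    return skb->dst;
}

/* Stand-in for l3mdev_master_ifindex(): with no VRF enslavement the L3
 * master is the device itself, so this just returns its ifindex. */
static int l3mdev_master_ifindex(const struct net_device *dev)
{
    return dev->ifindex;
}

/* Shape of the code that crashed: the route result is dereferenced
 * unconditionally. On the reassembly-timeout path no route lookup has run,
 * so skb_dst(skb) is NULL and the ->dev access faults. Only call this with
 * a routed skb. */
static int pick_iif_unchecked(const struct sk_buff *skb)
{
    return l3mdev_master_ifindex(skb_dst(skb)->dev);
}

/* Shape of the fix described on the page ("handle no dst on skb"): use the
 * dst device when there is one and fall back to skb->dev otherwise. */
static int pick_iif_checked(const struct sk_buff *skb)
{
    const struct dst_entry *dst = skb_dst(skb);
    const struct net_device *dev = dst ? dst->dev : skb->dev;
    return l3mdev_master_ifindex(dev);
}

/* True when the packet carries no route result; this is the precondition
 * the crashing path relies on never happening. */
static int skb_has_no_dst(const struct sk_buff *skb)
{
    return skb_dst(skb) == NULL;
}

int main(void)
{
    struct net_device eth0 = { .ifindex = 2 };
    struct net_device vrf_blue = { .ifindex = 5 };
    struct dst_entry route = { .dev = &vrf_blue };

    /* Normal forwarded packet: route lookup done, dst present. */
    struct sk_buff routed = { .dev = &eth0, .dst = &route };
    /* Reassembly-timeout case: packet still has the ingress device only. */
    struct sk_buff unrouted = { .dev = &eth0, .dst = NULL };

    printf("routed:   unchecked=%d checked=%d\n",
           pick_iif_unchecked(&routed), pick_iif_checked(&routed));
    printf("unrouted: no_dst=%d checked=%d (unchecked would fault here)\n",
           skb_has_no_dst(&unrouted), pick_iif_checked(&unrouted));
    return 0;
}
```

The point of the mock is the precondition: the pre-fix SLE12-SP2 code reads skb->dev->ifindex and so never touches the dst, which is why comment 5 judges that branch functionally wrong but not crashable at this site; the intermediate upstream state switched to the dst device without checking for its absence, and the fix restores skb->dev as the fallback.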
Comment 7 Marcus Meissner 2016-12-09 12:46:02 UTC
If it cannot crash the kernel right away, it's not needed for the fast path, I would say.
Comment 8 Michal Kubeček 2016-12-13 12:18:16 UTC
All three commits (CVE fix and the two mentioned in comment 5) are now in

  master (via 4.9.0)
  stable (via 4.9.0)
  SLE12-SP2

Reassigning back to the security team.
Comment 9 Swamp Workflow Management 2017-01-17 18:32:16 UTC
SUSE-SU-2017:0181-1: An update that solves 13 vulnerabilities and has 127 fixes is now available.

Category: security (important)
Bug References: 1000118,1000189,1000287,1000304,1000433,1000776,1001169,1001171,1001310,1001462,1001486,1001888,1002322,1002770,1002786,1003068,1003566,1003581,1003606,1003813,1003866,1003964,1004048,1004052,1004252,1004365,1004517,1005169,1005327,1005545,1005666,1005745,1005895,1005917,1005921,1005923,1005925,1005929,1006103,1006175,1006267,1006528,1006576,1006804,1006809,1006827,1006915,1006918,1007197,1007615,1007653,1007955,1008557,1008979,1009062,1009969,1010040,1010158,1010444,1010478,1010507,1010665,1010690,1010970,1011176,1011250,1011913,1012060,1012094,1012452,1012767,1012829,1012992,1013001,1013479,1013531,1013700,1014120,1014392,1014701,1014710,1015212,1015359,1015367,1015416,799133,914939,922634,963609,963655,963904,964462,966170,966172,966186,966191,966316,966318,966325,966471,969474,969475,969476,969477,969756,971975,971989,972993,974313,974842,974843,978907,979378,979681,981825,983087,983152,983318,985850,986255,986987,987641,987703,987805,988524,988715,990384,992555,993739,993841,993891,994881,995278,997059,997639,997807,998054,998689,999907,999932
CVE References: CVE-2015-1350,CVE-2015-8964,CVE-2016-7039,CVE-2016-7042,CVE-2016-7425,CVE-2016-7913,CVE-2016-7917,CVE-2016-8645,CVE-2016-8666,CVE-2016-9083,CVE-2016-9084,CVE-2016-9793,CVE-2016-9919
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP2 (src):    kernel-default-4.4.38-93.1
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    kernel-docs-4.4.38-93.3, kernel-obs-build-4.4.38-93.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    kernel-default-4.4.38-93.1, kernel-source-4.4.38-93.1, kernel-syms-4.4.38-93.1
SUSE Linux Enterprise Server 12-SP2 (src):    kernel-default-4.4.38-93.1, kernel-source-4.4.38-93.1, kernel-syms-4.4.38-93.1
SUSE Linux Enterprise Live Patching 12 (src):    kgraft-patch-SLE12-SP2_Update_4-1-2.1
SUSE Linux Enterprise High Availability 12-SP2 (src):    kernel-default-4.4.38-93.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    kernel-default-4.4.38-93.1, kernel-source-4.4.38-93.1, kernel-syms-4.4.38-93.1
Comment 10 Swamp Workflow Management 2017-02-13 20:17:00 UTC
openSUSE-SU-2017:0456-1: An update that solves 11 vulnerabilities and has 98 fixes is now available.

Category: security (important)
Bug References: 1000092,1000619,1003077,1003253,1005918,1006469,1006472,1007729,1008742,1009546,1009674,1009718,1009911,1009969,1010612,1010690,1011176,1011250,1011602,1011660,1011913,1012422,1012829,1012910,1013000,1013001,1013273,1013531,1013540,1013542,1013792,1013994,1014120,1014392,1014410,1014701,1014710,1015038,1015212,1015359,1015367,1015416,1015840,1016250,1016403,1016517,1016884,1016979,1017164,1017170,1017410,1017589,1018100,1018316,1018358,1018385,1018446,1018813,1018913,1019061,1019148,1019260,1019351,1019594,1019630,1019631,1019784,1019851,1020214,1020488,1020602,1020685,1020817,1020945,1020975,1021248,1021251,1021258,1021260,1021294,1021455,1021474,1022304,1022429,1022476,1022547,1022559,1022971,1023101,1023175,921494,959709,960561,964944,966170,966172,966186,966191,969474,969475,969756,971975,974215,979378,981709,985561,987192,987576,991273
CVE References: CVE-2015-8709,CVE-2016-7117,CVE-2016-8645,CVE-2016-9793,CVE-2016-9806,CVE-2016-9919,CVE-2017-2583,CVE-2017-2584,CVE-2017-5551,CVE-2017-5576,CVE-2017-5577
Sources used:
openSUSE Leap 42.2 (src):    kernel-debug-4.4.46-11.1, kernel-default-4.4.46-11.1, kernel-docs-4.4.46-11.3, kernel-obs-build-4.4.46-11.1, kernel-obs-qa-4.4.46-11.1, kernel-source-4.4.46-11.1, kernel-syms-4.4.46-11.1, kernel-vanilla-4.4.46-11.1
Comment 11 Marcus Meissner 2017-03-02 14:17:36 UTC
released