This all happened December 8th. I'm surprised this didn't make more noise, but it's unclear to me what versions are affected. It was reported on 4.8.12 and not marked as a regression, and was fixed during 4.9 development.
It'd be a relatively narrow window - it didn't affect RHEL 5/6/7 or the Ubuntu releases, so it'd need to be someone running a recent enough kernel to catch it but unmaintained enough to not push out the fixes.
Presuming this landed in 4.8 (guessing based on the kernels Debian listed fixes for versus not affected [1]), which came out in October 2016, that's 2 months of time when someone could have picked a stable release and gotten bitten by this.
update: it's actually even narrower, since it looks like those lines were added in a patch from November 3rd [2], so maybe a month.
It's normal not to make noise about security bugs. The CVE was issued almost two weeks after the fix landed in mainline. Surely the stable kernels were patched at the same time and the distros had pushed updates already.
You can't run valgrind on the kernel (not because of the speed, but because the way valgrind works it's not technically feasible), but even if you could, the bad access only occurred when the particular type of packet was received. The kernel panic essentially was the kernel's run-time bad access detection triggering.
It was catched with syzcaller and kasan. syzcaller is a kernel fuzzing tool, kasan is "like valgrind, but for the kernel" (the kernel version of address sanitizer. in general I like to describe address sanitizer as "like valgrind, just better".)
I'm a bit confused. One if changes between IPv4 and IPv6 was removing fragmentation feature. How does it work then. For some reason the CVE does not load for me.
What was removed was fragmentation done by the network. Now it's hard coded to use PMTU discovery, whereas in v4 fragmentation was transparent to apps if you didn't set the "don't fragment" bit.
It's going to be interesting to watch for all of the same exploits come through for IPv6 that came through for v4. This sounds like Teardrop from the Win9x era, I'm waiting to see WinNuke and whatever other variants are still to be discovered.
26 comments
[ 3.1 ms ] story [ 59.5 ms ] threadThis all happened December 8th. I'm surprised this didn't make more noise, but it's unclear to me what versions are affected. It was reported on 4.8.12 and not marked as a regression, and was fixed during 4.9 development.
Presuming this landed in 4.8 (guessing based on the kernels Debian listed fixes for versus not affected [1]), which came out in October 2016, that's 2 months of time when someone could have picked a stable release and gotten bitten by this.
update: it's actually even narrower, since it looks like those lines were added in a patch from November 3rd [2], so maybe a month.
[1] - https://security-tracker.debian.org/tracker/CVE-2016-9919
[2] - https://www.spinics.net/lists/netdev/msg402791.html
https://security-tracker.debian.org/tracker/CVE-2016-9919
Are there not static analysis tools routinely used against Linux that should have caught this?
Or runtime memory access detection, like valgrind.
I know both might be slow on a project the size the Linux kernel, but it seems worth it.
But today, it's impossible:
http://marc.info/?l=user-mode-linux-user&m=140187124116532&w...
> > So, is it possible to run linux (>3.12) with valgrind? If yes, how to do it?
> No.
> A long time ago it was possible after applying a patch to both UML and valgrind.
https://scan.coverity.com/projects/linux