
Linux panic on fragmented IPv6 traffic (icmp6_send) - BuuQu9hu
http://seclists.org/oss-sec/2016/q4/640
======
codehusker
It was assigned CVE-2016-9919. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9919

This all happened December 8th. I'm surprised this didn't make more noise, but
it's unclear to me what versions are affected. It was reported on 4.8.12 and
not marked as a regression, and was fixed during 4.9 development.

~~~
ajross
It's normal _not_ to make noise about security bugs. The CVE was issued almost
two weeks after the fix landed in mainline. Surely the stable kernels were
patched at the same time and the distros had pushed updates already.

~~~
alpb
Corollary: people writing exploits actively follow email lists such as this
one for security issues.

~~~
mfukar
Naturally they do.

------
xja
As far as I can tell it appears to be a classic use of an uninitialized
pointer.

Are there not static analysis tools routinely used against Linux that should
have caught this?

Or runtime memory access detection, like valgrind.

I know both might be slow on a project the size the Linux kernel, but it seems
worth it.

~~~
caf
You can't run valgrind on the kernel (not because of the speed, but because of
the way valgrind works it's not technically feasible), but even if you could,
the bad access only occurred when the particular type of packet was received.
The kernel panic essentially _was_ the kernel's run-time bad access detection
triggering.

~~~
m00dy
you can run the kernel in userspace so that valgrind can attach to it.

~~~
lisivka
It was done for UML kernel 2.6 with patches:
http://web.archive.org/web/20100126181646/http://uml.jfdi.org/uml/Wiki.jsp?page=ValgrindingUML

But today, it's impossible:

http://marc.info/?l=user-mode-linux-user&m=140187124116532&w=2

> > So, is it possible to run linux (>3.12) with valgrind? If yes, how to do it?
>
> No.
>
> A long time ago it was possible after applying a patch to both UML and valgrind.

------
click170
Already fixed in Debian, probably fixed in most other distros as well
considering it was posted Dec 8th.

https://security-tracker.debian.org/tracker/CVE-2016-9919

------
web007
It's going to be interesting to watch for all of the same exploits come
through for IPv6 that came through for v4. This sounds like Teardrop from the
Win9x era, I'm waiting to see WinNuke and whatever other variants are still to
be discovered.

------
trelliscoded
Oh, so that's why I've been seeing that weird IPv6 traffic on my collectors.

~~~
i336_
Record a bit if you see any more, maybe.

------
snvzz
With its millions of lines of code, Linux is guaranteed to hide a bug or two.

------
takeda
I'm a bit confused. One of the changes between IPv4 and IPv6 was removing the
fragmentation feature. How does it work then? For some reason the CVE does not
load for me.

~~~
fulafel
What was removed was fragmentation done by the network. Now it's hard coded to
use PMTU discovery, whereas in v4 fragmentation was transparent to apps if you
didn't set the "don't fragment" bit.
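What fulafel describes, as an added example that is not from the oss-sec post, the kernel, or any commenter here: in IPv6 only the sending host fragments, by inserting a Fragment extension header (next-header value 44, RFC 8200 section 4.5) in front of each piece; a router that meets a link too small for the packet never fragments it but drops it and signals ICMPv6 Packet Too Big, which is what drives Path MTU discovery. The code assumes the packet carries no extension headers other than the Fragment header (so the unfragmentable part is just the 40-byte base header), does not preserve the hop limit across reassembly, and uses constructed addresses and payload.

```python
"""IPv6 source fragmentation and reassembly (RFC 8200 section 4.5).

Added example, not code from the kernel or the oss-sec post. Assumes no
extension headers besides the Fragment header; sample data is constructed.
"""
import ipaddress
import struct

IPV6_HDR_LEN = 40
FRAG_HDR_LEN = 8
NH_FRAGMENT = 44        # IANA protocol number of the Fragment header
NH_UDP = 17
IPV6_MIN_MTU = 1280     # RFC 8200: every IPv6 link must carry 1280-byte packets


def build_ipv6(src, dst, next_header, payload, hop_limit=64):
    """Base IPv6 header (version 6, traffic class and flow label 0) + payload."""
    hdr = struct.pack("!IHBB16s16s", 6 << 28, len(payload), next_header, hop_limit,
                      ipaddress.IPv6Address(src).packed,
                      ipaddress.IPv6Address(dst).packed)
    return hdr + payload


def parse_ipv6(pkt):
    """Return (src, dst, next_header, payload) for a base-header-only packet."""
    vtf, plen, nh, _hlim, src, dst = struct.unpack("!IHBB16s16s", pkt[:IPV6_HDR_LEN])
    if vtf >> 28 != 6:
        raise ValueError("not an IPv6 packet")
    payload = pkt[IPV6_HDR_LEN:IPV6_HDR_LEN + plen]
    if len(payload) != plen:
        raise ValueError("truncated packet")
    return (str(ipaddress.IPv6Address(src)), str(ipaddress.IPv6Address(dst)), nh, payload)


def router_forward(pkt, link_mtu):
    """A router never fragments: forward unchanged, or drop and report Packet
    Too Big (ICMPv6 type 2) with the link MTU so the sender can shrink."""
    if len(pkt) <= link_mtu:
        return pkt, None
    return None, ("ICMPv6 Packet Too Big", link_mtu)


def fragment(pkt, mtu, ident):
    """Sending-host fragmentation: split one packet into fragments <= mtu bytes."""
    src, dst, nh, data = parse_ipv6(pkt)
    if nh == NH_FRAGMENT:
        raise ValueError("already fragmented")
    # Data per fragment, rounded down to a multiple of 8 octets, because the
    # 13-bit Fragment Offset field counts 8-octet units.
    chunk = (mtu - IPV6_HDR_LEN - FRAG_HDR_LEN) & ~7
    if chunk <= 0:
        raise ValueError("MTU too small to carry any fragment data")
    frags = []
    for off in range(0, len(data), chunk):
        piece = data[off:off + chunk]
        more = off + chunk < len(data)
        off_m = ((off // 8) << 3) | (1 if more else 0)   # offset<<3 | M flag
        frag_hdr = struct.pack("!BBHI", nh, 0, off_m, ident)
        frags.append(build_ipv6(src, dst, NH_FRAGMENT, frag_hdr + piece))
    return frags


def reassemble(frags):
    """Receiver-side reassembly of one datagram, in any arrival order.

    Rejects gaps, overlaps, duplicate final fragments, and a missing final
    fragment instead of trusting the sender's offsets.
    """
    pieces, total, key, inner_nh = {}, None, None, None
    for f in frags:
        src, dst, nh, payload = parse_ipv6(f)
        if nh != NH_FRAGMENT:
            raise ValueError("not a fragment")
        fnh, _res, off_m, ident = struct.unpack("!BBHI", payload[:FRAG_HDR_LEN])
        if key is None:
            key, inner_nh = (src, dst, ident), fnh
        elif (src, dst, ident) != key or fnh != inner_nh:
            raise ValueError("fragment belongs to a different datagram")
        data = payload[FRAG_HDR_LEN:]
        off, more = (off_m >> 3) * 8, off_m & 1
        if more and len(data) % 8:
            raise ValueError("non-final fragment not a multiple of 8 octets")
        if off in pieces:
            raise ValueError("duplicate fragment offset")
        pieces[off] = data
        if not more:
            if total is not None:
                raise ValueError("two final fragments")
            total = off + len(data)
    if total is None:
        raise ValueError("final fragment missing")
    out = bytearray()
    for off in sorted(pieces):
        if off != len(out):
            raise ValueError("gap or overlap at offset %d" % off)
        out += pieces[off]
    if len(out) != total:
        raise ValueError("length mismatch")
    return build_ipv6(key[0], key[1], inner_nh, bytes(out))


# Constructed sample: a 3072-byte UDP-style payload in one packet (3112 bytes),
# which no 1280-byte link can carry, so the sender must fragment it.
SAMPLE = build_ipv6("2001:db8::1", "2001:db8::2", NH_UDP, bytes(range(256)) * 12)

if __name__ == "__main__":
    print(router_forward(SAMPLE, IPV6_MIN_MTU))      # dropped, Packet Too Big
    fs = fragment(SAMPLE, IPV6_MIN_MTU, ident=0x1234)
    print(len(fs), "fragments of sizes", [len(f) for f in fs])
    print("reassembled ok:", reassemble(fs) == SAMPLE)
```

With the 1280-byte minimum MTU each fragment can carry 1232 bytes of data, so the sample splits into three fragments (1280, 1280 and 656 bytes); feeding them back in reverse order still reassembles, while dropping the last fragment is reported as an incomplete datagram. Note that the reassembly path is exactly where a receiver handles attacker-shaped input, which is why reassembled packets deserve the same state checks as any other before they reach code like icmp6_send.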

