[Pkg-samba-maint] Bug#813406: Bug#813406: ctdb, raw sockets and CVE-2015-8543

Mathieu Parent math.parent at gmail.com
Wed Feb 3 21:05:58 UTC 2016


2016-02-01 17:29 GMT+01:00 Adi Kriegisch <adi at kriegisch.at>:
> Package: ctdb
> Severity: grave
> Tags: patch,upstream
>
> Hi!
>
> The kernel upgrade for CVE-2015-8543 showed a bug in CTDB that leads to a
> broken cluster:
>   | s = socket(AF_INET, SOCK_RAW, htons(IPPROTO_RAW));
> htons(IPPROTO_RAW) leads to 0xff00 which causes "-1 EINVAL (Invalid
> argument)" because of CVE-2015-8543.
> The fix for the issue is quite simple: remove IPPROTO_RAW; to make the fix
> more consistent with what was used before, use IPPROTO_IP (which is 0).
>
> Error messages related to this bug are:
>   | We are still serving a public IP 'x.x.x.x' that we should not be serving. Removing it
>   | common/system_common.c:89 failed to open raw socket (Invalid argument)
>   | Could not find which interface the ip address is hosted on. can not release it
> and
>   | common/system_linux.c:344 failed to open raw socket (Invalid argument)
> As a result, IP addresses cannot be released and multiple nodes in the
> cluster serve the same address, which obviously does not work.

Thank you so much for finding this bug! I was wondering why my
clusters were crazy, blaming the network itself.

> Upstream bug: https://bugzilla.samba.org/show_bug.cgi?id=11705 and mailing
> list conversation: https://lists.samba.org/archive/samba/2016-January/197389.html

There are two sets of patches:
- yours, which basically keeps the same behavior as pre-CVE-2015-8543 (proto=0)
- Amitay's, which restores the intended behavior (proto=255)

Also, your patch only fixes 2 functions.

Amitay's patch also fixes references to ETHERTYPE_ARP (0x0806) and
ETH_P_ALL (0x0003).

I think I'll go for Amitay's patch, which probably fixes a lot of
weird behaviors I've seen pre-CVE-2015-8543 (i.e. TCP connections not
reset, IP not properly relocated).

I plan to fix this for wheezy and jessie. stretch will come with the next
upstream release.

Given the importance of the bug, I think it can go through -security.

Regards
-- 
Mathieu
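The following is an added diagnostic example, not CTDB code and not part of either patch discussed in the thread. It shows why `htons(IPPROTO_RAW)` breaks under a kernel carrying the CVE-2015-8543 fix: the IP protocol field is 8 bits wide, and the fixed kernel rejects `socket()` protocol arguments outside 0..255 with EINVAL, while `htons()` turns 255 into 0xff00 on little-endian hosts. `raw_proto_valid` and `try_raw_socket` are names chosen here; the user-space range check mirrors the kernel's, and the `main` tries all three values (the buggy one, Amitay's proto=255 and Adi's proto=0) so an operator can see which errno their kernel returns. Opening a raw socket needs CAP_NET_RAW, so an unprivileged run reports EPERM rather than the kernel's protocol check.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <unistd.h>

/* The IPv4 protocol number is one byte. After the CVE-2015-8543 fix the
 * kernel refuses socket() protocol arguments outside 0..255 with EINVAL;
 * this mirrors that range check in user space so a bad value is caught
 * before the syscall. (Added example, not CTDB's own code.) */
int raw_proto_valid(int protocol)
{
    return protocol >= 0 && protocol <= 255;
}

/* Attempt to open (and immediately close) a raw IPv4 socket with the given
 * protocol. Returns 0 on success, otherwise the errno the kernel reported. */
int try_raw_socket(int protocol)
{
    int s = socket(AF_INET, SOCK_RAW, protocol);
    if (s < 0)
        return errno;
    close(s);
    return 0;
}

int main(void)
{
    /* htons() byte-swaps a value that is not a network-order field: on a
     * little-endian host IPPROTO_RAW (255) becomes 0xff00. */
    int buggy  = htons(IPPROTO_RAW);  /* the original CTDB call */
    int fixed  = IPPROTO_RAW;         /* Amitay's patch: proto=255 */
    int legacy = IPPROTO_IP;          /* Adi's patch: proto=0 (pre-fix behaviour) */

    int vals[3] = { buggy, fixed, legacy };
    const char *names[3] = { "htons(IPPROTO_RAW)", "IPPROTO_RAW", "IPPROTO_IP" };

    for (int i = 0; i < 3; i++) {
        int err;
        printf("%-20s = 0x%04x\n", names[i], vals[i]);
        if (!raw_proto_valid(vals[i]))
            printf("  outside 0..255: a kernel with the CVE-2015-8543 fix returns EINVAL\n");
        err = try_raw_socket(vals[i]);
        if (err == 0)
            printf("  kernel: socket() succeeded\n");
        else if (err == EPERM)
            printf("  kernel: EPERM (raw sockets need CAP_NET_RAW; rerun privileged)\n");
        else
            printf("  kernel: %s\n", strerror(err));
    }
    return 0;
}
```

On a fixed kernel the first value fails with "Invalid argument", which is exactly the `failed to open raw socket (Invalid argument)` message CTDB logs above; the other two succeed when run with CAP_NET_RAW.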
