Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 486428 (CVE-2013-4387) - Kernel: memory corruption with ipv6 udp offloading (CVE-2013-4387)
Summary: Kernel: memory corruption with ipv6 udp offloading (CVE-2013-4387)
Alias: CVE-2013-4387
Product: Gentoo Security
Classification: Unclassified
Component: Kernel (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Kernel Security
Depends on:
Reported: 2013-09-29 08:16 UTC by Agostino Sarubbo
Modified: 2022-03-25 15:39 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2013-09-29 08:16:39 UTC
From ${URL} :


I guess the following patch might be worth a CVE:

| [PATCH] ipv6: udp packets following an UFO enqueued packet need also be handled by UFO
| In the following scenario the socket is corked:
| If the first UDP packet is larger then the mtu we try to append it to the
| write queue via ip6_ufo_append_data. A following packet, which is smaller
| than the mtu would be appended to the already queued up gso-skb via
| plain ip6_append_data. This causes random memory corruptions.
| In ip6_ufo_append_data we also have to be careful to not queue up the
| same skb multiple times. So setup the gso frame only when no first skb
| is available.
| This also fixes a shortcoming where we add the current packet's length to
| cork->length but return early because of a packet > mtu with dontfrag set
| (instead of sutracting it again).
| Found with trinity.

While writing a reproducer to test this patch, I have seen silent memory
corruption (which later manifests as e.g. a panic or hangs on shutdown)
and oopses.

It has been reported to netdev by Dmitry Vyukov <>
and was found with the AddressSanitizer for the kernel[1] and trinity.

The patch is queued up for stable:
and is already committed to linux-net:

I guess the erroneous behaviour was introduced here:
| git describe --contains e89e9cf539a28df7d0eb1d0a545368e9920b34ac
| v2.6.15-rc1~731^2~31

The reproducers are available on request.

Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2013-10-16 01:32:43 UTC
CVE-2013-4387 (
  net/ipv6/ip6_output.c in the Linux kernel through 3.11.4 does not properly
  determine the need for UDP Fragmentation Offload (UFO) processing of small
  packets after the UFO queueing of a large packet, which allows remote
  attackers to cause a denial of service (memory corruption and system crash)
  or possibly have unspecified other impact via network traffic that triggers
  a large response packet.
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-03-25 15:39:02 UTC
Fix in 3.11.7 onwards