apport information

** Tags added: apport-collected jammy

** Description changed:

  an android app is sending big UDP datagrams, this generates IPv4 fragments
  this IPv4 fragments can not be controlled in firewall nftables family netdev 
hook ingress.
  
  platform: Ubuntu 22.04LTS, latest patches installed
  
  I documented 2 screenshots
  fragment1.png
  wireshark: ethernet header type=0x800, ipv4 header ID=0x2466, more frags, 
frag-offset=0, total=1500
  fragment2.png
  wireshark: ethernet header type=0x800, ipv4 header ID=0x2466, 
frag-offset=1480, total=413
  
  at the bottom of the screenshots is "/usr/sbin/nft monitor trace"
  family "netdev" hook "ingress" @nh,0,160 is the raw ipv4 data
  total=0x765=1893, ID=0x2466,
  
  glueing the two ipv4 fragments together = 1500 + 413 - 20 = 1893, oops
  the nftables TRACE shows an already processed bigger ipv4 packet.
  
  there is a race condition!
  the ipv4 processing has to WAIT for all the rules in family "netdev" hook 
"ingress"
  I cannot control ether type 0x800 completely in family "netdev" hook "ingress"
  this is a security vulnerability!
+ --- 
+ ProblemType: Bug
+ ApportVersion: 2.20.11-0ubuntu82.1
+ Architecture: amd64
+ AudioDevicesInUse:
+  USER        PID ACCESS COMMAND
+  /dev/snd/controlC0:  bernie     1324 F.... pulseaudio
+ CasperMD5CheckResult: pass
+ DistroRelease: Ubuntu 22.04
+ InstallationDate: Installed on 2022-05-31 (58 days ago)
+ InstallationMedia: Ubuntu 22.04 LTS "Jammy Jellyfish" - Release amd64 
(20220419)
+ MachineType: Hewlett-Packard HP EliteBook 8560p
+ Package: linux (not installed)
+ ProcFB: 0 i915drmfb
+ ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-5.15.0-41-generic 
root=UUID=6f01374f-146b-402e-b36b-23f040ef48d2 ro ro quiet noplymouth 
ipv6.disable=1 initcall_blacklist=serial8250_init
+ ProcVersionSignature: Ubuntu 5.15.0-41.44-generic 5.15.39
+ PulseList: Error: command ['pacmd', 'list'] failed with exit code 1: No 
PulseAudio daemon running, or not running as session daemon.
+ RelatedPackageVersions:
+  linux-restricted-modules-5.15.0-41-generic N/A
+  linux-backports-modules-5.15.0-41-generic  N/A
+  linux-firmware                             20220329.git681281e4-0ubuntu3.3
+ RfKill:
+  0: phy0: Wireless LAN
+       Soft blocked: yes
+       Hard blocked: no
+ Tags:  jammy
+ Uname: Linux 5.15.0-41-generic x86_64
+ UpgradeStatus: No upgrade log present (probably fresh install)
+ UserGroups: N/A
+ _MarkForUpload: True
+ dmi.bios.date: 04/06/2017
+ dmi.bios.release: 15.101
+ dmi.bios.vendor: Hewlett-Packard
+ dmi.bios.version: 68SCF Ver. F.65
+ dmi.board.name: 1618
+ dmi.board.vendor: Hewlett-Packard
+ dmi.board.version: KBC Version 97.4E
+ dmi.chassis.type: 10
+ dmi.chassis.vendor: Hewlett-Packard
+ dmi.ec.firmware.release: 151.78
+ dmi.modalias: 
dmi:bvnHewlett-Packard:bvr68SCFVer.F.65:bd04/06/2017:br15.101:efr151.78:svnHewlett-Packard:pnHPEliteBook8560p:pvrA0001D02:rvnHewlett-Packard:rn1618:rvrKBCVersion97.4E:cvnHewlett-Packard:ct10:cvr:skuLG731EA#ABD:
+ dmi.product.family: 103C_5336AN
+ dmi.product.name: HP EliteBook 8560p
+ dmi.product.sku: LG731EA#ABD
+ dmi.product.version: A0001D02
+ dmi.sys.vendor: Hewlett-Packard

** Attachment added: "AlsaInfo.txt"
   https://bugs.launchpad.net/bugs/1980590/+attachment/5605728/+files/AlsaInfo.txt

https://bugs.launchpad.net/bugs/1980590

Title:
  SECURITY leak in dpkg "nftables" kernel code family netdev hook
  ingress

Status in linux package in Ubuntu:
  Confirmed

Bug description:
  an Android app is sending big UDP datagrams, this generates IPv4 fragments
  these IPv4 fragments cannot be controlled in firewall nftables family netdev hook ingress.

  platform: Ubuntu 22.04LTS, latest patches installed

  I documented 2 screenshots
  fragment1.png
  wireshark: ethernet header type=0x800, ipv4 header ID=0x2466, more frags, frag-offset=0, total=1500
  fragment2.png
  wireshark: ethernet header type=0x800, ipv4 header ID=0x2466, frag-offset=1480, total=413

  at the bottom of the screenshots is "/usr/sbin/nft monitor trace"
  family "netdev" hook "ingress" @nh,0,160 is the raw ipv4 data
  total=0x765=1893, ID=0x2466,

  gluing the two ipv4 fragments together = 1500 + 413 - 20 = 1893, oops
  the nftables TRACE shows an already processed bigger ipv4 packet.

  there is a race condition!
  the ipv4 processing has to WAIT for all the rules in family "netdev" hook "ingress"
  I cannot control ether type 0x800 completely in family "netdev" hook "ingress"
  this is a security vulnerability!
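
The length check from the bug description, as an added example (not part of the original report or of the nftables project): it decodes the fixed 20-byte IPv4 header that "@nh,0,160" exposes, computes the total-length field two fragments would reassemble to, and compares it with the traced header. Only the total-length, ID, offset and more-fragments values come from the report; the addresses, TTL, protocol and zero checksum in the sample headers are constructed, and the function names are hypothetical.

```python
import struct

def parse_ipv4_header(raw: bytes) -> dict:
    """Decode the fixed IPv4 header fields relevant to fragmentation."""
    if len(raw) < 20:
        raise ValueError("need at least 20 bytes (160 bits) of network header")
    ver_ihl, _tos, total, ident, flags_off = struct.unpack("!BBHHH", raw[:8])
    if ver_ihl >> 4 != 4 or (ver_ihl & 0x0F) < 5:
        raise ValueError("not a valid IPv4 header")
    return {
        "ihl": (ver_ihl & 0x0F) * 4,          # header length in bytes
        "total": total,                        # total length of this packet
        "id": ident,
        "mf": bool(flags_off & 0x2000),        # more-fragments flag
        "offset": (flags_off & 0x1FFF) * 8,    # fragment offset in bytes
    }

def reassembled_total(fragments):
    """Total length of the reassembled datagram, or None if the set is incomplete."""
    hdrs = sorted((parse_ipv4_header(f) for f in fragments), key=lambda h: h["offset"])
    if not hdrs or len({h["id"] for h in hdrs}) != 1:
        return None                            # empty set or mixed IP IDs
    expected = 0
    for h in hdrs:
        if h["offset"] != expected:
            return None                        # hole or overlap between fragments
        expected += h["total"] - h["ihl"]      # payload carried by this fragment
    if hdrs[-1]["mf"]:
        return None                            # last fragment not seen yet
    return hdrs[0]["ihl"] + expected           # one header plus all payload bytes

def make_header(total, ident, mf, offset):
    """Constructed sample header: UDP, TTL 64, checksum 0, 192.0.2.1 -> 192.0.2.2."""
    flags_off = (0x2000 if mf else 0) | (offset // 8)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, ident, flags_off,
                       64, 17, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))

# Values taken from the two Wireshark captures and the nft trace in the report.
FRAG1 = make_header(1500, 0x2466, True, 0)
FRAG2 = make_header(413, 0x2466, False, 1480)
TRACED = make_header(0x765, 0x2466, False, 0)

def trace_matches_reassembly():
    """True when the traced header carries the ID and length of the reassembled datagram."""
    t = parse_ipv4_header(TRACED)
    frag_id = parse_ipv4_header(FRAG1)["id"]
    return t["id"] == frag_id and t["total"] == reassembled_total([FRAG1, FRAG2])
```
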
