
Bug#782561: please backport commit ccfe8c3f7e52 from upstream



Control: tag -1 moreinfo

On Tue, 14 Apr 2015 10:44:22 +0200 Romain Francoise <rfrancoise@debian.org> wrote:
> Package: src:linux
> Version: 3.16.7-ckt7-1
> Severity: wishlist
> 
> Using the rfc4106 IPsec implementation provided by the aesni_intel
> module results in occasional crashes on a busy gateway. This was fixed
> upstream by commit ccfe8c3f7e52:
> 
> | commit ccfe8c3f7e52ae83155cb038753f4c75b774ca8a
> | Author: Stephan Mueller <smueller@chronox.de>
> | Date:   Thu Mar 12 09:17:51 2015 +0100
> |
> |     crypto: aesni - fix memory usage in GCM decryption
[...]
> This fix is already queued for 3.16.7-ckt10, but it'd be great if you
> could include it in jessie ASAP.

As this fixes buffer overflow bugs, I would normally expect those bugs
to result in crashes and also to be potentially exploitable for code
injection.

However, the upstream developers tell me that in this particular case
the buffers will always have some extra padding that makes the overflows
harmless in practice.

Have you actually tested that this commit fixes the crashes you've seen?

Ben.

-- 
Ben Hutchings
Anthony's Law of Force: Don't force it, get a larger hammer.
