-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-EN-16:05.hv_netvsc                                      Errata Notice
                                                          The FreeBSD Project

Topic:          hv_netvsc(4) incorrect TCP/IP checksums

Category:       core
Module:         hyperv
Announced:      2016-03-16
Credits:        Larry Baird
Affects:        FreeBSD 10.2
Corrected:      2015-12-18 14:56:49 UTC (stable/10, 10.2-STABLE)
                2016-03-16 22:31:04 UTC (releng/10.2, 10.2-RELEASE-p14)

For general information regarding FreeBSD Errata Notices and Security
Advisories, including descriptions of the fields above, security
branches, and the following sections, please visit
<URL:https://security.FreeBSD.org/>.

I.   Background

Hyper-V is a native hypervisor running on the Windows operating system.  It
can run FreeBSD 10.x as a guest in a virtual machine.

When a FreeBSD guest runs on Hyper-V, it usually uses the Hyper-V synthetic
network device to get the best network performance.  The driver for this
network device is called hv_netvsc(4).  Since FreeBSD 10.2-RELEASE, the
driver supports TCP segmentation and TCP/IP checksum offloading.

II.  Problem Description

A regression was introduced together with the TCP segmentation and TCP/IP
checksum offloading support.  The driver checked the inbound checksum flags
when deciding whether to process checksums, while it should have checked the
outbound flags only.

III. Impact

If the guest running on Hyper-V is configured as a gateway, the host will
silently drop certain packets from the guest.

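Added example (not part of the advisory and not the driver's code): a
simplified C model of the transmit-side decision described in sections II
and III, showing why forwarded packets are the ones affected.  The flag names
and values, the packet struct and the "any flag set" form of the regressed
check are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical flag values for this model; not FreeBSD's mbuf constants. */
#define CSUM_OUT_IP     0x0001u /* stack asks the device to fill in the IP checksum */
#define CSUM_OUT_TCP    0x0002u /* stack asks the device to fill in the TCP checksum */
#define CSUM_IN_CHECKED 0x0100u /* receive path: checksum was examined */
#define CSUM_IN_VALID   0x0200u /* receive path: checksum was found good */
#define CSUM_OUT_MASK   (CSUM_OUT_IP | CSUM_OUT_TCP)

struct pkt { const char *desc; uint32_t csum_flags; };

/* Regressed decision (assumed form): inbound flags also trigger processing. */
static bool tx_csum_regressed(const struct pkt *p) { return p->csum_flags != 0; }

/* Corrected decision: only outbound request flags count. */
static bool tx_csum_corrected(const struct pkt *p) {
    return (p->csum_flags & CSUM_OUT_MASK) != 0;
}

/* Constructed sample traffic for a guest acting as a gateway. */
static const struct pkt samples[] = {
    { "locally originated TCP, offload requested", CSUM_OUT_IP | CSUM_OUT_TCP },
    { "locally originated, checksums done in software", 0 },
    { "forwarded, receive path verified checksums", CSUM_IN_CHECKED | CSUM_IN_VALID },
    { "forwarded, receive path only examined checksum", CSUM_IN_CHECKED },
};
#define NSAMPLES (sizeof(samples) / sizeof(samples[0]))

/* Count packets the regressed check processes but the corrected one does not. */
static size_t count_misprocessed(const struct pkt *pkts, size_t n) {
    size_t bad = 0;
    for (size_t i = 0; i < n; i++)
        if (tx_csum_regressed(&pkts[i]) && !tx_csum_corrected(&pkts[i]))
            bad++;
    return bad;
}

int main(void) {
    for (size_t i = 0; i < NSAMPLES; i++)
        printf("%-50s regressed=%d corrected=%d\n", samples[i].desc,
               tx_csum_regressed(&samples[i]), tx_csum_corrected(&samples[i]));
    printf("misprocessed: %zu of %zu\n",
           count_misprocessed(samples, NSAMPLES), (size_t)NSAMPLES);
    return 0;
}
```
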
IV.  Workaround

No workaround is available.

V.   Solution

Perform one of the following:

1) Upgrade your system to a supported FreeBSD stable or release / security
branch (releng) dated after the correction date.  A reboot is required.

2) To update your system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

A reboot is required.

3) To update your system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/EN-16:05/hv_netvsc.patch
# fetch https://security.FreeBSD.org/patches/EN-16:05/hv_netvsc.patch.asc
# gpg --verify hv_netvsc.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/10/                                                        r292439
releng/10.2/                                                      r296955
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>

VII. References

<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=203630>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-16:05.hv_netvsc.asc>
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----