diff options
author | Josh Boyer <jwboyer@fedoraproject.org> | 2013-08-21 09:14:20 -0400 |
---|---|---|
committer | Josh Boyer <jwboyer@fedoraproject.org> | 2013-08-21 09:14:20 -0400 |
commit | 7739f0b9ab9a3df007a345af4301c7ccd37805d7 (patch) | |
tree | 2f03dc99950c606474915e6e8a99d986b238d631 | |
parent | f37a09228818bcf1a4465e0570cbca3e8ddc7d21 (diff) | |
download | kernel-7739f0b9ab9a3df007a345af4301c7ccd37805d7.tar.gz kernel-7739f0b9ab9a3df007a345af4301c7ccd37805d7.tar.xz kernel-7739f0b9ab9a3df007a345af4301c7ccd37805d7.zip |
CVE-2013-0343 handling of IPv6 temporary addresses (rhbz 914664 999380)
-rw-r--r-- | ipv6-remove-max_addresses-check-from-ipv6_create_tempaddr.patch | 63 | ||||
-rw-r--r-- | kernel.spec | 12 |
2 files changed, 74 insertions, 1 deletions
diff --git a/ipv6-remove-max_addresses-check-from-ipv6_create_tempaddr.patch b/ipv6-remove-max_addresses-check-from-ipv6_create_tempaddr.patch new file mode 100644 index 00000000..0c4fc248 --- /dev/null +++ b/ipv6-remove-max_addresses-check-from-ipv6_create_tempaddr.patch @@ -0,0 +1,63 @@ +From 2712c283acc085b5438fa1b22053423a0158468d Mon Sep 17 00:00:00 2001 +From: Hannes Frederic Sowa <hannes@stressinduktion.org> +Date: Fri, 16 Aug 2013 11:02:27 +0000 +Subject: [PATCH] ipv6: remove max_addresses check from ipv6_create_tempaddr + +Because of the max_addresses check attackers were able to disable privacy +extensions on an interface by creating enough autoconfigured addresses: + +<http://seclists.org/oss-sec/2012/q4/292> + +But the check is not actually needed: max_addresses protects the +kernel to install too many ipv6 addresses on an interface and guards +addrconf_prefix_rcv to install further addresses as soon as this limit +is reached. We only generate temporary addresses in direct response of +a new address showing up. As soon as we filled up the maximum number of +addresses of an interface, we stop installing more addresses and thus +also stop generating more temp addresses. + +Even if the attacker tries to generate a lot of temporary addresses +by announcing a prefix and removing it again (lifetime == 0) we won't +install more temp addresses, because the temporary addresses do count +to the maximum number of addresses, thus we would stop installing new +autoconfigured addresses when the limit is reached. + +This patch fixes CVE-2013-0343 (but other layer-2 attacks are still +possible). + +Thanks to Ding Tianhong to bring this topic up again. + +Cc: Ding Tianhong <dingtianhong@huawei.com> +Cc: George Kargiotakis <kargig@void.gr> +Cc: P J P <ppandit@redhat.com> +Cc: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org> +Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org> +Acked-by: Ding Tianhong <dingtianhong@huawei.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +--- + net/ipv6/addrconf.c | 8 +++----- + 1 file changed, 3 insertions(+), 5 deletions(-) + +diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c +index fb8c94c..21b7a87 100644 +--- a/net/ipv6/addrconf.c ++++ b/net/ipv6/addrconf.c +@@ -1124,12 +1124,10 @@ retry: + if (ifp->flags & IFA_F_OPTIMISTIC) + addr_flags |= IFA_F_OPTIMISTIC; + +- ift = !max_addresses || +- ipv6_count_addresses(idev) < max_addresses ? +- ipv6_add_addr(idev, &addr, tmp_plen, ++ ift = ipv6_add_addr(idev, &addr, tmp_plen, + ipv6_addr_type(&addr)&IPV6_ADDR_SCOPE_MASK, +- addr_flags) : NULL; +- if (IS_ERR_OR_NULL(ift)) { ++ addr_flags); ++ if (IS_ERR(ift)) { + in6_ifa_put(ifp); + in6_dev_put(idev); + pr_info("%s: retry temporary address regeneration\n", __func__); +-- +1.8.3.1 + diff --git a/kernel.spec b/kernel.spec index 5b6d7dd1..68a7ac64 100644 --- a/kernel.spec +++ b/kernel.spec @@ -770,6 +770,10 @@ Patch25072: HID-Revert-Revert-HID-Fix-logitech-dj-missing-Unifying-device-issue. #rhbz 963715 Patch25077: media-cx23885-Fix-TeVii-S471-regression-since-introduction-of-ts2020.patch +#CVE-2013-0343 rhbz 914664 999380 +Patch25078: ipv6-remove-max_addresses-check-from-ipv6_create_tempaddr.patch + + # END OF PATCH DEFINITIONS %endif @@ -1488,6 +1492,9 @@ ApplyPatch HID-Revert-Revert-HID-Fix-logitech-dj-missing-Unifying-device-issue.p #rhbz 963715 ApplyPatch media-cx23885-Fix-TeVii-S471-regression-since-introduction-of-ts2020.patch +#CVE-2013-0343 rhbz 914664 999380 +ApplyPatch ipv6-remove-max_addresses-check-from-ipv6_create_tempaddr.patch + # END OF PATCH APPLICATIONS %endif @@ -2300,7 +2307,10 @@ fi # and build. %changelog -* Tue Aug 20 2013 Josh Boyer <jwboyer@fedoraproject.org> - 3.10.9-200 +* Wed Aug 21 2013 Josh Boyer <jwboyer@fedoraproject.org> +- CVE-2013-0343 handling of IPv6 temporary addresses (rhbz 914664 999380) + +* Tue Aug 20 2013 Josh Boyer <jwboyer@fedoraproject.org> - Linux v3.10.9 * Tue Aug 20 2013 Josh Boyer <jwboyer@fedoraproject.org> - 3.10.8-200 |