authorJosh Boyer <jwboyer@fedoraproject.org>2015-02-02 14:02:40 -0500
committerJosh Boyer <jwboyer@fedoraproject.org>2015-02-02 14:02:40 -0500
commit7c4ed2f6f57144242a2c4d74b422ff7406dcdb23 (patch)
treebf712b5a6481493d5cfcb5a424decd2293bd672f
parent99ae61bcfe23e97c5d8046fc271d6cf34aa4f0f7 (diff)
CVE-XXXX-XXX DoS due to routing packets to too many different dsts/too fast (rhbz 1183744 1188347)
-rw-r--r--Add-option-to-automatically-enforce-module-signature.patch4
-rw-r--r--Kbuild-Add-an-option-to-enable-GCC-VTA.patch2
-rw-r--r--efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch4
-rw-r--r--ipv4-try-to-cache-dst_entries-which-would-cause-a-re.patch99
-rw-r--r--kernel.spec9
5 files changed, 113 insertions, 5 deletions
diff --git a/Add-option-to-automatically-enforce-module-signature.patch b/Add-option-to-automatically-enforce-module-signature.patch
index a4ceb74e..98073f00 100644
--- a/Add-option-to-automatically-enforce-module-signature.patch
+++ b/Add-option-to-automatically-enforce-module-signature.patch
@@ -33,10 +33,10 @@ index 199f453cb4de..ec38acf00b40 100644
290/040 ALL edd_mbr_sig_buffer EDD MBR signatures
2D0/A00 ALL e820_map E820 memory map table
diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
-index 41a503c15862..7b8969db8398 100644
+index 3635fff7b32d..39fc1cd142a1 100644
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
-@@ -1611,6 +1611,16 @@ config EFI_MIXED
+@@ -1615,6 +1615,16 @@ config EFI_MIXED
If unsure, say N.
diff --git a/Kbuild-Add-an-option-to-enable-GCC-VTA.patch b/Kbuild-Add-an-option-to-enable-GCC-VTA.patch
index 57ee626c..09cbdb0a 100644
--- a/Kbuild-Add-an-option-to-enable-GCC-VTA.patch
+++ b/Kbuild-Add-an-option-to-enable-GCC-VTA.patch
@@ -43,7 +43,7 @@ Signed-off-by: Josh Stone <jistone@redhat.com>
2 files changed, 21 insertions(+), 1 deletion(-)
diff --git a/Makefile b/Makefile
-index 4e9328491c1e..2c2886edc16d 100644
+index 6276fcaabf21..fda7c73b428f 100644
--- a/Makefile
+++ b/Makefile
@@ -704,7 +704,11 @@ KBUILD_CFLAGS += -fomit-frame-pointer
diff --git a/efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch b/efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch
index 4d61ce91..e6c79287 100644
--- a/efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch
+++ b/efi-Make-EFI_SECURE_BOOT_SIG_ENFORCE-depend-on-EFI.patch
@@ -11,10 +11,10 @@ Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
-index 7b8969db8398..d1f4a3d88dfc 100644
+index 39fc1cd142a1..9d27a01f450d 100644
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
-@@ -1612,7 +1612,8 @@ config EFI_MIXED
+@@ -1616,7 +1616,8 @@ config EFI_MIXED
If unsure, say N.
config EFI_SECURE_BOOT_SIG_ENFORCE
diff --git a/ipv4-try-to-cache-dst_entries-which-would-cause-a-re.patch b/ipv4-try-to-cache-dst_entries-which-would-cause-a-re.patch
new file mode 100644
index 00000000..fbafb534
--- /dev/null
+++ b/ipv4-try-to-cache-dst_entries-which-would-cause-a-re.patch
@@ -0,0 +1,99 @@
+From: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Date: Fri, 23 Jan 2015 12:01:26 +0100
+Subject: [PATCH] ipv4: try to cache dst_entries which would cause a redirect
+
+Not caching dst_entries which cause redirects could be exploited by hosts
+on the same subnet, causing a severe DoS attack. This effect aggravated
+since commit f88649721268999 ("ipv4: fix dst race in sk_dst_get()").
+
+Lookups causing redirects will be allocated with DST_NOCACHE set which
+will force dst_release to free them via RCU. Unfortunately waiting for
+RCU grace period just takes too long, we can end up with >1M dst_entries
+waiting to be released and the system will run OOM. rcuos threads cannot
+catch up under high softirq load.
+
+Attaching the flag to emit a redirect later on to the specific skb allows
+us to cache those dst_entries thus reducing the pressure on allocation
+and deallocation.
+
+This issue was discovered by Marcelo Leitner.
+
+Cc: Julian Anastasov <ja@ssi.bg>
+Signed-off-by: Marcelo Leitner <mleitner@redhat.com>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Signed-off-by: Julian Anastasov <ja@ssi.bg>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+ include/net/ip.h | 11 ++++++-----
+ net/ipv4/ip_forward.c | 3 ++-
+ net/ipv4/route.c | 9 +++++----
+ 3 files changed, 13 insertions(+), 10 deletions(-)
+
+diff --git a/include/net/ip.h b/include/net/ip.h
+index 0bb620702929..f7cbd703d15d 100644
+--- a/include/net/ip.h
++++ b/include/net/ip.h
+@@ -39,11 +39,12 @@ struct inet_skb_parm {
+ struct ip_options opt; /* Compiled IP options */
+ unsigned char flags;
+
+-#define IPSKB_FORWARDED 1
+-#define IPSKB_XFRM_TUNNEL_SIZE 2
+-#define IPSKB_XFRM_TRANSFORMED 4
+-#define IPSKB_FRAG_COMPLETE 8
+-#define IPSKB_REROUTED 16
++#define IPSKB_FORWARDED BIT(0)
++#define IPSKB_XFRM_TUNNEL_SIZE BIT(1)
++#define IPSKB_XFRM_TRANSFORMED BIT(2)
++#define IPSKB_FRAG_COMPLETE BIT(3)
++#define IPSKB_REROUTED BIT(4)
++#define IPSKB_DOREDIRECT BIT(5)
+
+ u16 frag_max_size;
+ };
+diff --git a/net/ipv4/ip_forward.c b/net/ipv4/ip_forward.c
+index 3a83ce5efa80..787b3c294ce6 100644
+--- a/net/ipv4/ip_forward.c
++++ b/net/ipv4/ip_forward.c
+@@ -129,7 +129,8 @@ int ip_forward(struct sk_buff *skb)
+ * We now generate an ICMP HOST REDIRECT giving the route
+ * we calculated.
+ */
+- if (rt->rt_flags&RTCF_DOREDIRECT && !opt->srr && !skb_sec_path(skb))
++ if (IPCB(skb)->flags & IPSKB_DOREDIRECT && !opt->srr &&
++ !skb_sec_path(skb))
+ ip_rt_send_redirect(skb);
+
+ skb->priority = rt_tos2priority(iph->tos);
+diff --git a/net/ipv4/route.c b/net/ipv4/route.c
+index 6a2155b02602..d58dd0ec3e53 100644
+--- a/net/ipv4/route.c
++++ b/net/ipv4/route.c
+@@ -1554,11 +1554,10 @@ static int __mkroute_input(struct sk_buff *skb,
+
+ do_cache = res->fi && !itag;
+ if (out_dev == in_dev && err && IN_DEV_TX_REDIRECTS(out_dev) &&
++ skb->protocol == htons(ETH_P_IP) &&
+ (IN_DEV_SHARED_MEDIA(out_dev) ||
+- inet_addr_onlink(out_dev, saddr, FIB_RES_GW(*res)))) {
+- flags |= RTCF_DOREDIRECT;
+- do_cache = false;
+- }
++ inet_addr_onlink(out_dev, saddr, FIB_RES_GW(*res))))
++ IPCB(skb)->flags |= IPSKB_DOREDIRECT;
+
+ if (skb->protocol != htons(ETH_P_IP)) {
+ /* Not IP (i.e. ARP). Do not create route, if it is
+@@ -2303,6 +2302,8 @@ static int rt_fill_info(struct net *net, __be32 dst, __be32 src,
+ r->rtm_flags = (rt->rt_flags & ~0xFFFF) | RTM_F_CLONED;
+ if (rt->rt_flags & RTCF_NOTIFY)
+ r->rtm_flags |= RTM_F_NOTIFY;
++ if (IPCB(skb)->flags & IPSKB_DOREDIRECT)
++ r->rtm_flags |= RTCF_DOREDIRECT;
+
+ if (nla_put_be32(skb, RTA_DST, dst))
+ goto nla_put_failure;
+--
+2.1.0
+
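Review bot: In the rt_fill_info hunk the new test reads `IPCB(skb)->flags` from the same skb that the following `nla_put_be32(skb, RTA_DST, dst)` fills as the netlink reply, so the reported `RTCF_DOREDIRECT` bit is only meaningful if the caller ran the input route lookup on that skb and nothing rewrote `skb->cb` in between. The caller is outside the hunk, so this presumably holds for the input-route case, but it deserves a comment above the test such as `/* skb->cb still holds the inet_skb_parm written by the input route lookup on this skb */`. Separately, in include/net/ip.h `IPSKB_DOREDIRECT` takes `BIT(5)` of an `unsigned char flags`, which leaves two free bits; a short comment beside the field saying that flags must stay below `BIT(8)` would keep a later addition from being silently truncated. The bodies of rt_fill_info, ip_forward and __mkroute_input all continue outside the hunks shown.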
diff --git a/kernel.spec b/kernel.spec
index 6860f673..0cc5a2e7 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -633,6 +633,9 @@ Patch30000: kernel-arm64.patch
# Fix for big-endian arches, already upstream
Patch30001: mpssd-x86-only.patch
+# rhbz 1183744 1188347
+Patch30002: ipv4-try-to-cache-dst_entries-which-would-cause-a-re.patch
+
# END OF PATCH DEFINITIONS
%endif
@@ -1371,6 +1374,9 @@ ApplyPatch acpi-video-Add-disable_native_backlight-quirk-for-Sa.patch
# Fix for big-endian arches, already upstream
ApplyPatch mpssd-x86-only.patch
+# rhbz 1183744 1188347
+ApplyPatch ipv4-try-to-cache-dst_entries-which-would-cause-a-re.patch
+
%if 0%{?aarch64patches}
ApplyPatch kernel-arm64.patch
%ifnarch aarch64 # this is stupid, but i want to notice before secondary koji does.
@@ -2241,6 +2247,9 @@ fi
# ||----w |
# || ||
%changelog
+* Mon Feb 02 2015 Josh Boyer <jwboyer@fedoraproject.org>
+- CVE-XXXX-XXX DoS due to routing packets to too many different dsts/too fast (rhbz 1183744 1188347)
+
* Fri Jan 30 2015 Justin M. Forbes <jforbes@fedoraproject.org> - 3.18.5-100
- Linux v3.18.5