CVE-2016-3135 ipv4: DoS when destroying a network interface (rhbz 1318172 1318270)
This commit is contained in:
Josh Boyer
parent
cb176ec4e7
commit
6f9c14ed9c
97
ipv4-Dont-do-expensive-useless-work-during-inetdev-des.patch
Normal file
97
ipv4-Dont-do-expensive-useless-work-during-inetdev-des.patch
Normal file
@ -0,0 +1,97 @@
|
||||
From fbd40ea0180a2d328c5adc61414dc8bab9335ce2 Mon Sep 17 00:00:00 2001
|
||||
From: "David S. Miller" <davem@davemloft.net>
|
||||
Date: Sun, 13 Mar 2016 23:28:00 -0400
|
||||
Subject: ipv4: Don't do expensive useless work during inetdev destroy.
|
||||
|
||||
When an inetdev is destroyed, every address assigned to the interface
|
||||
is removed. And in this scenerio we do two pointless things which can
|
||||
be very expensive if the number of assigned interfaces is large:
|
||||
|
||||
1) Address promotion. We are deleting all addresses, so there is no
|
||||
point in doing this.
|
||||
|
||||
2) A full nf conntrack table purge for every address. We only need to
|
||||
do this once, as is already caught by the existing
|
||||
masq_dev_notifier so masq_inet_event() can skip this.
|
||||
|
||||
Reported-by: Solar Designer <solar@openwall.com>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
Tested-by: Cyrill Gorcunov <gorcunov@openvz.org>
|
||||
---
|
||||
net/ipv4/devinet.c | 4 ++++
|
||||
net/ipv4/fib_frontend.c | 4 ++++
|
||||
net/ipv4/netfilter/nf_nat_masquerade_ipv4.c | 12 ++++++++++--
|
||||
3 files changed, 18 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/net/ipv4/devinet.c b/net/ipv4/devinet.c
|
||||
index 65e76a4..e333bc8 100644
|
||||
--- a/net/ipv4/devinet.c
|
||||
+++ b/net/ipv4/devinet.c
|
||||
@@ -334,6 +334,9 @@ static void __inet_del_ifa(struct in_device *in_dev, struct in_ifaddr **ifap,
|
||||
|
||||
ASSERT_RTNL();
|
||||
|
||||
+ if (in_dev->dead)
|
||||
+ goto no_promotions;
|
||||
+
|
||||
/* 1. Deleting primary ifaddr forces deletion all secondaries
|
||||
* unless alias promotion is set
|
||||
**/
|
||||
@@ -380,6 +383,7 @@ static void __inet_del_ifa(struct in_device *in_dev, struct in_ifaddr **ifap,
|
||||
fib_del_ifaddr(ifa, ifa1);
|
||||
}
|
||||
|
||||
+no_promotions:
|
||||
/* 2. Unlink it */
|
||||
|
||||
*ifap = ifa1->ifa_next;
|
||||
diff --git a/net/ipv4/fib_frontend.c b/net/ipv4/fib_frontend.c
|
||||
index 4734475..21add55 100644
|
||||
--- a/net/ipv4/fib_frontend.c
|
||||
+++ b/net/ipv4/fib_frontend.c
|
||||
@@ -922,6 +922,9 @@ void fib_del_ifaddr(struct in_ifaddr *ifa, struct in_ifaddr *iprim)
|
||||
subnet = 1;
|
||||
}
|
||||
|
||||
+ if (in_dev->dead)
|
||||
+ goto no_promotions;
|
||||
+
|
||||
/* Deletion is more complicated than add.
|
||||
* We should take care of not to delete too much :-)
|
||||
*
|
||||
@@ -997,6 +1000,7 @@ void fib_del_ifaddr(struct in_ifaddr *ifa, struct in_ifaddr *iprim)
|
||||
}
|
||||
}
|
||||
|
||||
+no_promotions:
|
||||
if (!(ok & BRD_OK))
|
||||
fib_magic(RTM_DELROUTE, RTN_BROADCAST, ifa->ifa_broadcast, 32, prim);
|
||||
if (subnet && ifa->ifa_prefixlen < 31) {
|
||||
diff --git a/net/ipv4/netfilter/nf_nat_masquerade_ipv4.c b/net/ipv4/netfilter/nf_nat_masquerade_ipv4.c
|
||||
index c6eb421..ea91058 100644
|
||||
--- a/net/ipv4/netfilter/nf_nat_masquerade_ipv4.c
|
||||
+++ b/net/ipv4/netfilter/nf_nat_masquerade_ipv4.c
|
||||
@@ -108,10 +108,18 @@ static int masq_inet_event(struct notifier_block *this,
|
||||
unsigned long event,
|
||||
void *ptr)
|
||||
{
|
||||
- struct net_device *dev = ((struct in_ifaddr *)ptr)->ifa_dev->dev;
|
||||
+ struct in_device *idev = ((struct in_ifaddr *)ptr)->ifa_dev;
|
||||
struct netdev_notifier_info info;
|
||||
|
||||
- netdev_notifier_info_init(&info, dev);
|
||||
+ /* The masq_dev_notifier will catch the case of the device going
|
||||
+ * down. So if the inetdev is dead and being destroyed we have
|
||||
+ * no work to do. Otherwise this is an individual address removal
|
||||
+ * and we have to perform the flush.
|
||||
+ */
|
||||
+ if (idev->dead)
|
||||
+ return NOTIFY_DONE;
|
||||
+
|
||||
+ netdev_notifier_info_init(&info, idev->dev);
|
||||
return masq_device_event(this, event, &info);
|
||||
}
|
||||
|
||||
--
|
||||
cgit v0.12
|
||||
|
||||
@ -619,6 +619,9 @@ Patch664: netfilter-x_tables-check-for-size-overflow.patch
|
||||
#CVE-2016-3134 rhbz 1317383 1317384
|
||||
Patch665: netfilter-x_tables-deal-with-bogus-nextoffset-values.patch
|
||||
|
||||
#CVE-2016-3135 rhbz 1318172 1318270
|
||||
Patch666: ipv4-Dont-do-expensive-useless-work-during-inetdev-des.patch
|
||||
|
||||
# END OF PATCH DEFINITIONS
|
||||
|
||||
%endif
|
||||
@ -2140,6 +2143,9 @@ fi
|
||||
#
|
||||
#
|
||||
%changelog
|
||||
* Wed Mar 16 2016 Josh Boyer <jwboyer@fedoraproject.org>
|
||||
- CVE-2016-3135 ipv4: DoS when destroying a network interface (rhbz 1318172 1318270)
|
||||
|
||||
* Wed Mar 16 2016 Josh Boyer <jwboyer@fedoraproject.org> - 4.6.0-0.rc0.git2.1
|
||||
- Linux v4.5-760-g710d60cbf1b3
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user