From 93ec8b7d38bffe6c33b18644e05100e92c06b8b3 Mon Sep 17 00:00:00 2001
From: Josh Boyer
Date: Tue, 11 Mar 2014 09:00:52 -0400
Subject: [PATCH] CVE-2014-2309 ipv6: crash due to router advertisment flooding (rhbz 1074471 1075064)
---
 ...ST_NOCOUNT-for-remotely-added-routes.patch | 32 +++++++++++++++++++
 kernel.spec | 7 ++++
 2 files changed, 39 insertions(+)
 create mode 100644 ipv6-dont-set-DST_NOCOUNT-for-remotely-added-routes.patch
diff --git a/ipv6-dont-set-DST_NOCOUNT-for-remotely-added-routes.patch b/ipv6-dont-set-DST_NOCOUNT-for-remotely-added-routes.patch
new file mode 100644
index 000000000..9c07c7e24
--- /dev/null
+++ b/ipv6-dont-set-DST_NOCOUNT-for-remotely-added-routes.patch
@@ -0,0 +1,32 @@
+Bugzilla: 1074471
+Upstream-status: queued for 3.14
+
+From c88507fbad8055297c1d1e21e599f46960cbee39 Mon Sep 17 00:00:00 2001
+From: Sabrina Dubroca
+Date: Thu, 06 Mar 2014 16:51:57 +0000
+Subject: ipv6: don't set DST_NOCOUNT for remotely added routes
+
+DST_NOCOUNT should only be used if an authorized user adds routes
+locally. In case of routes which are added on behalf of router
+advertisments this flag must not get used as it allows an unlimited
+number of routes getting added remotely.
+
+Signed-off-by: Sabrina Dubroca
+Acked-by: Hannes Frederic Sowa
+Signed-off-by: David S. Miller
+---
+diff --git a/net/ipv6/route.c b/net/ipv6/route.c
+index 11dac21..fba54a4 100644
+--- a/net/ipv6/route.c
++++ b/net/ipv6/route.c
+@@ -1513,7 +1513,7 @@ int ip6_route_add(struct fib6_config *cfg)
+ if (!table)
+ goto out;
+
+- rt = ip6_dst_alloc(net, NULL, DST_NOCOUNT, table);
++ rt = ip6_dst_alloc(net, NULL, (cfg->fc_flags & RTF_ADDRCONF) ? 0 : DST_NOCOUNT, table);
+
+ if (!rt) {
+ err = -ENOMEM;
+--
+cgit v0.9.2
diff --git a/kernel.spec b/kernel.spec
index bd12e03a1..757eff072 100644
--- a/kernel.spec
+++ b/kernel.spec
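Review bot: The flag selection added to the `ip6_dst_alloc()` call in `ip6_route_add()` encodes a security invariant that is explained only in the patch description, not at the call site: routes added on behalf of router advertisements must remain counted, otherwise a remote sender can add an unlimited number of them. I would put a comment above the call, for example `/* Routes learned from RAs (RTF_ADDRCONF) must be counted; only locally added routes may use DST_NOCOUNT. */`, and wrap the long argument list so the ternary sits on its own line. The guard keys on `RTF_ADDRCONF` in `cfg->fc_flags`, so it presumably holds only if every advertisement-driven caller sets that flag; those callers are not visible here and are worth confirming when this patch is carried across rebases. The body of `ip6_route_add()` starts and ends outside the hunk, so the `-ENOMEM` path that now becomes reachable under a flood can be seen only in part.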
@@ -646,6 +646,9 @@ Patch25035: Bluetooth-allocate-static-minor-for-vhci.patch
 #Fixes module loading on ppc64le
 Patch25036: ppc64le_module_fix.patch
+#CVE-2014-2309 rhbz 1074471 1075064
+Patch25037: ipv6-dont-set-DST_NOCOUNT-for-remotely-added-routes.patch
+
 # END OF PATCH DEFINITIONS
 %endif
@@ -1299,6 +1302,9 @@ ApplyPatch Bluetooth-allocate-static-minor-for-vhci.patch
 # Fixes module loading on ppc64le
 ApplyPatch ppc64le_module_fix.patch
+#CVE-2014-2309 rhbz 1074471 1075064
+ApplyPatch ipv6-dont-set-DST_NOCOUNT-for-remotely-added-routes.patch
+
 # END OF PATCH APPLICATIONS
 %endif
@@ -2079,6 +2085,7 @@ fi
 # || ||
 %changelog
 * Tue Mar 11 2014 Josh Boyer - 3.14.0-0.rc6.git1.1
+- CVE-2014-2309 ipv6: crash due to router advertisment flooding (rhbz 1074471 1075064)
 - Linux v3.14-rc6-17-g8712a00
 - Reenable debugging options.