CVE-2013-0343 handling of IPv6 temporary addresses (rhbz 914664 999380)

ipv6-remove-max_addresses-check-from-ipv6_create_tempaddr.patch

@@ -0,0 +1,60 @@
+From 4b08a8f1bd8cb4541c93ec170027b4d0782dab52 Mon Sep 17 00:00:00 2001
+From: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Date: Fri, 16 Aug 2013 11:02:27 +0000
+Subject: ipv6: remove max_addresses check from ipv6_create_tempaddr
+
+Because of the max_addresses check attackers were able to disable privacy
+extensions on an interface by creating enough autoconfigured addresses:
+
+<http://seclists.org/oss-sec/2012/q4/292>
+
+But the check is not actually needed: max_addresses protects the
+kernel to install too many ipv6 addresses on an interface and guards
+addrconf_prefix_rcv to install further addresses as soon as this limit
+is reached. We only generate temporary addresses in direct response of
+a new address showing up. As soon as we filled up the maximum number of
+addresses of an interface, we stop installing more addresses and thus
+also stop generating more temp addresses.
+
+Even if the attacker tries to generate a lot of temporary addresses
+by announcing a prefix and removing it again (lifetime == 0) we won't
+install more temp addresses, because the temporary addresses do count
+to the maximum number of addresses, thus we would stop installing new
+autoconfigured addresses when the limit is reached.
+
+This patch fixes CVE-2013-0343 (but other layer-2 attacks are still
+possible).
+
+Thanks to Ding Tianhong to bring this topic up again.
+
+Cc: Ding Tianhong <dingtianhong@huawei.com>
+Cc: George Kargiotakis <kargig@void.gr>
+Cc: P J P <ppandit@redhat.com>
+Cc: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
+Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Acked-by: Ding Tianhong <dingtianhong@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
+index da4241c..498ea99 100644
+--- a/net/ipv6/addrconf.c
++++ b/net/ipv6/addrconf.c
+@@ -1126,12 +1126,10 @@ retry:
+ 	if (ifp->flags & IFA_F_OPTIMISTIC)
+ 		addr_flags |= IFA_F_OPTIMISTIC;
+ 
+-	ift = !max_addresses ||
+-	      ipv6_count_addresses(idev) < max_addresses ?
+-		ipv6_add_addr(idev, &addr, NULL, tmp_plen,
+-			      ipv6_addr_scope(&addr), addr_flags,
+-			      tmp_valid_lft, tmp_prefered_lft) : NULL;
+-	if (IS_ERR_OR_NULL(ift)) {
++	ift = ipv6_add_addr(idev, &addr, NULL, tmp_plen,
++			    ipv6_addr_scope(&addr), addr_flags,
++			    tmp_valid_lft, tmp_prefered_lft);
++	if (IS_ERR(ift)) {
+ 		in6_ifa_put(ifp);
+ 		in6_dev_put(idev);
+ 		pr_info("%s: retry temporary address regeneration\n", __func__);
+--
+cgit v0.9.2

kernel.spec

@@ -745,6 +745,10 @@ Patch25069: iwlwifi-dvm-fix-calling-ieee80211_chswitch_done-with-NULL.patch
 #rhbz 963715
 Patch25077: media-cx23885-Fix-TeVii-S471-regression-since-introduction-of-ts2020.patch
 
+#CVE-2013-0343 rhbz 914664 999380
+Patch25078: ipv6-remove-max_addresses-check-from-ipv6_create_tempaddr.patch
+
+
 # END OF PATCH DEFINITIONS
 
 %endif
@@ -1444,6 +1448,9 @@ ApplyPatch iwlwifi-dvm-fix-calling-ieee80211_chswitch_done-with-NULL.patch
 #rhbz 963715
 ApplyPatch media-cx23885-Fix-TeVii-S471-regression-since-introduction-of-ts2020.patch
 
+#CVE-2013-0343 rhbz 914664 999380
+ApplyPatch ipv6-remove-max_addresses-check-from-ipv6_create_tempaddr.patch
+
 # END OF PATCH APPLICATIONS
 
 %endif
@@ -2237,6 +2244,9 @@ fi
 #                 ||----w |
 #                 ||     ||
 %changelog
+* Wed Aug 21 2013 Josh Boyer <jwboyer@fedoraproject.org>
+- CVE-2013-0343 handling of IPv6 temporary addresses (rhbz 914664 999380)
+
 * Tue Aug 20 2013 Josh Boyer <jwboyer@fedoraproject.org> - 3.11.0-0.rc6.git1.1
 - Linux v3.11-rc6-28-gfd3930f
 - Reenable debugging options.