CVE-2011-2699: ipv6: make fragment identifications less predictable
This commit is contained in:
parent
8ba25ec095
commit
c9e8c10a43
|
@ -0,0 +1,172 @@
|
|||
From d8d972876c51f7344367414bef3682bcf97e4e87 Mon Sep 17 00:00:00 2001
|
||||
From: Eric Dumazet <eric.dumazet@gmail.com>
|
||||
Date: Mon, 8 Aug 2011 23:44:00 -0700
|
||||
Subject: ipv6: make fragment identifications less predictable
|
||||
|
||||
|
||||
From: Eric Dumazet <eric.dumazet@gmail.com>
|
||||
|
||||
[ Backport of upstream commit 87c48fa3b4630905f98268dde838ee43626a060c for 2.6.35 ]
|
||||
|
||||
Fernando Gont reported current IPv6 fragment identification generation
|
||||
was not secure, because using a very predictable system-wide generator,
|
||||
allowing various attacks.
|
||||
|
||||
IPv4 uses inetpeer cache to address this problem and to get good
|
||||
performance. We'll use this mechanism when IPv6 inetpeer is stable
|
||||
enough in linux-3.1
|
||||
|
||||
For the time being, we use jhash on destination address to provide less
|
||||
predictable identifications. Also remove a spinlock and use cmpxchg() to
|
||||
get better SMP performance.
|
||||
|
||||
Reported-by: Fernando Gont <fernando@gont.com.ar>
|
||||
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
|
||||
---
|
||||
include/net/ipv6.h | 12 +-----------
|
||||
include/net/transp_v6.h | 2 ++
|
||||
net/ipv6/af_inet6.c | 2 ++
|
||||
net/ipv6/ip6_output.c | 40 +++++++++++++++++++++++++++++++++++-----
|
||||
net/ipv6/udp.c | 2 +-
|
||||
5 files changed, 41 insertions(+), 17 deletions(-)
|
||||
|
||||
--- a/include/net/ipv6.h
|
||||
+++ b/include/net/ipv6.h
|
||||
@@ -463,17 +463,7 @@ static inline int ipv6_addr_diff(const s
|
||||
return __ipv6_addr_diff(a1, a2, sizeof(struct in6_addr));
|
||||
}
|
||||
|
||||
-static __inline__ void ipv6_select_ident(struct frag_hdr *fhdr)
|
||||
-{
|
||||
- static u32 ipv6_fragmentation_id = 1;
|
||||
- static DEFINE_SPINLOCK(ip6_id_lock);
|
||||
-
|
||||
- spin_lock_bh(&ip6_id_lock);
|
||||
- fhdr->identification = htonl(ipv6_fragmentation_id);
|
||||
- if (++ipv6_fragmentation_id == 0)
|
||||
- ipv6_fragmentation_id = 1;
|
||||
- spin_unlock_bh(&ip6_id_lock);
|
||||
-}
|
||||
+extern void ipv6_select_ident(struct frag_hdr *fhdr, struct rt6_info *rt);
|
||||
|
||||
/*
|
||||
* Prototypes exported by ipv6
|
||||
--- a/include/net/transp_v6.h
|
||||
+++ b/include/net/transp_v6.h
|
||||
@@ -14,6 +14,8 @@ extern struct proto tcpv6_prot;
|
||||
|
||||
struct flowi;
|
||||
|
||||
+extern void initialize_hashidentrnd(void);
|
||||
+
|
||||
/* extention headers */
|
||||
extern int ipv6_exthdrs_init(void);
|
||||
extern void ipv6_exthdrs_exit(void);
|
||||
--- a/net/ipv6/af_inet6.c
|
||||
+++ b/net/ipv6/af_inet6.c
|
||||
@@ -1078,6 +1078,8 @@ static int __init inet6_init(void)
|
||||
goto out;
|
||||
}
|
||||
|
||||
+ initialize_hashidentrnd();
|
||||
+
|
||||
err = proto_register(&tcpv6_prot, 1);
|
||||
if (err)
|
||||
goto out;
|
||||
--- a/net/ipv6/ip6_output.c
|
||||
+++ b/net/ipv6/ip6_output.c
|
||||
@@ -596,6 +596,35 @@ int ip6_find_1stfragopt(struct sk_buff *
|
||||
return offset;
|
||||
}
|
||||
|
||||
+static u32 hashidentrnd __read_mostly;
|
||||
+#define FID_HASH_SZ 16
|
||||
+static u32 ipv6_fragmentation_id[FID_HASH_SZ];
|
||||
+
|
||||
+void __init initialize_hashidentrnd(void)
|
||||
+{
|
||||
+ get_random_bytes(&hashidentrnd, sizeof(hashidentrnd));
|
||||
+}
|
||||
+
|
||||
+static u32 __ipv6_select_ident(const struct in6_addr *addr)
|
||||
+{
|
||||
+ u32 newid, oldid, hash = jhash2((u32 *)addr, 4, hashidentrnd);
|
||||
+ u32 *pid = &ipv6_fragmentation_id[hash % FID_HASH_SZ];
|
||||
+
|
||||
+ do {
|
||||
+ oldid = *pid;
|
||||
+ newid = oldid + 1;
|
||||
+ if (!(hash + newid))
|
||||
+ newid++;
|
||||
+ } while (cmpxchg(pid, oldid, newid) != oldid);
|
||||
+
|
||||
+ return hash + newid;
|
||||
+}
|
||||
+
|
||||
+void ipv6_select_ident(struct frag_hdr *fhdr, struct rt6_info *rt)
|
||||
+{
|
||||
+ fhdr->identification = htonl(__ipv6_select_ident(&rt->rt6i_dst.addr));
|
||||
+}
|
||||
+
|
||||
static int ip6_fragment(struct sk_buff *skb, int (*output)(struct sk_buff *))
|
||||
{
|
||||
struct sk_buff *frag;
|
||||
@@ -680,7 +709,7 @@ int ip6_fragment(struct sk_buff *skb, in
|
||||
skb_reset_network_header(skb);
|
||||
memcpy(skb_network_header(skb), tmp_hdr, hlen);
|
||||
|
||||
- ipv6_select_ident(fh);
|
||||
+ ipv6_select_ident(fh, rt);
|
||||
fh->nexthdr = nexthdr;
|
||||
fh->reserved = 0;
|
||||
fh->frag_off = htons(IP6_MF);
|
||||
@@ -826,7 +855,7 @@ slow_path:
|
||||
fh->nexthdr = nexthdr;
|
||||
fh->reserved = 0;
|
||||
if (!frag_id) {
|
||||
- ipv6_select_ident(fh);
|
||||
+ ipv6_select_ident(fh, rt);
|
||||
frag_id = fh->identification;
|
||||
} else
|
||||
fh->identification = frag_id;
|
||||
@@ -1072,7 +1101,8 @@ static inline int ip6_ufo_append_data(st
|
||||
int getfrag(void *from, char *to, int offset, int len,
|
||||
int odd, struct sk_buff *skb),
|
||||
void *from, int length, int hh_len, int fragheaderlen,
|
||||
- int transhdrlen, int mtu,unsigned int flags)
|
||||
+ int transhdrlen, int mtu,unsigned int flags,
|
||||
+ struct rt6_info *rt)
|
||||
|
||||
{
|
||||
struct sk_buff *skb;
|
||||
@@ -1116,7 +1146,7 @@ static inline int ip6_ufo_append_data(st
|
||||
skb_shinfo(skb)->gso_size = (mtu - fragheaderlen -
|
||||
sizeof(struct frag_hdr)) & ~7;
|
||||
skb_shinfo(skb)->gso_type = SKB_GSO_UDP;
|
||||
- ipv6_select_ident(&fhdr);
|
||||
+ ipv6_select_ident(&fhdr, rt);
|
||||
skb_shinfo(skb)->ip6_frag_id = fhdr.identification;
|
||||
__skb_queue_tail(&sk->sk_write_queue, skb);
|
||||
|
||||
@@ -1282,7 +1312,7 @@ int ip6_append_data(struct sock *sk, int
|
||||
|
||||
err = ip6_ufo_append_data(sk, getfrag, from, length,
|
||||
hh_len, fragheaderlen,
|
||||
- transhdrlen, mtu, flags);
|
||||
+ transhdrlen, mtu, flags, rt);
|
||||
if (err)
|
||||
goto error;
|
||||
return 0;
|
||||
--- a/net/ipv6/udp.c
|
||||
+++ b/net/ipv6/udp.c
|
||||
@@ -1359,7 +1359,7 @@ static struct sk_buff *udp6_ufo_fragment
|
||||
fptr = (struct frag_hdr *)(skb_network_header(skb) + unfrag_ip6hlen);
|
||||
fptr->nexthdr = nexthdr;
|
||||
fptr->reserved = 0;
|
||||
- ipv6_select_ident(fptr);
|
||||
+ ipv6_select_ident(fptr, (struct rt6_info *)skb_dst(skb));
|
||||
|
||||
/* Fragment the skb. ipv6 header and the remaining fields of the
|
||||
* fragment header are updated in ipv6_gso_segment()
|
|
@ -844,6 +844,8 @@ Patch14011: ext4-fix-max-file-size-and-logical-block-counting-of-extent-format-f
|
|||
Patch14012: bluetooth-prevent-buffer-overflow-in-l2cap-config-request.patch
|
||||
# CVE-2011-2517
|
||||
Patch14013: nl80211-fix-overflow-in-ssid_len.patch.patch
|
||||
# CVE-2011-2699
|
||||
Patch14014: ipv6-make-fragment-identifications-less-predictable.patch
|
||||
|
||||
%endif
|
||||
|
||||
|
@ -1588,6 +1590,8 @@ ApplyPatch ext4-fix-max-file-size-and-logical-block-counting-of-extent-format-fi
|
|||
ApplyPatch bluetooth-prevent-buffer-overflow-in-l2cap-config-request.patch
|
||||
# CVE-2011-2517
|
||||
ApplyPatch nl80211-fix-overflow-in-ssid_len.patch.patch
|
||||
# CVE-2011-2699
|
||||
ApplyPatch ipv6-make-fragment-identifications-less-predictable.patch
|
||||
|
||||
# END OF PATCH APPLICATIONS
|
||||
|
||||
|
@ -2180,6 +2184,7 @@ fi
|
|||
- CVE-2011-2695: ext4: kernel panic when writing data to the last block of sparse file
|
||||
- CVE-2011-2497: bluetooth: buffer overflow in l2cap config request
|
||||
- CVE-2011-2517: nl80211: missing check for valid SSID size in scan operations
|
||||
- CVE-2011-2699: ipv6: make fragment identifications less predictable
|
||||
|
||||
* Wed Aug 03 2011 Chuck Ebbert <cebbert@redhat.com> 2.6.35.14-94
|
||||
- Linux 2.6.35.14
|
||||
|
|
Loading…
Reference in New Issue