Linux v3.11-rc6-139-g89b53e5
This commit is contained in:
Josh Boyer
parent
afae503733
commit
e19bf2ec8e
|
|
@ -1,60 +0,0 @@
|
|||
From 4b08a8f1bd8cb4541c93ec170027b4d0782dab52 Mon Sep 17 00:00:00 2001
|
||||
From: Hannes Frederic Sowa <hannes@stressinduktion.org>
|
||||
Date: Fri, 16 Aug 2013 11:02:27 +0000
|
||||
Subject: ipv6: remove max_addresses check from ipv6_create_tempaddr
|
||||
|
||||
Because of the max_addresses check attackers were able to disable privacy
|
||||
extensions on an interface by creating enough autoconfigured addresses:
|
||||
|
||||
<http://seclists.org/oss-sec/2012/q4/292>
|
||||
|
||||
But the check is not actually needed: max_addresses protects the
|
||||
kernel to install too many ipv6 addresses on an interface and guards
|
||||
addrconf_prefix_rcv to install further addresses as soon as this limit
|
||||
is reached. We only generate temporary addresses in direct response of
|
||||
a new address showing up. As soon as we filled up the maximum number of
|
||||
addresses of an interface, we stop installing more addresses and thus
|
||||
also stop generating more temp addresses.
|
||||
|
||||
Even if the attacker tries to generate a lot of temporary addresses
|
||||
by announcing a prefix and removing it again (lifetime == 0) we won't
|
||||
install more temp addresses, because the temporary addresses do count
|
||||
to the maximum number of addresses, thus we would stop installing new
|
||||
autoconfigured addresses when the limit is reached.
|
||||
|
||||
This patch fixes CVE-2013-0343 (but other layer-2 attacks are still
|
||||
possible).
|
||||
|
||||
Thanks to Ding Tianhong to bring this topic up again.
|
||||
|
||||
Cc: Ding Tianhong <dingtianhong@huawei.com>
|
||||
Cc: George Kargiotakis <kargig@void.gr>
|
||||
Cc: P J P <ppandit@redhat.com>
|
||||
Cc: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
|
||||
Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
|
||||
Acked-by: Ding Tianhong <dingtianhong@huawei.com>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
---
|
||||
diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
|
||||
index da4241c..498ea99 100644
|
||||
--- a/net/ipv6/addrconf.c
|
||||
+++ b/net/ipv6/addrconf.c
|
||||
@@ -1126,12 +1126,10 @@ retry:
|
||||
if (ifp->flags & IFA_F_OPTIMISTIC)
|
||||
addr_flags |= IFA_F_OPTIMISTIC;
|
||||
|
||||
- ift = !max_addresses ||
|
||||
- ipv6_count_addresses(idev) < max_addresses ?
|
||||
- ipv6_add_addr(idev, &addr, NULL, tmp_plen,
|
||||
- ipv6_addr_scope(&addr), addr_flags,
|
||||
- tmp_valid_lft, tmp_prefered_lft) : NULL;
|
||||
- if (IS_ERR_OR_NULL(ift)) {
|
||||
+ ift = ipv6_add_addr(idev, &addr, NULL, tmp_plen,
|
||||
+ ipv6_addr_scope(&addr), addr_flags,
|
||||
+ tmp_valid_lft, tmp_prefered_lft);
|
||||
+ if (IS_ERR(ift)) {
|
||||
in6_ifa_put(ifp);
|
||||
in6_dev_put(idev);
|
||||
pr_info("%s: retry temporary address regeneration\n", __func__);
|
||||
--
|
||||
cgit v0.9.2
|
||||
|
|
@ -1,58 +0,0 @@
|
|||
If channel switch is pending and we remove interface we can
|
||||
crash like showed below due to passing NULL vif to mac80211:
|
||||
|
||||
BUG: unable to handle kernel paging request at fffffffffffff8cc
|
||||
IP: [<ffffffff8130924d>] strnlen+0xd/0x40
|
||||
Call Trace:
|
||||
[<ffffffff8130ad2e>] string.isra.3+0x3e/0xd0
|
||||
[<ffffffff8130bf99>] vsnprintf+0x219/0x640
|
||||
[<ffffffff8130c481>] vscnprintf+0x11/0x30
|
||||
[<ffffffff81061585>] vprintk_emit+0x115/0x4f0
|
||||
[<ffffffff81657bd5>] printk+0x61/0x63
|
||||
[<ffffffffa048987f>] ieee80211_chswitch_done+0xaf/0xd0 [mac80211]
|
||||
[<ffffffffa04e7b34>] iwl_chswitch_done+0x34/0x40 [iwldvm]
|
||||
[<ffffffffa04f83c3>] iwlagn_commit_rxon+0x2a3/0xdc0 [iwldvm]
|
||||
[<ffffffffa04ebc50>] ? iwlagn_set_rxon_chain+0x180/0x2c0 [iwldvm]
|
||||
[<ffffffffa04e5e76>] iwl_set_mode+0x36/0x40 [iwldvm]
|
||||
[<ffffffffa04e5f0d>] iwlagn_mac_remove_interface+0x8d/0x1b0 [iwldvm]
|
||||
[<ffffffffa0459b3d>] ieee80211_do_stop+0x29d/0x7f0 [mac80211]
|
||||
|
||||
This is because we nulify ctx->vif in iwlagn_mac_remove_interface()
|
||||
before calling some other functions that teardown interface. To fix
|
||||
just check ctx->vif on iwl_chswitch_done(). We should not call
|
||||
ieee80211_chswitch_done() as channel switch works were already canceled
|
||||
by mac80211 in ieee80211_do_stop() -> ieee80211_mgd_stop().
|
||||
|
||||
Resolve:
|
||||
https://bugzilla.redhat.com/show_bug.cgi?id=979581
|
||||
|
||||
Cc: stable@vger.kernel.org
|
||||
Reported-by: Lukasz Jagiello <jagiello.lukasz@gmail.com>
|
||||
Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
|
||||
---
|
||||
drivers/net/wireless/iwlwifi/dvm/mac80211.c | 5 ++++-
|
||||
1 file changed, 4 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/drivers/net/wireless/iwlwifi/dvm/mac80211.c b/drivers/net/wireless/iwlwifi/dvm/mac80211.c
|
||||
index 323e4a3..9a817df 100644
|
||||
--- a/drivers/net/wireless/iwlwifi/dvm/mac80211.c
|
||||
+++ b/drivers/net/wireless/iwlwifi/dvm/mac80211.c
|
||||
@@ -1046,7 +1046,10 @@ void iwl_chswitch_done(struct iwl_priv *priv, bool is_success)
|
||||
if (test_bit(STATUS_EXIT_PENDING, &priv->status))
|
||||
return;
|
||||
|
||||
- if (test_and_clear_bit(STATUS_CHANNEL_SWITCH_PENDING, &priv->status))
|
||||
+ if (!test_and_clear_bit(STATUS_CHANNEL_SWITCH_PENDING, &priv->status))
|
||||
+ return;
|
||||
+
|
||||
+ if (ctx->vif)
|
||||
ieee80211_chswitch_done(ctx->vif, is_success);
|
||||
}
|
||||
|
||||
--
|
||||
1.7.11.7
|
||||
|
||||
--
|
||||
To unsubscribe from this list: send the line "unsubscribe linux-wireless" in
|
||||
the body of a message to majordomo@vger.kernel.org
|
||||
More majordomo info at http://vger.kernel.org/majordomo-info.html
|
||||
17
kernel.spec
17
kernel.spec
|
|
@ -95,7 +95,7 @@ Summary: The Linux kernel
|
|||
# The rc snapshot level
|
||||
%define rcrev 6
|
||||
# The git snapshot level
|
||||
%define gitrev 3
|
||||
%define gitrev 4
|
||||
# Set rpm version accordingly
|
||||
%define rpmversion 3.%{upstream_sublevel}.0
|
||||
%endif
|
||||
|
|
@ -740,15 +740,9 @@ Patch25047: drm-radeon-Disable-writeback-by-default-on-ppc.patch
|
|||
Patch25056: iwl3945-better-skb-management-in-rx-path.patch
|
||||
Patch25057: iwl4965-better-skb-management-in-rx-path.patch
|
||||
|
||||
#rhbz 979581
|
||||
Patch25069: iwlwifi-dvm-fix-calling-ieee80211_chswitch_done-with-NULL.patch
|
||||
|
||||
#rhbz 963715
|
||||
Patch25077: media-cx23885-Fix-TeVii-S471-regression-since-introduction-of-ts2020.patch
|
||||
|
||||
#CVE-2013-0343 rhbz 914664 999380
|
||||
Patch25078: ipv6-remove-max_addresses-check-from-ipv6_create_tempaddr.patch
|
||||
|
||||
#rhbz 989269
|
||||
Patch25079: mac80211-add-a-flag-to-indicate-CCK-support-for-HT-clients.patch
|
||||
|
||||
|
|
@ -1445,15 +1439,9 @@ ApplyPatch drm-radeon-Disable-writeback-by-default-on-ppc.patch
|
|||
ApplyPatch iwl3945-better-skb-management-in-rx-path.patch
|
||||
ApplyPatch iwl4965-better-skb-management-in-rx-path.patch
|
||||
|
||||
#rhbz 979581
|
||||
ApplyPatch iwlwifi-dvm-fix-calling-ieee80211_chswitch_done-with-NULL.patch
|
||||
|
||||
#rhbz 963715
|
||||
ApplyPatch media-cx23885-Fix-TeVii-S471-regression-since-introduction-of-ts2020.patch
|
||||
|
||||
#CVE-2013-0343 rhbz 914664 999380
|
||||
ApplyPatch ipv6-remove-max_addresses-check-from-ipv6_create_tempaddr.patch
|
||||
|
||||
#rhbz 989269
|
||||
ApplyPatch mac80211-add-a-flag-to-indicate-CCK-support-for-HT-clients.patch
|
||||
|
||||
|
|
@ -2250,6 +2238,9 @@ fi
|
|||
# ||----w |
|
||||
# || ||
|
||||
%changelog
|
||||
* Fri Aug 23 2013 Josh Boyer <jwboyer@fedoraproject.org> - 3.11.0-0.rc6.git4.1
|
||||
- Linux v3.11-rc6-139-g89b53e5
|
||||
|
||||
* Fri Aug 23 2013 Josh Boyer <jwboyer@fedoraproject.org> - 3.11.0-0.rc6.git3.1
|
||||
- Linux v3.11-rc6-76-g6a7492a
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue