CVE-2013-2232 ipv6: using ipv4 vs ipv6 structure during routing lookup in sendmsg (rhbz 981552 981564)
This commit is contained in:
Josh Boyer
parent
26edf9ecd2
commit
e39d89beef
|
|
@ -0,0 +1,52 @@
|
|||
From a963a37d384d71ad43b3e9e79d68d42fbe0901f3 Mon Sep 17 00:00:00 2001
|
||||
From: Eric Dumazet <edumazet@google.com>
|
||||
Date: Wed, 26 Jun 2013 04:15:07 -0700
|
||||
Subject: [PATCH] ipv6: ip6_sk_dst_check() must not assume ipv6 dst
|
||||
|
||||
It's possible to use AF_INET6 sockets and to connect to an IPv4
|
||||
destination. After this, socket dst cache is a pointer to a rtable,
|
||||
not rt6_info.
|
||||
|
||||
ip6_sk_dst_check() should check the socket dst cache is IPv6, or else
|
||||
various corruptions/crashes can happen.
|
||||
|
||||
Dave Jones can reproduce immediate crash with
|
||||
trinity -q -l off -n -c sendmsg -c connect
|
||||
|
||||
With help from Hannes Frederic Sowa
|
||||
|
||||
Reported-by: Dave Jones <davej@redhat.com>
|
||||
Reported-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
|
||||
Signed-off-by: Eric Dumazet <edumazet@google.com>
|
||||
Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
---
|
||||
net/ipv6/ip6_output.c | 8 +++++++-
|
||||
1 file changed, 7 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
|
||||
index 95703ba..d5d20cd 100644
|
||||
--- a/net/ipv6/ip6_output.c
|
||||
+++ b/net/ipv6/ip6_output.c
|
||||
@@ -821,11 +821,17 @@ static struct dst_entry *ip6_sk_dst_check(struct sock *sk,
|
||||
const struct flowi6 *fl6)
|
||||
{
|
||||
struct ipv6_pinfo *np = inet6_sk(sk);
|
||||
- struct rt6_info *rt = (struct rt6_info *)dst;
|
||||
+ struct rt6_info *rt;
|
||||
|
||||
if (!dst)
|
||||
goto out;
|
||||
|
||||
+ if (dst->ops->family != AF_INET6) {
|
||||
+ dst_release(dst);
|
||||
+ return NULL;
|
||||
+ }
|
||||
+
|
||||
+ rt = (struct rt6_info *)dst;
|
||||
/* Yes, checking route validity in not connected
|
||||
* case is not very simple. Take into account,
|
||||
* that we do not support routing by source, TOS,
|
||||
--
|
||||
1.8.2.1
|
||||
|
||||
|
|
@ -778,6 +778,9 @@ Patch25058: af_key-fix-info-leaks-in-notify-messages.patch
|
|||
#CVE-2013-1059 rhbz 977356 980341
|
||||
Patch25059: ceph-fix.patch
|
||||
|
||||
#CVE-2013-2232 rhbz 981552 981564
|
||||
Patch25060: ipv6-ip6_sk_dst_check-must-not-assume-ipv6-dst.patch
|
||||
|
||||
# END OF PATCH DEFINITIONS
|
||||
|
||||
%endif
|
||||
|
|
@ -1510,6 +1513,9 @@ ApplyPatch af_key-fix-info-leaks-in-notify-messages.patch
|
|||
#CVE-2013-1059 rhbz 977356 980341
|
||||
ApplyPatch ceph-fix.patch
|
||||
|
||||
#CVE-2013-2232 rhbz 981552 981564
|
||||
ApplyPatch ipv6-ip6_sk_dst_check-must-not-assume-ipv6-dst.patch
|
||||
|
||||
# END OF PATCH APPLICATIONS
|
||||
|
||||
%endif
|
||||
|
|
@ -2361,6 +2367,9 @@ fi
|
|||
# '-' | |
|
||||
# '-'
|
||||
%changelog
|
||||
* Fri Jul 05 2013 Josh Boyer <jwboyer@redhat.com>
|
||||
- CVE-2013-2232 ipv6: using ipv4 vs ipv6 structure during routing lookup in sendmsg (rhbz 981552 981564)
|
||||
|
||||
* Wed Jul 03 2013 Josh Boyer <jwboyer@redhat.com> - 3.9.9-100
|
||||
- CVE-2013-1059 libceph: Fix NULL pointer dereference in auth client code (rhbz 977356 980341)
|
||||
- CVE-2013-2234 net: information leak in AF_KEY notify (rhbz 980995 981007)
|
||||
|
|
|
|||
Loading…
Reference in New Issue