Linux v3.10.12
This commit is contained in:
Justin M. Forbes
parent
cddf6d836f
commit
ef6fcfd7b8
|
|
@ -1,63 +0,0 @@
|
|||
From 2712c283acc085b5438fa1b22053423a0158468d Mon Sep 17 00:00:00 2001
|
||||
From: Hannes Frederic Sowa <hannes@stressinduktion.org>
|
||||
Date: Fri, 16 Aug 2013 11:02:27 +0000
|
||||
Subject: [PATCH] ipv6: remove max_addresses check from ipv6_create_tempaddr
|
||||
|
||||
Because of the max_addresses check attackers were able to disable privacy
|
||||
extensions on an interface by creating enough autoconfigured addresses:
|
||||
|
||||
<http://seclists.org/oss-sec/2012/q4/292>
|
||||
|
||||
But the check is not actually needed: max_addresses protects the
|
||||
kernel to install too many ipv6 addresses on an interface and guards
|
||||
addrconf_prefix_rcv to install further addresses as soon as this limit
|
||||
is reached. We only generate temporary addresses in direct response of
|
||||
a new address showing up. As soon as we filled up the maximum number of
|
||||
addresses of an interface, we stop installing more addresses and thus
|
||||
also stop generating more temp addresses.
|
||||
|
||||
Even if the attacker tries to generate a lot of temporary addresses
|
||||
by announcing a prefix and removing it again (lifetime == 0) we won't
|
||||
install more temp addresses, because the temporary addresses do count
|
||||
to the maximum number of addresses, thus we would stop installing new
|
||||
autoconfigured addresses when the limit is reached.
|
||||
|
||||
This patch fixes CVE-2013-0343 (but other layer-2 attacks are still
|
||||
possible).
|
||||
|
||||
Thanks to Ding Tianhong to bring this topic up again.
|
||||
|
||||
Cc: Ding Tianhong <dingtianhong@huawei.com>
|
||||
Cc: George Kargiotakis <kargig@void.gr>
|
||||
Cc: P J P <ppandit@redhat.com>
|
||||
Cc: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
|
||||
Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
|
||||
Acked-by: Ding Tianhong <dingtianhong@huawei.com>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
---
|
||||
net/ipv6/addrconf.c | 8 +++-----
|
||||
1 file changed, 3 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
|
||||
index fb8c94c..21b7a87 100644
|
||||
--- a/net/ipv6/addrconf.c
|
||||
+++ b/net/ipv6/addrconf.c
|
||||
@@ -1124,12 +1124,10 @@ retry:
|
||||
if (ifp->flags & IFA_F_OPTIMISTIC)
|
||||
addr_flags |= IFA_F_OPTIMISTIC;
|
||||
|
||||
- ift = !max_addresses ||
|
||||
- ipv6_count_addresses(idev) < max_addresses ?
|
||||
- ipv6_add_addr(idev, &addr, tmp_plen,
|
||||
+ ift = ipv6_add_addr(idev, &addr, tmp_plen,
|
||||
ipv6_addr_type(&addr)&IPV6_ADDR_SCOPE_MASK,
|
||||
- addr_flags) : NULL;
|
||||
- if (IS_ERR_OR_NULL(ift)) {
|
||||
+ addr_flags);
|
||||
+ if (IS_ERR(ift)) {
|
||||
in6_ifa_put(ifp);
|
||||
in6_dev_put(idev);
|
||||
pr_info("%s: retry temporary address regeneration\n", __func__);
|
||||
--
|
||||
1.8.3.1
|
||||
|
||||
11
kernel.spec
11
kernel.spec
|
|
@ -74,7 +74,7 @@ Summary: The Linux kernel
|
|||
%if 0%{?released_kernel}
|
||||
|
||||
# Do we have a -stable update to apply?
|
||||
%define stable_update 11
|
||||
%define stable_update 12
|
||||
# Is it a -stable RC?
|
||||
%define stable_rc 0
|
||||
# Set rpm version accordingly
|
||||
|
|
@ -766,9 +766,6 @@ Patch25070: Input-elantech-fix-for-newer-hardware-versions-v7.patch
|
|||
#rhbz 963715
|
||||
Patch25077: media-cx23885-Fix-TeVii-S471-regression-since-introduction-of-ts2020.patch
|
||||
|
||||
#CVE-2013-0343 rhbz 914664 999380
|
||||
Patch25078: ipv6-remove-max_addresses-check-from-ipv6_create_tempaddr.patch
|
||||
|
||||
#rhbz 1000679
|
||||
Patch25079: rt2800-rearrange-bbp-rfcsr-initialization.patch
|
||||
|
||||
|
|
@ -1489,9 +1486,6 @@ ApplyPatch Input-elantech-fix-for-newer-hardware-versions-v7.patch
|
|||
#rhbz 963715
|
||||
ApplyPatch media-cx23885-Fix-TeVii-S471-regression-since-introduction-of-ts2020.patch
|
||||
|
||||
#CVE-2013-0343 rhbz 914664 999380
|
||||
ApplyPatch ipv6-remove-max_addresses-check-from-ipv6_create_tempaddr.patch
|
||||
|
||||
#CVE-2013-2888 rhbz 1000451 1002543 CVE-2013-2889 rhbz 999890 1002548
|
||||
#CVE-2013-2891 rhbz 999960 1002555 CVE-2013-2892 rhbz 1000429 1002570
|
||||
#CVE-2013-2893 rhbz 1000414 1002575 CVE-2013-2894 rhbz 1000137 1002579
|
||||
|
|
@ -2352,6 +2346,9 @@ fi
|
|||
# ||----w |
|
||||
# || ||
|
||||
%changelog
|
||||
* Mon Sep 16 2013 Justin M. Forbes <jforbes@fedoraproject.org> 3.10.12-100
|
||||
- Linux v3.10.12
|
||||
|
||||
* Fri Sep 13 2013 Josh Boyer <jwboyer@fedoraproject.org>
|
||||
- CVE-2013-4350 net: sctp: ipv6 ipsec encryption bug in sctp_v6_xmit (rhbz 1007872 1007903)
|
||||
- CVE-2013-4343 net: use-after-free TUNSETIFF (rhbz 1007733 1007741)
|
||||
|
|
|
|||
Loading…
Reference in New Issue