kernel-ipv6: CVE-2015-2922

Fixes denial of service (DoS) attack against IPv6 network stacks due to improper handling of Router Advertisements. Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2922 Upstream fix: https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/ patch/?id=ac12ff18b11259e10c2d543aa58c73ff88a68e77 Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Huimin She <huimin.she@enea.com>
author: Sona Sarmadi <sona.sarmadi@enea.com> 2016-03-09 07:37:31 +0100
committer: Huimin She <huimin.she@enea.com> 2016-03-10 15:01:43 +0100
commit: 0f8f654b183e41fed39e2eaa91b7dcb3a9e2086e (patch)
tree: 85db41980adcbc878551b82825cc87613d22e917
parent: 7e15834edfd7f1a4bed0555440b7db97c2b1198e (diff)
download: meta-enea-0f8f654b183e41fed39e2eaa91b7dcb3a9e2086e.tar.gz
2 files changed, 56 insertions, 0 deletions
diff --git a/recipes-kernel/linux/linux-qoriq-3.12/CVE-2015-2922.patch b/recipes-kernel/linux/linux-qoriq-3.12/CVE-2015-2922.patch
new file mode 100644
index 0000000..38eb360
--- /dev/null
+++ b/recipes-kernel/linux/linux-qoriq-3.12/CVE-2015-2922.patch
@@ -0,0 +1,55 @@
+From ac12ff18b11259e10c2d543aa58c73ff88a68e77 Mon Sep 17 00:00:00 2001
+From: "D.S. Ljungmark" <ljungmark@modio.se>
+Date: Wed, 25 Mar 2015 09:28:15 +0100
+Subject: ipv6: Don't reduce hop limit for an interface
+[ Upstream commit 6fd99094de2b83d1d4c8457f2c83483b2828e75a ]
+A local route may have a lower hop_limit set than global routes do.
+RFC 3756, Section 4.2.7, "Parameter Spoofing"
+>   1.  The attacker includes a Current Hop Limit of one or another small
+>       number which the attacker knows will cause legitimate packets to
+>       be dropped before they reach their destination.
+>   As an example, one possible approach to mitigate this threat is to
+>   ignore very small hop limits.  The nodes could implement a
+>   configurable minimum hop limit, and ignore attempts to set it below
+>   said limit.
+Fixes CVE-2015-2922.
+Upstream-Status: Backport
+Signed-off-by: D.S. Ljungmark <ljungmark@modio.se>
+Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ net/ipv6/ndisc.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+diff --git a/net/ipv6/ndisc.c b/net/ipv6/ndisc.c
+index f8a55ff..fda5d95 100644
+--- a/net/ipv6/ndisc.c
+++ b/net/ipv6/ndisc.c
+@@ -1191,7 +1191,14 @@ static void ndisc_router_discovery(struct sk_buff *skb)
+        if (rt)
+                rt6_set_expires(rt, jiffies + (HZ * lifetime));
+        if (ra_msg->icmph.icmp6_hop_limit) {
+-               in6_dev->cnf.hop_limit = ra_msg->icmph.icmp6_hop_limit;
+               /* Only set hop_limit on the interface if it is higher than
+                * the current hop_limit.
+                */
+               if (in6_dev->cnf.hop_limit < ra_msg->icmph.icmp6_hop_limit) {
+                       in6_dev->cnf.hop_limit = ra_msg->icmph.icmp6_hop_limit;
+               } else {
+                       ND_PRINTK(2, warn, "RA: Got route advertisement with lower hop_limit than current\n");
+               }
+                if (rt)
+                        dst_metric_set(&rt->dst, RTAX_HOPLIMIT,
+                                       ra_msg->icmph.icmp6_hop_limit);
+-- 
+cgit v0.12
diff --git a/recipes-kernel/linux/linux-qoriq-common.inc b/recipes-kernel/linux/linux-qoriq-common.inc
index 9052358..504bbfc 100644
--- a/recipes-kernel/linux/linux-qoriq-common.inc
+++ b/recipes-kernel/linux/linux-qoriq-common.inc
@@ -23,6 +23,7 @@ SRC_URI += "file://b4860-hard_irq_disable-bug.patch \
    file://net-rds-CVE-2015-2042.patch \
    file://drivers-scsi-CVE-2015-5707.patch \
    file://vhost-CVE-2015-6252.patch \
+    file://CVE-2015-2922.patch \
    "
 SRC_URI += "file://cfg/00013-localversion.cfg \
author	Sona Sarmadi <sona.sarmadi@enea.com>	2016-03-09 07:37:31 +0100
committer	Huimin She <huimin.she@enea.com>	2016-03-10 15:01:43 +0100
commit	0f8f654b183e41fed39e2eaa91b7dcb3a9e2086e (patch)
tree	85db41980adcbc878551b82825cc87613d22e917
parent	7e15834edfd7f1a4bed0555440b7db97c2b1198e (diff)
download	meta-enea-0f8f654b183e41fed39e2eaa91b7dcb3a9e2086e.tar.gz

diff --git a/recipes-kernel/linux/linux-qoriq-3.12/CVE-2015-2922.patch b/recipes-kernel/linux/linux-qoriq-3.12/CVE-2015-2922.patch new file mode 100644 index 0000000..38eb360 --- /dev/null +++ b/recipes-kernel/linux/linux-qoriq-3.12/CVE-2015-2922.patch
@@ -0,0 +1,55 @@
		1	From ac12ff18b11259e10c2d543aa58c73ff88a68e77 Mon Sep 17 00:00:00 2001
		2	From: "D.S. Ljungmark" <ljungmark@modio.se>
		3	Date: Wed, 25 Mar 2015 09:28:15 +0100
		4	Subject: ipv6: Don't reduce hop limit for an interface
		5
		6	[ Upstream commit 6fd99094de2b83d1d4c8457f2c83483b2828e75a ]
		7
		8	A local route may have a lower hop_limit set than global routes do.
		9
		10	RFC 3756, Section 4.2.7, "Parameter Spoofing"
		11
		12	> 1. The attacker includes a Current Hop Limit of one or another small
		13	> number which the attacker knows will cause legitimate packets to
		14	> be dropped before they reach their destination.
		15
		16	> As an example, one possible approach to mitigate this threat is to
		17	> ignore very small hop limits. The nodes could implement a
		18	> configurable minimum hop limit, and ignore attempts to set it below
		19	> said limit.
		20
		21	Fixes CVE-2015-2922.
		22	Upstream-Status: Backport
		23
		24	Signed-off-by: D.S. Ljungmark <ljungmark@modio.se>
		25	Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
		26	Signed-off-by: David S. Miller <davem@davemloft.net>
		27	Signed-off-by: Jiri Slaby <jslaby@suse.cz>
		28	Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
		29	---
		30	net/ipv6/ndisc.c \| 9 ++++++++-
		31	1 file changed, 8 insertions(+), 1 deletion(-)
		32
		33	diff --git a/net/ipv6/ndisc.c b/net/ipv6/ndisc.c
		34	index f8a55ff..fda5d95 100644
		35	--- a/net/ipv6/ndisc.c
		36	+++ b/net/ipv6/ndisc.c
		37	@@ -1191,7 +1191,14 @@ static void ndisc_router_discovery(struct sk_buff *skb)
		38	if (rt)
		39	rt6_set_expires(rt, jiffies + (HZ * lifetime));
		40	if (ra_msg->icmph.icmp6_hop_limit) {
		41	- in6_dev->cnf.hop_limit = ra_msg->icmph.icmp6_hop_limit;
		42	+ /* Only set hop_limit on the interface if it is higher than
		43	+ * the current hop_limit.
		44	+ */
		45	+ if (in6_dev->cnf.hop_limit < ra_msg->icmph.icmp6_hop_limit) {
		46	+ in6_dev->cnf.hop_limit = ra_msg->icmph.icmp6_hop_limit;
		47	+ } else {
		48	+ ND_PRINTK(2, warn, "RA: Got route advertisement with lower hop_limit than current\n");
		49	+ }
		50	if (rt)
		51	dst_metric_set(&rt->dst, RTAX_HOPLIMIT,
		52	ra_msg->icmph.icmp6_hop_limit);
		53	--
		54	cgit v0.12
		55


diff --git a/recipes-kernel/linux/linux-qoriq-common.inc b/recipes-kernel/linux/linux-qoriq-common.inc index 9052358..504bbfc 100644 --- a/recipes-kernel/linux/linux-qoriq-common.inc +++ b/recipes-kernel/linux/linux-qoriq-common.inc
@@ -23,6 +23,7 @@ SRC_URI += "file://b4860-hard_irq_disable-bug.patch \
23	file://net-rds-CVE-2015-2042.patch \	23	file://net-rds-CVE-2015-2042.patch \
24	file://drivers-scsi-CVE-2015-5707.patch \	24	file://drivers-scsi-CVE-2015-5707.patch \
25	file://vhost-CVE-2015-6252.patch \	25	file://vhost-CVE-2015-6252.patch \
		26	file://CVE-2015-2922.patch \
26	"	27	"
27		28
28	SRC_URI += "file://cfg/00013-localversion.cfg \	29	SRC_URI += "file://cfg/00013-localversion.cfg \