author | Sona Sarmadi <sona.sarmadi@enea.com> | 2016-01-05 13:33:12 +0100 |
---|---|---|
committer | Tudor Florea <tudor.florea@enea.com> | 2016-01-05 15:34:49 +0100 |
commit | 1379026b984e169a3bb8745b09f1000cae2d9535 (patch) | |
tree | f90f24dc8361e4913d3f78b2023c3a7a918a2a83 | |
parent | 112edaf87ad6789f56dde1aafb4ce61a14757705 (diff) | |
download | meta-enea-1379026b984e169a3bb8745b09f1000cae2d9535.tar.gz |
kernel-net: CVE-2015-1465
Fixes DoS due to routing packets to too many different
dsts/too fast.
A remote attacker can use this flaw to crash the system.
References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-1465
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1465
Upstream fix:
https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/
patch/?id=ee6db0ad53c9805d31bd1b0b7c9ea901407dfc19
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Tudor Florea <tudor.florea@enea.com>
-rw-r--r-- | recipes-kernel/linux/files/ipv4-CVE-2015-1465.patch | 107 | ||||
-rw-r--r-- | recipes-kernel/linux/linux-yocto_3.14.bbappend | 1 |
2 files changed, 108 insertions, 0 deletions
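diff --git a/recipes-kernel/linux/files/ipv4-CVE-2015-1465.patch b/recipes-kernel/linux/files/ipv4-CVE-2015-1465.patch
new file mode 100644
index 0000000..f0b9310
--- /dev/null
+++ b/recipes-kernel/linux/files/ipv4-CVE-2015-1465.patch
@@ -0,0 +1,107 @@
+From ee6db0ad53c9805d31bd1b0b7c9ea901407dfc19 Mon Sep 17 00:00:00 2001
+From: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Date: Fri, 23 Jan 2015 12:01:26 +0100
+Subject: ipv4: try to cache dst_entries which would cause a redirect
+
+[ Upstream commit df4d92549f23e1c037e83323aff58a21b3de7fe0 ]
+
+Not caching dst_entries which cause redirects could be exploited by hosts
+on the same subnet, causing a severe DoS attack. This effect aggravated
+since commit f88649721268999 ("ipv4: fix dst race in sk_dst_get()").
+
+Lookups causing redirects will be allocated with DST_NOCACHE set which
+will force dst_release to free them via RCU. Unfortunately waiting for
+RCU grace period just takes too long, we can end up with >1M dst_entries
+waiting to be released and the system will run OOM. rcuos threads cannot
+catch up under high softirq load.
+
+Attaching the flag to emit a redirect later on to the specific skb allows
+us to cache those dst_entries thus reducing the pressure on allocation
+and deallocation.
+
+This issue was discovered by Marcelo Leitner.
+
+Fixes CVE-2015-1465.
+Upstream-Status: Backport
+
+Cc: Julian Anastasov <ja@ssi.bg>
+Signed-off-by: Marcelo Leitner <mleitner@redhat.com>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Signed-off-by: Julian Anastasov <ja@ssi.bg>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+include/net/ip.h | 11 ++++++-----
+net/ipv4/ip_forward.c | 3 ++-
+net/ipv4/route.c | 9 +++++----
+3 files changed, 13 insertions(+), 10 deletions(-)
+
+diff --git a/include/net/ip.h b/include/net/ip.h
+index 937f196..f088c36 100644
+--- a/include/net/ip.h
++++ b/include/net/ip.h
+@@ -38,11 +38,12 @@ struct inet_skb_parm {
+struct ip_options opt; /* Compiled IP options */
+unsigned char flags;
+
+-#define IPSKB_FORWARDED 1
+-#define IPSKB_XFRM_TUNNEL_SIZE 2
+-#define IPSKB_XFRM_TRANSFORMED 4
+-#define IPSKB_FRAG_COMPLETE 8
+-#define IPSKB_REROUTED 16
++#define IPSKB_FORWARDED BIT(0)
++#define IPSKB_XFRM_TUNNEL_SIZE BIT(1)
++#define IPSKB_XFRM_TRANSFORMED BIT(2)
++#define IPSKB_FRAG_COMPLETE BIT(3)
++#define IPSKB_REROUTED BIT(4)
++#define IPSKB_DOREDIRECT BIT(5)
+
+u16 frag_max_size;
+};
+diff --git a/net/ipv4/ip_forward.c b/net/ipv4/ip_forward.c
+index 1c6bd43..ecb34b5 100644
+--- a/net/ipv4/ip_forward.c
++++ b/net/ipv4/ip_forward.c
+@@ -178,7 +178,8 @@ int ip_forward(struct sk_buff *skb)
+* We now generate an ICMP HOST REDIRECT giving the route
+* we calculated.
+*/
+- if (rt->rt_flags&RTCF_DOREDIRECT && !opt->srr && !skb_sec_path(skb))
++ if (IPCB(skb)->flags & IPSKB_DOREDIRECT && !opt->srr &&
++ !skb_sec_path(skb))
+ip_rt_send_redirect(skb);
+
+skb->priority = rt_tos2priority(iph->tos);
+diff --git a/net/ipv4/route.c b/net/ipv4/route.c
+index 487bb62..b64330f 100644
+--- a/net/ipv4/route.c
++++ b/net/ipv4/route.c
+@@ -1554,11 +1554,10 @@ static int __mkroute_input(struct sk_buff *skb,
+
+do_cache = res->fi && !itag;
+if (out_dev == in_dev && err && IN_DEV_TX_REDIRECTS(out_dev) &&
++ skb->protocol == htons(ETH_P_IP) &&
+(IN_DEV_SHARED_MEDIA(out_dev) ||
+- inet_addr_onlink(out_dev, saddr, FIB_RES_GW(*res)))) {
+- flags |= RTCF_DOREDIRECT;
+- do_cache = false;
+- }
++ inet_addr_onlink(out_dev, saddr, FIB_RES_GW(*res))))
++ IPCB(skb)->flags |= IPSKB_DOREDIRECT;
+
+if (skb->protocol != htons(ETH_P_IP)) {
+/* Not IP (i.e. ARP). Do not create route, if it is
+@@ -2305,6 +2304,8 @@ static int rt_fill_info(struct net *net, __be32 dst, __be32 src,
+r->rtm_flags = (rt->rt_flags & ~0xFFFF) | RTM_F_CLONED;
+if (rt->rt_flags & RTCF_NOTIFY)
+r->rtm_flags |= RTM_F_NOTIFY;
++ if (IPCB(skb)->flags & IPSKB_DOREDIRECT)
++ r->rtm_flags |= RTCF_DOREDIRECT;
+
+if (nla_put_be32(skb, RTA_DST, dst))
+goto nla_put_failure;
+--
+cgit v0.11.2
+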
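Review bot: The `skb->protocol == htons(ETH_P_IP)` test added to the redirect condition in `__mkroute_input` (net/ipv4/route.c hunk) carries no comment, yet it appears to be the only thing keeping the new `IPCB(skb)->flags |= IPSKB_DOREDIRECT` write away from the non-IP (ARP) skbs that the very next `if` handles. Because the redirect decision now lives in the per-packet control block instead of in `rt->rt_flags`, a later reorder or removal of that test would write into control-block bytes that are presumably laid out differently for ARP. I would add a comment above the condition such as `/* IPCB() is only meaningful for IPv4 skbs; ARP lookups also reach this point */`. The function body starts and ends outside the hunk, so whether the flag is cleared anywhere before the skb is reused cannot be judged from this page.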
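diff --git a/recipes-kernel/linux/linux-yocto_3.14.bbappend b/recipes-kernel/linux/linux-yocto_3.14.bbappend
index f865fcb..326066a 100644
--- a/recipes-kernel/linux/linux-yocto_3.14.bbappend
+++ b/recipes-kernel/linux/linux-yocto_3.14.bbappend
@@ -11,4 +11,5 @@ SRC_URI += "file://HID_CVE_patches/0005-HID-steelseries-validate-output-report-d
 file://drivers-scsi-CVE-2015-5707.patch \
 file://md-CVE-2015-5697.patch \
 file://vhost-CVE-2015-6252.patch \
+file://ipv4-CVE-2015-1465.patch \
 "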