kernel-net: CVE-2015-1465

Fixes DoS due to routing packets to too many different
dsts/too fast.
A remote attacker can use this flaw to crash the system.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-1465
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1465

Upstream fix:
https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/
patch/?id=ee6db0ad53c9805d31bd1b0b7c9ea901407dfc19

Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Tudor Florea <tudor.florea@enea.com>

2 files changed, 108 insertions, 0 deletions

diff --git a/recipes-kernel/linux/files/ipv4-CVE-2015-1465.patch b/recipes-kernel/linux/files/ipv4-CVE-2015-1465.patch
new file mode 100644
index 0000000..f0b9310
--- /dev/null
+++ b/recipes-kernel/linux/files/ipv4-CVE-2015-1465.patch
@@ -0,0 +1,107 @@
+From ee6db0ad53c9805d31bd1b0b7c9ea901407dfc19 Mon Sep 17 00:00:00 2001
+From: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Date: Fri, 23 Jan 2015 12:01:26 +0100
+Subject: ipv4: try to cache dst_entries which would cause a redirect
+
+[ Upstream commit df4d92549f23e1c037e83323aff58a21b3de7fe0 ]
+
+Not caching dst_entries which cause redirects could be exploited by hosts
+on the same subnet, causing a severe DoS attack. This effect aggravated
+since commit f88649721268999 ("ipv4: fix dst race in sk_dst_get()").
+
+Lookups causing redirects will be allocated with DST_NOCACHE set which
+will force dst_release to free them via RCU.  Unfortunately waiting for
+RCU grace period just takes too long, we can end up with >1M dst_entries
+waiting to be released and the system will run OOM. rcuos threads cannot
+catch up under high softirq load.
+
+Attaching the flag to emit a redirect later on to the specific skb allows
+us to cache those dst_entries thus reducing the pressure on allocation
+and deallocation.
+
+This issue was discovered by Marcelo Leitner.
+
+Fixes CVE-2015-1465.
+Upstream-Status: Backport
+
+Cc: Julian Anastasov <ja@ssi.bg>
+Signed-off-by: Marcelo Leitner <mleitner@redhat.com>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Signed-off-by: Julian Anastasov <ja@ssi.bg>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ include/net/ip.h      | 11 ++++++-----
+ net/ipv4/ip_forward.c |  3 ++-
+ net/ipv4/route.c      |  9 +++++----
+ 3 files changed, 13 insertions(+), 10 deletions(-)
+
+diff --git a/include/net/ip.h b/include/net/ip.h
+index 937f196..f088c36 100644
+--- a/include/net/ip.h
++++ b/include/net/ip.h
+@@ -38,11 +38,12 @@ struct inet_skb_parm {
+        struct ip_options       opt;            /* Compiled IP options          */
+        unsigned char           flags;
+ 
+-#define IPSKB_FORWARDED                1
+-#define IPSKB_XFRM_TUNNEL_SIZE 2
+-#define IPSKB_XFRM_TRANSFORMED 4
+-#define IPSKB_FRAG_COMPLETE    8
+-#define IPSKB_REROUTED         16
++#define IPSKB_FORWARDED                BIT(0)
++#define IPSKB_XFRM_TUNNEL_SIZE BIT(1)
++#define IPSKB_XFRM_TRANSFORMED BIT(2)
++#define IPSKB_FRAG_COMPLETE    BIT(3)
++#define IPSKB_REROUTED         BIT(4)
++#define IPSKB_DOREDIRECT       BIT(5)
+ 
+        u16                     frag_max_size;
+ };
+diff --git a/net/ipv4/ip_forward.c b/net/ipv4/ip_forward.c
+index 1c6bd43..ecb34b5 100644
+--- a/net/ipv4/ip_forward.c
++++ b/net/ipv4/ip_forward.c
+@@ -178,7 +178,8 @@ int ip_forward(struct sk_buff *skb)
+         *      We now generate an ICMP HOST REDIRECT giving the route
+         *      we calculated.
+         */
+-       if (rt->rt_flags&RTCF_DOREDIRECT && !opt->srr && !skb_sec_path(skb))
++       if (IPCB(skb)->flags & IPSKB_DOREDIRECT && !opt->srr &&
++           !skb_sec_path(skb))
+                ip_rt_send_redirect(skb);
+ 
+        skb->priority = rt_tos2priority(iph->tos);
+diff --git a/net/ipv4/route.c b/net/ipv4/route.c
+index 487bb62..b64330f 100644
+--- a/net/ipv4/route.c
++++ b/net/ipv4/route.c
+@@ -1554,11 +1554,10 @@ static int __mkroute_input(struct sk_buff *skb,
+ 
+        do_cache = res->fi && !itag;
+        if (out_dev == in_dev && err && IN_DEV_TX_REDIRECTS(out_dev) &&
++           skb->protocol == htons(ETH_P_IP) &&
+            (IN_DEV_SHARED_MEDIA(out_dev) ||
+-            inet_addr_onlink(out_dev, saddr, FIB_RES_GW(*res)))) {
+-               flags |= RTCF_DOREDIRECT;
+-               do_cache = false;
+-       }
++            inet_addr_onlink(out_dev, saddr, FIB_RES_GW(*res))))
++               IPCB(skb)->flags |= IPSKB_DOREDIRECT;
+ 
+        if (skb->protocol != htons(ETH_P_IP)) {
+                /* Not IP (i.e. ARP). Do not create route, if it is
+@@ -2305,6 +2304,8 @@ static int rt_fill_info(struct net *net,  __be32 dst, __be32 src,
+        r->rtm_flags    = (rt->rt_flags & ~0xFFFF) | RTM_F_CLONED;
+        if (rt->rt_flags & RTCF_NOTIFY)
+                r->rtm_flags |= RTM_F_NOTIFY;
++       if (IPCB(skb)->flags & IPSKB_DOREDIRECT)
++               r->rtm_flags |= RTCF_DOREDIRECT;
+ 
+        if (nla_put_be32(skb, RTA_DST, dst))
+                goto nla_put_failure;
+-- 
+cgit v0.11.2
+
diff --git a/recipes-kernel/linux/linux-yocto_3.14.bbappend b/recipes-kernel/linux/linux-yocto_3.14.bbappend
index f865fcb..326066a 100644
--- a/recipes-kernel/linux/linux-yocto_3.14.bbappend
+++ b/recipes-kernel/linux/linux-yocto_3.14.bbappend
@@ -11,4 +11,5 @@ SRC_URI += "file://HID_CVE_patches/0005-HID-steelseries-validate-output-report-d
             file://drivers-scsi-CVE-2015-5707.patch \
             file://md-CVE-2015-5697.patch \
             file://vhost-CVE-2015-6252.patch \
+            file://ipv4-CVE-2015-1465.patch \
            "