kernel-ipv6: CVE-2015-2922

Fixes denial of service (DoS) attack against IPv6 network stacks due to improper handling of Router Advertisements. Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2922 Upstream fix: https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/ patch/?id=01f69adac109867f892f12057660d891b34182f6 Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Tudor Florea <tudor.florea@enea.com>
author: Sona Sarmadi <sona.sarmadi@enea.com> 2016-01-05 13:33:14 +0100
committer: Tudor Florea <tudor.florea@enea.com> 2016-01-05 15:37:17 +0100
commit: cb6adb8c1d780cbaf7f3a3f62716f58790984467 (patch)
tree: 9a36e9ff49552ee91fb795d1453bcb2e953b97de
parent: 6ba834ef50e5bd7debb89528cd129e5d0818e23c (diff)
download: meta-enea-cb6adb8c1d780cbaf7f3a3f62716f58790984467.tar.gz
2 files changed, 55 insertions, 0 deletions
diff --git a/recipes-kernel/linux/files/ipv6-CVE-2015-2922.patch b/recipes-kernel/linux/files/ipv6-CVE-2015-2922.patch
new file mode 100644
index 0000000..a02d20f
--- /dev/null
+++ b/recipes-kernel/linux/files/ipv6-CVE-2015-2922.patch
@@ -0,0 +1,54 @@
+From 01f69adac109867f892f12057660d891b34182f6 Mon Sep 17 00:00:00 2001
+From: "D.S. Ljungmark" <ljungmark@modio.se>
+Subject: ipv6: Don't reduce hop limit for an interface
+[ Upstream commit 6fd99094de2b83d1d4c8457f2c83483b2828e75a ]
+A local route may have a lower hop_limit set than global routes do.
+RFC 3756, Section 4.2.7, "Parameter Spoofing"
+>   1.  The attacker includes a Current Hop Limit of one or another small
+>       number which the attacker knows will cause legitimate packets to
+>       be dropped before they reach their destination.
+>   As an example, one possible approach to mitigate this threat is to
+>   ignore very small hop limits.  The nodes could implement a
+>   configurable minimum hop limit, and ignore attempts to set it below
+>   said limit.
+Fixes CVE-2015-2922.
+Upstream-Status: Backport
+Signed-off-by: D.S. Ljungmark <ljungmark@modio.se>
+Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ net/ipv6/ndisc.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+diff --git a/net/ipv6/ndisc.c b/net/ipv6/ndisc.c
+index 09a22f4..bcd6518 100644
+--- a/net/ipv6/ndisc.c
+++ b/net/ipv6/ndisc.c
+@@ -1193,7 +1193,14 @@ static void ndisc_router_discovery(struct sk_buff *skb)
+        if (rt)
+                rt6_set_expires(rt, jiffies + (HZ * lifetime));
+        if (ra_msg->icmph.icmp6_hop_limit) {
+-               in6_dev->cnf.hop_limit = ra_msg->icmph.icmp6_hop_limit;
+               /* Only set hop_limit on the interface if it is higher than
+                * the current hop_limit.
+                */
+               if (in6_dev->cnf.hop_limit < ra_msg->icmph.icmp6_hop_limit) {
+                       in6_dev->cnf.hop_limit = ra_msg->icmph.icmp6_hop_limit;
+               } else {
+                       ND_PRINTK(2, warn, "RA: Got route advertisement with lower hop_limit than current\n");
+               }
+                if (rt)
+                        dst_metric_set(&rt->dst, RTAX_HOPLIMIT,
+                                       ra_msg->icmph.icmp6_hop_limit);
+-- 
+cgit v0.11.2
diff --git a/recipes-kernel/linux/linux-yocto_3.14.bbappend b/recipes-kernel/linux/linux-yocto_3.14.bbappend
index 30d6561..7037182 100644
--- a/recipes-kernel/linux/linux-yocto_3.14.bbappend
+++ b/recipes-kernel/linux/linux-yocto_3.14.bbappend
@@ -13,4 +13,5 @@ SRC_URI += "file://HID_CVE_patches/0005-HID-steelseries-validate-output-report-d
            file://vhost-CVE-2015-6252.patch \
            file://ipv4-CVE-2015-1465.patch \
            file://net-rds-CVE-2015-2042.patch \
+            file://ipv6-CVE-2015-2922.patch \
           "
author	Sona Sarmadi <sona.sarmadi@enea.com>	2016-01-05 13:33:14 +0100
committer	Tudor Florea <tudor.florea@enea.com>	2016-01-05 15:37:17 +0100
commit	cb6adb8c1d780cbaf7f3a3f62716f58790984467 (patch)
tree	9a36e9ff49552ee91fb795d1453bcb2e953b97de
parent	6ba834ef50e5bd7debb89528cd129e5d0818e23c (diff)
download	meta-enea-cb6adb8c1d780cbaf7f3a3f62716f58790984467.tar.gz

diff --git a/recipes-kernel/linux/files/ipv6-CVE-2015-2922.patch b/recipes-kernel/linux/files/ipv6-CVE-2015-2922.patch new file mode 100644 index 0000000..a02d20f --- /dev/null +++ b/recipes-kernel/linux/files/ipv6-CVE-2015-2922.patch
@@ -0,0 +1,54 @@
		1	From 01f69adac109867f892f12057660d891b34182f6 Mon Sep 17 00:00:00 2001
		2	From: "D.S. Ljungmark" <ljungmark@modio.se>
		3	Subject: ipv6: Don't reduce hop limit for an interface
		4
		5	[ Upstream commit 6fd99094de2b83d1d4c8457f2c83483b2828e75a ]
		6
		7	A local route may have a lower hop_limit set than global routes do.
		8
		9	RFC 3756, Section 4.2.7, "Parameter Spoofing"
		10
		11	> 1. The attacker includes a Current Hop Limit of one or another small
		12	> number which the attacker knows will cause legitimate packets to
		13	> be dropped before they reach their destination.
		14
		15	> As an example, one possible approach to mitigate this threat is to
		16	> ignore very small hop limits. The nodes could implement a
		17	> configurable minimum hop limit, and ignore attempts to set it below
		18	> said limit.
		19
		20	Fixes CVE-2015-2922.
		21	Upstream-Status: Backport
		22
		23	Signed-off-by: D.S. Ljungmark <ljungmark@modio.se>
		24	Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
		25	Signed-off-by: David S. Miller <davem@davemloft.net>
		26	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
		27	Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
		28	---
		29	net/ipv6/ndisc.c \| 9 ++++++++-
		30	1 file changed, 8 insertions(+), 1 deletion(-)
		31
		32	diff --git a/net/ipv6/ndisc.c b/net/ipv6/ndisc.c
		33	index 09a22f4..bcd6518 100644
		34	--- a/net/ipv6/ndisc.c
		35	+++ b/net/ipv6/ndisc.c
		36	@@ -1193,7 +1193,14 @@ static void ndisc_router_discovery(struct sk_buff *skb)
		37	if (rt)
		38	rt6_set_expires(rt, jiffies + (HZ * lifetime));
		39	if (ra_msg->icmph.icmp6_hop_limit) {
		40	- in6_dev->cnf.hop_limit = ra_msg->icmph.icmp6_hop_limit;
		41	+ /* Only set hop_limit on the interface if it is higher than
		42	+ * the current hop_limit.
		43	+ */
		44	+ if (in6_dev->cnf.hop_limit < ra_msg->icmph.icmp6_hop_limit) {
		45	+ in6_dev->cnf.hop_limit = ra_msg->icmph.icmp6_hop_limit;
		46	+ } else {
		47	+ ND_PRINTK(2, warn, "RA: Got route advertisement with lower hop_limit than current\n");
		48	+ }
		49	if (rt)
		50	dst_metric_set(&rt->dst, RTAX_HOPLIMIT,
		51	ra_msg->icmph.icmp6_hop_limit);
		52	--
		53	cgit v0.11.2
		54


diff --git a/recipes-kernel/linux/linux-yocto_3.14.bbappend b/recipes-kernel/linux/linux-yocto_3.14.bbappend index 30d6561..7037182 100644 --- a/recipes-kernel/linux/linux-yocto_3.14.bbappend +++ b/recipes-kernel/linux/linux-yocto_3.14.bbappend
@@ -13,4 +13,5 @@ SRC_URI += "file://HID_CVE_patches/0005-HID-steelseries-validate-output-report-d
13	file://vhost-CVE-2015-6252.patch \	13	file://vhost-CVE-2015-6252.patch \
14	file://ipv4-CVE-2015-1465.patch \	14	file://ipv4-CVE-2015-1465.patch \
15	file://net-rds-CVE-2015-2042.patch \	15	file://net-rds-CVE-2015-2042.patch \
		16	file://ipv6-CVE-2015-2922.patch \
16	"	17	"