author | Sona Sarmadi <sona.sarmadi@enea.com> | 2016-01-05 13:33:14 +0100 |
---|---|---|
committer | Tudor Florea <tudor.florea@enea.com> | 2016-01-05 15:37:17 +0100 |
commit | cb6adb8c1d780cbaf7f3a3f62716f58790984467 (patch) | |
tree | 9a36e9ff49552ee91fb795d1453bcb2e953b97de | |
parent | 6ba834ef50e5bd7debb89528cd129e5d0818e23c (diff) | |
download | meta-enea-cb6adb8c1d780cbaf7f3a3f62716f58790984467.tar.gz |
kernel-ipv6: CVE-2015-2922
Fixes a denial-of-service (DoS) vulnerability in the IPv6 network
stack caused by improper handling of Router Advertisements.
Reference:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2922
Upstream fix:
https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/
patch/?id=01f69adac109867f892f12057660d891b34182f6
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Tudor Florea <tudor.florea@enea.com>
-rw-r--r-- | recipes-kernel/linux/files/ipv6-CVE-2015-2922.patch | 54 | ||||
-rw-r--r-- | recipes-kernel/linux/linux-yocto_3.14.bbappend | 1 |
2 files changed, 55 insertions, 0 deletions
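--- /dev/null
+++ b/recipes-kernel/linux/files/ipv6-CVE-2015-2922.patch
@@ -0,0 +1,54 @@
+From 01f69adac109867f892f12057660d891b34182f6 Mon Sep 17 00:00:00 2001
+From: "D.S. Ljungmark" <ljungmark@modio.se>
+Subject: ipv6: Don't reduce hop limit for an interface
+
+[ Upstream commit 6fd99094de2b83d1d4c8457f2c83483b2828e75a ]
+
+A local route may have a lower hop_limit set than global routes do.
+
+RFC 3756, Section 4.2.7, "Parameter Spoofing"
+
+> 1. The attacker includes a Current Hop Limit of one or another small
+> number which the attacker knows will cause legitimate packets to
+> be dropped before they reach their destination.
+
+> As an example, one possible approach to mitigate this threat is to
+> ignore very small hop limits. The nodes could implement a
+> configurable minimum hop limit, and ignore attempts to set it below
+> said limit.
+
+Fixes CVE-2015-2922.
+Upstream-Status: Backport
+
+Signed-off-by: D.S. Ljungmark <ljungmark@modio.se>
+Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+net/ipv6/ndisc.c | 9 ++++++++-
+1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/net/ipv6/ndisc.c b/net/ipv6/ndisc.c
+index 09a22f4..bcd6518 100644
+--- a/net/ipv6/ndisc.c
++++ b/net/ipv6/ndisc.c
+@@ -1193,7 +1193,14 @@ static void ndisc_router_discovery(struct sk_buff *skb)
+if (rt)
+rt6_set_expires(rt, jiffies + (HZ * lifetime));
+if (ra_msg->icmph.icmp6_hop_limit) {
+- in6_dev->cnf.hop_limit = ra_msg->icmph.icmp6_hop_limit;
++ /* Only set hop_limit on the interface if it is higher than
++ * the current hop_limit.
++ */
++ if (in6_dev->cnf.hop_limit < ra_msg->icmph.icmp6_hop_limit) {
++ in6_dev->cnf.hop_limit = ra_msg->icmph.icmp6_hop_limit;
++ } else {
++ ND_PRINTK(2, warn, "RA: Got route advertisement with lower hop_limit than current\n");
++ }
+if (rt)
+dst_metric_set(&rt->dst, RTAX_HOPLIMIT,
+ra_msg->icmph.icmp6_hop_limit);
+--
+cgit v0.11.2
+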
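Review bot: The new comparison protects only the interface-wide `in6_dev->cnf.hop_limit`; the two lines that follow it inside the backported hunk, `if (rt) dst_metric_set(&rt->dst, RTAX_HOPLIMIT, ra_msg->icmph.icmp6_hop_limit);`, still copy the advertised value into the route metric unconditionally, so a lower hop limit that is rejected for the interface is still applied to the route learned from that advertisement. This matches the upstream commit the file carries, so it is not a backport error, but the patch header or the recipe's commit message should state that the change narrows rather than closes the parameter-spoofing case quoted from RFC 3756, e.g. `Note: only the interface cnf.hop_limit is guarded; the per-route RTAX_HOPLIMIT metric is still taken from the RA.` The enclosing function `ndisc_router_discovery` starts and ends outside the hunk, so whether `rt` is populated on this path cannot be confirmed from this page and should be checked before treating the backport as a complete mitigation.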
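--- a/recipes-kernel/linux/linux-yocto_3.14.bbappend
+++ b/recipes-kernel/linux/linux-yocto_3.14.bbappend
@@ -13,4 +13,5 @@ SRC_URI += "file://HID_CVE_patches/0005-HID-steelseries-validate-output-report-d
 file://vhost-CVE-2015-6252.patch \
 file://ipv4-CVE-2015-1465.patch \
 file://net-rds-CVE-2015-2042.patch \
+file://ipv6-CVE-2015-2922.patch \
 "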