From 0f8f654b183e41fed39e2eaa91b7dcb3a9e2086e Mon Sep 17 00:00:00 2001
From: Sona Sarmadi
Date: Wed, 9 Mar 2016 07:37:31 +0100
Subject: kernel-ipv6: CVE-2015-2922 Fixes denial of service (DoS) attack against IPv6 network stacks due to improper handling of Router Advertisements. Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2922 Upstream fix: https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/ patch/?id=ac12ff18b11259e10c2d543aa58c73ff88a68e77
Signed-off-by: Sona Sarmadi
Signed-off-by: Huimin She
---
 .../linux/linux-qoriq-3.12/CVE-2015-2922.patch | 55 ++++++++++++++++++++++
 recipes-kernel/linux/linux-qoriq-common.inc | 1 +
 2 files changed, 56 insertions(+)
 create mode 100644 recipes-kernel/linux/linux-qoriq-3.12/CVE-2015-2922.patch
diff --git a/recipes-kernel/linux/linux-qoriq-3.12/CVE-2015-2922.patch b/recipes-kernel/linux/linux-qoriq-3.12/CVE-2015-2922.patch
new file mode 100644
index 0000000..38eb360
--- /dev/null
+++ b/recipes-kernel/linux/linux-qoriq-3.12/CVE-2015-2922.patch
@@ -0,0 +1,55 @@
+From ac12ff18b11259e10c2d543aa58c73ff88a68e77 Mon Sep 17 00:00:00 2001
+From: "D.S. Ljungmark"
+Date: Wed, 25 Mar 2015 09:28:15 +0100
+Subject: ipv6: Don't reduce hop limit for an interface
+
+[ Upstream commit 6fd99094de2b83d1d4c8457f2c83483b2828e75a ]
+
+A local route may have a lower hop_limit set than global routes do.
+
+RFC 3756, Section 4.2.7, "Parameter Spoofing"
+
+> 1. The attacker includes a Current Hop Limit of one or another small
+> number which the attacker knows will cause legitimate packets to
+> be dropped before they reach their destination.
+
+> As an example, one possible approach to mitigate this threat is to
+> ignore very small hop limits. The nodes could implement a
+> configurable minimum hop limit, and ignore attempts to set it below
+> said limit.
+
+Fixes CVE-2015-2922.
+Upstream-Status: Backport
+
+Signed-off-by: D.S. Ljungmark
+Acked-by: Hannes Frederic Sowa
+Signed-off-by: David S. Miller
+Signed-off-by: Jiri Slaby
+Signed-off-by: Sona Sarmadi
+---
+ net/ipv6/ndisc.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/net/ipv6/ndisc.c b/net/ipv6/ndisc.c
+index f8a55ff..fda5d95 100644
+--- a/net/ipv6/ndisc.c
++++ b/net/ipv6/ndisc.c
+@@ -1191,7 +1191,14 @@ static void ndisc_router_discovery(struct sk_buff *skb)
+ if (rt)
+ rt6_set_expires(rt, jiffies + (HZ * lifetime));
+ if (ra_msg->icmph.icmp6_hop_limit) {
+- in6_dev->cnf.hop_limit = ra_msg->icmph.icmp6_hop_limit;
++ /* Only set hop_limit on the interface if it is higher than
++ * the current hop_limit.
++ */
++ if (in6_dev->cnf.hop_limit < ra_msg->icmph.icmp6_hop_limit) {
++ in6_dev->cnf.hop_limit = ra_msg->icmph.icmp6_hop_limit;
++ } else {
++ ND_PRINTK(2, warn, "RA: Got route advertisement with lower hop_limit than current\n");
++ }
+ if (rt)
+ dst_metric_set(&rt->dst, RTAX_HOPLIMIT,
+ ra_msg->icmph.icmp6_hop_limit);
+--
+cgit v0.12
+
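Review bot: In the backported ndisc.c hunk the `else` branch also runs when the advertised hop limit equals the current one, so an ordinary RA that repeats the configured value is logged as "lower hop_limit than current"; `} else if (in6_dev->cnf.hop_limit > ra_msg->icmph.icmp6_hop_limit) {` would keep the warning for real attempts to lower it, and the message should say "router advertisement" rather than "route advertisement". The new guard covers only `in6_dev->cnf.hop_limit`: when `rt` is set, the following `dst_metric_set(&rt->dst, RTAX_HOPLIMIT, ...)` still stores the advertised value on the route unchecked, which the commit message suggests is intended but which deserves a comment such as `/* the per-route metric may still be lower than the interface default */`. Because RAs can now only raise the interface value, a legitimately lowered hop limit is ignored; later upstream kernels appear to address this with an `accept_ra_min_hop_limit` sysctl, worth checking for when this tree is rebased. `ndisc_router_discovery` starts and ends outside the hunk.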
diff --git a/recipes-kernel/linux/linux-qoriq-common.inc b/recipes-kernel/linux/linux-qoriq-common.inc
index 9052358..504bbfc 100644
--- a/recipes-kernel/linux/linux-qoriq-common.inc
+++ b/recipes-kernel/linux/linux-qoriq-common.inc
@@ -23,6 +23,7 @@ SRC_URI += "file://b4860-hard_irq_disable-bug.patch \
 file://net-rds-CVE-2015-2042.patch \
 file://drivers-scsi-CVE-2015-5707.patch \
 file://vhost-CVE-2015-6252.patch \
+ file://CVE-2015-2922.patch \
 "
 
 SRC_URI += "file://cfg/00013-localversion.cfg \
--
cgit v1.2.3-54-g00ecf