From 1379026b984e169a3bb8745b09f1000cae2d9535 Mon Sep 17 00:00:00 2001
From: Sona Sarmadi <sona.sarmadi@enea.com>
Date: Tue, 5 Jan 2016 13:33:12 +0100
Subject: kernel-net: CVE-2015-1465

Fixes DoS due to routing packets to too many different
dsts/too fast.
A remote attacker can use this flaw to crash the system.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-1465
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1465

Upstream fix:
https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/
patch/?id=ee6db0ad53c9805d31bd1b0b7c9ea901407dfc19

Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Tudor Florea <tudor.florea@enea.com>
---
 .../linux/files/ipv4-CVE-2015-1465.patch           | 107 +++++++++++++++++++++
 recipes-kernel/linux/linux-yocto_3.14.bbappend     |   1 +
 2 files changed, 108 insertions(+)
 create mode 100644 recipes-kernel/linux/files/ipv4-CVE-2015-1465.patch

diff --git a/recipes-kernel/linux/files/ipv4-CVE-2015-1465.patch b/recipes-kernel/linux/files/ipv4-CVE-2015-1465.patch
new file mode 100644
index 0000000..f0b9310
--- /dev/null
+++ b/recipes-kernel/linux/files/ipv4-CVE-2015-1465.patch
@@ -0,0 +1,107 @@
+From ee6db0ad53c9805d31bd1b0b7c9ea901407dfc19 Mon Sep 17 00:00:00 2001
+From: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Date: Fri, 23 Jan 2015 12:01:26 +0100
+Subject: ipv4: try to cache dst_entries which would cause a redirect
+
+[ Upstream commit df4d92549f23e1c037e83323aff58a21b3de7fe0 ]
+
+Not caching dst_entries which cause redirects could be exploited by hosts
+on the same subnet, causing a severe DoS attack. This effect aggravated
+since commit f88649721268999 ("ipv4: fix dst race in sk_dst_get()").
+
+Lookups causing redirects will be allocated with DST_NOCACHE set which
+will force dst_release to free them via RCU.  Unfortunately waiting for
+RCU grace period just takes too long, we can end up with >1M dst_entries
+waiting to be released and the system will run OOM. rcuos threads cannot
+catch up under high softirq load.
+
+Attaching the flag to emit a redirect later on to the specific skb allows
+us to cache those dst_entries thus reducing the pressure on allocation
+and deallocation.
+
+This issue was discovered by Marcelo Leitner.
+
+Fixes CVE-2015-1465.
+Upstream-Status: Backport
+
+Cc: Julian Anastasov <ja@ssi.bg>
+Signed-off-by: Marcelo Leitner <mleitner@redhat.com>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Signed-off-by: Julian Anastasov <ja@ssi.bg>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ include/net/ip.h      | 11 ++++++-----
+ net/ipv4/ip_forward.c |  3 ++-
+ net/ipv4/route.c      |  9 +++++----
+ 3 files changed, 13 insertions(+), 10 deletions(-)
+
+diff --git a/include/net/ip.h b/include/net/ip.h
+index 937f196..f088c36 100644
+--- a/include/net/ip.h
++++ b/include/net/ip.h
+@@ -38,11 +38,12 @@ struct inet_skb_parm {
+ 	struct ip_options	opt;		/* Compiled IP options		*/
+ 	unsigned char		flags;
+ 
+-#define IPSKB_FORWARDED		1
+-#define IPSKB_XFRM_TUNNEL_SIZE	2
+-#define IPSKB_XFRM_TRANSFORMED	4
+-#define IPSKB_FRAG_COMPLETE	8
+-#define IPSKB_REROUTED		16
++#define IPSKB_FORWARDED		BIT(0)
++#define IPSKB_XFRM_TUNNEL_SIZE	BIT(1)
++#define IPSKB_XFRM_TRANSFORMED	BIT(2)
++#define IPSKB_FRAG_COMPLETE	BIT(3)
++#define IPSKB_REROUTED		BIT(4)
++#define IPSKB_DOREDIRECT	BIT(5)
+ 
+ 	u16			frag_max_size;
+ };
+diff --git a/net/ipv4/ip_forward.c b/net/ipv4/ip_forward.c
+index 1c6bd43..ecb34b5 100644
+--- a/net/ipv4/ip_forward.c
++++ b/net/ipv4/ip_forward.c
+@@ -178,7 +178,8 @@ int ip_forward(struct sk_buff *skb)
+ 	 *	We now generate an ICMP HOST REDIRECT giving the route
+ 	 *	we calculated.
+ 	 */
+-	if (rt->rt_flags&RTCF_DOREDIRECT && !opt->srr && !skb_sec_path(skb))
++	if (IPCB(skb)->flags & IPSKB_DOREDIRECT && !opt->srr &&
++	    !skb_sec_path(skb))
+ 		ip_rt_send_redirect(skb);
+ 
+ 	skb->priority = rt_tos2priority(iph->tos);
+diff --git a/net/ipv4/route.c b/net/ipv4/route.c
+index 487bb62..b64330f 100644
+--- a/net/ipv4/route.c
++++ b/net/ipv4/route.c
+@@ -1554,11 +1554,10 @@ static int __mkroute_input(struct sk_buff *skb,
+ 
+ 	do_cache = res->fi && !itag;
+ 	if (out_dev == in_dev && err && IN_DEV_TX_REDIRECTS(out_dev) &&
++	    skb->protocol == htons(ETH_P_IP) &&
+ 	    (IN_DEV_SHARED_MEDIA(out_dev) ||
+-	     inet_addr_onlink(out_dev, saddr, FIB_RES_GW(*res)))) {
+-		flags |= RTCF_DOREDIRECT;
+-		do_cache = false;
+-	}
++	     inet_addr_onlink(out_dev, saddr, FIB_RES_GW(*res))))
++		IPCB(skb)->flags |= IPSKB_DOREDIRECT;
+ 
+ 	if (skb->protocol != htons(ETH_P_IP)) {
+ 		/* Not IP (i.e. ARP). Do not create route, if it is
+@@ -2305,6 +2304,8 @@ static int rt_fill_info(struct net *net,  __be32 dst, __be32 src,
+ 	r->rtm_flags	= (rt->rt_flags & ~0xFFFF) | RTM_F_CLONED;
+ 	if (rt->rt_flags & RTCF_NOTIFY)
+ 		r->rtm_flags |= RTM_F_NOTIFY;
++	if (IPCB(skb)->flags & IPSKB_DOREDIRECT)
++		r->rtm_flags |= RTCF_DOREDIRECT;
+ 
+ 	if (nla_put_be32(skb, RTA_DST, dst))
+ 		goto nla_put_failure;
+-- 
+cgit v0.11.2
+
diff --git a/recipes-kernel/linux/linux-yocto_3.14.bbappend b/recipes-kernel/linux/linux-yocto_3.14.bbappend
index f865fcb..326066a 100644
--- a/recipes-kernel/linux/linux-yocto_3.14.bbappend
+++ b/recipes-kernel/linux/linux-yocto_3.14.bbappend
@@ -11,4 +11,5 @@ SRC_URI += "file://HID_CVE_patches/0005-HID-steelseries-validate-output-report-d
             file://drivers-scsi-CVE-2015-5707.patch \
             file://md-CVE-2015-5697.patch \
             file://vhost-CVE-2015-6252.patch \
+            file://ipv4-CVE-2015-1465.patch \
            "
-- 
cgit v1.2.3-54-g00ecf