From cb6adb8c1d780cbaf7f3a3f62716f58790984467 Mon Sep 17 00:00:00 2001
From: Sona Sarmadi
Date: Tue, 5 Jan 2016 13:33:14 +0100
Subject: kernel-ipv6: CVE-2015-2922

Fixes denial of service (DoS) attack against IPv6 network stacks due to improper handling of Router Advertisements.
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2922
Upstream fix: https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/ patch/?id=01f69adac109867f892f12057660d891b34182f6
Signed-off-by: Sona Sarmadi
Signed-off-by: Tudor Florea
---
 .../linux/files/ipv6-CVE-2015-2922.patch | 54 ++++++++++++++++++++++
 recipes-kernel/linux/linux-yocto_3.14.bbappend | 1 +
 2 files changed, 55 insertions(+)
 create mode 100644 recipes-kernel/linux/files/ipv6-CVE-2015-2922.patch

diff --git a/recipes-kernel/linux/files/ipv6-CVE-2015-2922.patch b/recipes-kernel/linux/files/ipv6-CVE-2015-2922.patch
new file mode 100644
index 0000000..a02d20f
--- /dev/null
+++ b/recipes-kernel/linux/files/ipv6-CVE-2015-2922.patch
@@ -0,0 +1,54 @@
+From 01f69adac109867f892f12057660d891b34182f6 Mon Sep 17 00:00:00 2001
+From: "D.S. Ljungmark"
+Subject: ipv6: Don't reduce hop limit for an interface
+
+[ Upstream commit 6fd99094de2b83d1d4c8457f2c83483b2828e75a ]
+
+A local route may have a lower hop_limit set than global routes do.
+
+RFC 3756, Section 4.2.7, "Parameter Spoofing"
+
+> 1. The attacker includes a Current Hop Limit of one or another small
+> number which the attacker knows will cause legitimate packets to
+> be dropped before they reach their destination.
+
+> As an example, one possible approach to mitigate this threat is to
+> ignore very small hop limits. The nodes could implement a
+> configurable minimum hop limit, and ignore attempts to set it below
+> said limit.
+
+Fixes CVE-2015-2922.
+Upstream-Status: Backport
+
+Signed-off-by: D.S. Ljungmark
+Acked-by: Hannes Frederic Sowa
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sona Sarmadi
+---
+ net/ipv6/ndisc.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/net/ipv6/ndisc.c b/net/ipv6/ndisc.c
+index 09a22f4..bcd6518 100644
+--- a/net/ipv6/ndisc.c
++++ b/net/ipv6/ndisc.c
+@@ -1193,7 +1193,14 @@ static void ndisc_router_discovery(struct sk_buff *skb)
+ if (rt)
+ rt6_set_expires(rt, jiffies + (HZ * lifetime));
+ if (ra_msg->icmph.icmp6_hop_limit) {
+- in6_dev->cnf.hop_limit = ra_msg->icmph.icmp6_hop_limit;
++ /* Only set hop_limit on the interface if it is higher than
++ * the current hop_limit.
++ */
++ if (in6_dev->cnf.hop_limit < ra_msg->icmph.icmp6_hop_limit) {
++ in6_dev->cnf.hop_limit = ra_msg->icmph.icmp6_hop_limit;
++ } else {
++ ND_PRINTK(2, warn, "RA: Got route advertisement with lower hop_limit than current\n");
++ }
+ if (rt)
+ dst_metric_set(&rt->dst, RTAX_HOPLIMIT,
+ ra_msg->icmph.icmp6_hop_limit);
+--
+cgit v0.11.2
+
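Review bot: The guard added in ndisc_router_discovery() covers only `in6_dev->cnf.hop_limit`; the `dst_metric_set(&rt->dst, RTAX_HOPLIMIT, ra_msg->icmph.icmp6_hop_limit)` call kept as context right after it still stores the advertised value unchecked, so a small Current Hop Limit from a spoofed RA appears to still reach that router's route metric. The commit message quotes RFC 3756's configurable-minimum mitigation, but the code only refuses decreases, which also stops a legitimate router from ever lowering the interface value. Later mainline kernels expose an `accept_ra_min_hop_limit` sysctl for this, and the patch header should say that this backport is the narrower fix. Separately, because the test is `<`, an RA carrying the same hop limit as the current one falls into the `else` and logs "lower hop_limit than current"; `} else if (in6_dev->cnf.hop_limit > ra_msg->icmph.icmp6_hop_limit) {` would keep the message accurate. The function body starts and ends outside the hunk, so how the route metric and the interface default are combined at send time should be confirmed against the full file.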
diff --git a/recipes-kernel/linux/linux-yocto_3.14.bbappend b/recipes-kernel/linux/linux-yocto_3.14.bbappend
index 30d6561..7037182 100644
--- a/recipes-kernel/linux/linux-yocto_3.14.bbappend
+++ b/recipes-kernel/linux/linux-yocto_3.14.bbappend
@@ -13,4 +13,5 @@ SRC_URI += "file://HID_CVE_patches/0005-HID-steelseries-validate-output-report-d
 file://vhost-CVE-2015-6252.patch \
 file://ipv4-CVE-2015-1465.patch \
 file://net-rds-CVE-2015-2042.patch \
+ file://ipv6-CVE-2015-2922.patch \
 "
--
cgit v1.2.3-54-g00ecf