From a63ce710f8d26ad6732602a743ff346a656efb27 Mon Sep 17 00:00:00 2001 From: Sona Sarmadi Date: Tue, 5 Jan 2016 13:27:21 +0100 Subject: kernel-ipv6: CVE-2015-2922 Fixes denial of service (DoS) attack against IPv6 network stacks due to improper handling of Router Advertisements. References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2922 http://www.openwall.com/lists/oss-security/2015/04/04/2 Upstream fix: https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/ patch/?id=c85b2d7e9fa44286feaac33031db1dd0e4c9ed3b Signed-off-by: Sona Sarmadi Signed-off-by: Tudor Florea --- .../ipv6-CVE-2015-2922.patch | 55 ++++++++++++++++++++++ recipes-kernel/linux/linux-hierofalcon_3.19.bb | 1 + 2 files changed, 56 insertions(+) create mode 100644 recipes-kernel/linux/linux-hierofalcon-3.19/ipv6-CVE-2015-2922.patch diff --git a/recipes-kernel/linux/linux-hierofalcon-3.19/ipv6-CVE-2015-2922.patch b/recipes-kernel/linux/linux-hierofalcon-3.19/ipv6-CVE-2015-2922.patch new file mode 100644 index 0000000..728578f --- /dev/null +++ b/recipes-kernel/linux/linux-hierofalcon-3.19/ipv6-CVE-2015-2922.patch @@ -0,0 +1,55 @@ +From c85b2d7e9fa44286feaac33031db1dd0e4c9ed3b Mon Sep 17 00:00:00 2001 +From: "D.S. Ljungmark" +Date: Wed, 25 Mar 2015 09:28:15 +0100 +Subject: ipv6: Don't reduce hop limit for an interface + +[ Upstream commit 6fd99094de2b83d1d4c8457f2c83483b2828e75a ] + +A local route may have a lower hop_limit set than global routes do. + +RFC 3756, Section 4.2.7, "Parameter Spoofing" + +> 1. The attacker includes a Current Hop Limit of one or another small +> number which the attacker knows will cause legitimate packets to +> be dropped before they reach their destination. + +> As an example, one possible approach to mitigate this threat is to +> ignore very small hop limits. The nodes could implement a +> configurable minimum hop limit, and ignore attempts to set it below +> said limit. + +Fixes CVE-2015-2922 +Upstream-Status: Backport + +Signed-off-by: D.S. Ljungmark +Acked-by: Hannes Frederic Sowa +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Sona Sarmadi +--- + net/ipv6/ndisc.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/net/ipv6/ndisc.c b/net/ipv6/ndisc.c +index 4cb45c1..a46c504 100644 +--- a/net/ipv6/ndisc.c ++++ b/net/ipv6/ndisc.c +@@ -1215,7 +1215,14 @@ static void ndisc_router_discovery(struct sk_buff *skb) + if (rt) + rt6_set_expires(rt, jiffies + (HZ * lifetime)); + if (ra_msg->icmph.icmp6_hop_limit) { +- in6_dev->cnf.hop_limit = ra_msg->icmph.icmp6_hop_limit; ++ /* Only set hop_limit on the interface if it is higher than ++ * the current hop_limit. ++ */ ++ if (in6_dev->cnf.hop_limit < ra_msg->icmph.icmp6_hop_limit) { ++ in6_dev->cnf.hop_limit = ra_msg->icmph.icmp6_hop_limit; ++ } else { ++ ND_PRINTK(2, warn, "RA: Got route advertisement with lower hop_limit than current\n"); ++ } + if (rt) + dst_metric_set(&rt->dst, RTAX_HOPLIMIT, + ra_msg->icmph.icmp6_hop_limit); +-- +cgit v0.11.2 + diff --git a/recipes-kernel/linux/linux-hierofalcon_3.19.bb b/recipes-kernel/linux/linux-hierofalcon_3.19.bb index 26dfa6d..82ad305 100644 --- a/recipes-kernel/linux/linux-hierofalcon_3.19.bb +++ b/recipes-kernel/linux/linux-hierofalcon_3.19.bb @@ -25,6 +25,7 @@ SRC_URI = "git://git.yoctoproject.org/linux-yocto-3.19;branch="standard/qemuarm6 file://fs-CVE-2015-5706.patch \ file://md-CVE-2015-5697.patch \ file://vhost-CVE-2015-6252.patch \ + file://ipv6-CVE-2015-2922.patch \ " S = "${WORKDIR}/git" -- cgit v1.2.3-54-g00ecf