diff --git a/ipv6-remove-max_addresses-check-from-ipv6_create_tempaddr.patch b/ipv6-remove-max_addresses-check-from-ipv6_create_tempaddr.patch
new file mode 100644
index 000000000..3c0153be9
--- /dev/null
+++ b/ipv6-remove-max_addresses-check-from-ipv6_create_tempaddr.patch
@@ -0,0 +1,60 @@
+From 4b08a8f1bd8cb4541c93ec170027b4d0782dab52 Mon Sep 17 00:00:00 2001
+From: Hannes Frederic Sowa
+Date: Fri, 16 Aug 2013 11:02:27 +0000
+Subject: ipv6: remove max_addresses check from ipv6_create_tempaddr
+
+Because of the max_addresses check attackers were able to disable privacy
+extensions on an interface by creating enough autoconfigured addresses:
+
+
+
+But the check is not actually needed: max_addresses protects the
+kernel to install too many ipv6 addresses on an interface and guards
+addrconf_prefix_rcv to install further addresses as soon as this limit
+is reached. We only generate temporary addresses in direct response of
+a new address showing up. As soon as we filled up the maximum number of
+addresses of an interface, we stop installing more addresses and thus
+also stop generating more temp addresses.
+
+Even if the attacker tries to generate a lot of temporary addresses
+by announcing a prefix and removing it again (lifetime == 0) we won't
+install more temp addresses, because the temporary addresses do count
+to the maximum number of addresses, thus we would stop installing new
+autoconfigured addresses when the limit is reached.
+
+This patch fixes CVE-2013-0343 (but other layer-2 attacks are still
+possible).
+
+Thanks to Ding Tianhong to bring this topic up again.
+
+Cc: Ding Tianhong
+Cc: George Kargiotakis
+Cc: P J P
+Cc: YOSHIFUJI Hideaki
+Signed-off-by: Hannes Frederic Sowa
+Acked-by: Ding Tianhong
+Signed-off-by: David S. Miller
+---
+diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
+index da4241c..498ea99 100644
+--- a/net/ipv6/addrconf.c
++++ b/net/ipv6/addrconf.c
+@@ -1126,12 +1126,10 @@ retry:
+ if (ifp->flags & IFA_F_OPTIMISTIC)
+ addr_flags |= IFA_F_OPTIMISTIC;
+
+- ift = !max_addresses ||
+- ipv6_count_addresses(idev) < max_addresses ?
+- ipv6_add_addr(idev, &addr, NULL, tmp_plen,
+- ipv6_addr_scope(&addr), addr_flags,
+- tmp_valid_lft, tmp_prefered_lft) : NULL;
+- if (IS_ERR_OR_NULL(ift)) {
++ ift = ipv6_add_addr(idev, &addr, NULL, tmp_plen,
++ ipv6_addr_scope(&addr), addr_flags,
++ tmp_valid_lft, tmp_prefered_lft);
++ if (IS_ERR(ift)) {
+ in6_ifa_put(ifp);
+ in6_dev_put(idev);
+ pr_info("%s: retry temporary address regeneration\n", __func__);
+--
+cgit v0.9.2
diff --git a/kernel.spec b/kernel.spec
index db55ecc2d..b6e273dc7 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -745,6 +745,10 @@ Patch25069: iwlwifi-dvm-fix-calling-ieee80211_chswitch_done-with-NULL.patch #rhbz 963715 Patch25077: media-cx23885-Fix-TeVii-S471-regression-since-introduction-of-ts2020.patch
+#CVE-2013-0343 rhbz 914664 999380
+Patch25078: ipv6-remove-max_addresses-check-from-ipv6_create_tempaddr.patch
+
+
 # END OF PATCH DEFINITIONS %endif
@@ -1444,6 +1448,9 @@ ApplyPatch iwlwifi-dvm-fix-calling-ieee80211_chswitch_done-with-NULL.patch #rhbz 963715 ApplyPatch media-cx23885-Fix-TeVii-S471-regression-since-introduction-of-ts2020.patch
+#CVE-2013-0343 rhbz 914664 999380
+ApplyPatch ipv6-remove-max_addresses-check-from-ipv6_create_tempaddr.patch
+
 # END OF PATCH APPLICATIONS %endif
@@ -2237,6 +2244,9 @@ fi # ||----w | # || || %changelog
+* Wed Aug 21 2013 Josh Boyer
+- CVE-2013-0343 handling of IPv6 temporary addresses (rhbz 914664 999380)
+
 * Tue Aug 20 2013 Josh Boyer - 3.11.0-0.rc6.git1.1 - Linux v3.11-rc6-28-gfd3930f - Reenable debugging options.
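Review bot: In the net/ipv6/addrconf.c hunk carried by the new patch file, the failure test narrows from `IS_ERR_OR_NULL(ift)` to `IS_ERR(ift)`, which is safe only if ipv6_add_addr() never returns NULL; its definition is not in the hunk, so that contract should be confirmed and stated at the call site, for example `/* ipv6_add_addr() reports failure via ERR_PTR(), never NULL */`. The call also no longer enforces max_addresses itself: per the commit message the bound now rests on addrconf_prefix_rcv refusing further addresses once the limit is reached, and a short comment recording that invariant next to the call would help keep a later refactor from reopening unbounded temporary-address creation. The enclosing function begins and ends outside the hunk, so the later uses of `ift` cannot be checked from here.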