CVE-2013-0343 handling of IPv6 temporary addresses (rhbz 914664 999380)
This commit is contained in:
parent
3a10cda4e7
commit
b588efef6f
@ -0,0 +1,60 @@
|
|||||||
|
From 4b08a8f1bd8cb4541c93ec170027b4d0782dab52 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Hannes Frederic Sowa <hannes@stressinduktion.org>
|
||||||
|
Date: Fri, 16 Aug 2013 11:02:27 +0000
|
||||||
|
Subject: ipv6: remove max_addresses check from ipv6_create_tempaddr
|
||||||
|
|
||||||
|
Because of the max_addresses check attackers were able to disable privacy
|
||||||
|
extensions on an interface by creating enough autoconfigured addresses:
|
||||||
|
|
||||||
|
<http://seclists.org/oss-sec/2012/q4/292>
|
||||||
|
|
||||||
|
But the check is not actually needed: max_addresses protects the
|
||||||
|
kernel to install too many ipv6 addresses on an interface and guards
|
||||||
|
addrconf_prefix_rcv to install further addresses as soon as this limit
|
||||||
|
is reached. We only generate temporary addresses in direct response of
|
||||||
|
a new address showing up. As soon as we filled up the maximum number of
|
||||||
|
addresses of an interface, we stop installing more addresses and thus
|
||||||
|
also stop generating more temp addresses.
|
||||||
|
|
||||||
|
Even if the attacker tries to generate a lot of temporary addresses
|
||||||
|
by announcing a prefix and removing it again (lifetime == 0) we won't
|
||||||
|
install more temp addresses, because the temporary addresses do count
|
||||||
|
to the maximum number of addresses, thus we would stop installing new
|
||||||
|
autoconfigured addresses when the limit is reached.
|
||||||
|
|
||||||
|
This patch fixes CVE-2013-0343 (but other layer-2 attacks are still
|
||||||
|
possible).
|
||||||
|
|
||||||
|
Thanks to Ding Tianhong to bring this topic up again.
|
||||||
|
|
||||||
|
Cc: Ding Tianhong <dingtianhong@huawei.com>
|
||||||
|
Cc: George Kargiotakis <kargig@void.gr>
|
||||||
|
Cc: P J P <ppandit@redhat.com>
|
||||||
|
Cc: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
|
||||||
|
Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
|
||||||
|
Acked-by: Ding Tianhong <dingtianhong@huawei.com>
|
||||||
|
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||||
|
---
|
||||||
|
diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
|
||||||
|
index da4241c..498ea99 100644
|
||||||
|
--- a/net/ipv6/addrconf.c
|
||||||
|
+++ b/net/ipv6/addrconf.c
|
||||||
|
@@ -1126,12 +1126,10 @@ retry:
|
||||||
|
if (ifp->flags & IFA_F_OPTIMISTIC)
|
||||||
|
addr_flags |= IFA_F_OPTIMISTIC;
|
||||||
|
|
||||||
|
- ift = !max_addresses ||
|
||||||
|
- ipv6_count_addresses(idev) < max_addresses ?
|
||||||
|
- ipv6_add_addr(idev, &addr, NULL, tmp_plen,
|
||||||
|
- ipv6_addr_scope(&addr), addr_flags,
|
||||||
|
- tmp_valid_lft, tmp_prefered_lft) : NULL;
|
||||||
|
- if (IS_ERR_OR_NULL(ift)) {
|
||||||
|
+ ift = ipv6_add_addr(idev, &addr, NULL, tmp_plen,
|
||||||
|
+ ipv6_addr_scope(&addr), addr_flags,
|
||||||
|
+ tmp_valid_lft, tmp_prefered_lft);
|
||||||
|
+ if (IS_ERR(ift)) {
|
||||||
|
in6_ifa_put(ifp);
|
||||||
|
in6_dev_put(idev);
|
||||||
|
pr_info("%s: retry temporary address regeneration\n", __func__);
|
||||||
|
--
|
||||||
|
cgit v0.9.2
|
10
kernel.spec
10
kernel.spec
@ -745,6 +745,10 @@ Patch25069: iwlwifi-dvm-fix-calling-ieee80211_chswitch_done-with-NULL.patch
|
|||||||
#rhbz 963715
|
#rhbz 963715
|
||||||
Patch25077: media-cx23885-Fix-TeVii-S471-regression-since-introduction-of-ts2020.patch
|
Patch25077: media-cx23885-Fix-TeVii-S471-regression-since-introduction-of-ts2020.patch
|
||||||
|
|
||||||
|
#CVE-2013-0343 rhbz 914664 999380
|
||||||
|
Patch25078: ipv6-remove-max_addresses-check-from-ipv6_create_tempaddr.patch
|
||||||
|
|
||||||
|
|
||||||
# END OF PATCH DEFINITIONS
|
# END OF PATCH DEFINITIONS
|
||||||
|
|
||||||
%endif
|
%endif
|
||||||
@ -1444,6 +1448,9 @@ ApplyPatch iwlwifi-dvm-fix-calling-ieee80211_chswitch_done-with-NULL.patch
|
|||||||
#rhbz 963715
|
#rhbz 963715
|
||||||
ApplyPatch media-cx23885-Fix-TeVii-S471-regression-since-introduction-of-ts2020.patch
|
ApplyPatch media-cx23885-Fix-TeVii-S471-regression-since-introduction-of-ts2020.patch
|
||||||
|
|
||||||
|
#CVE-2013-0343 rhbz 914664 999380
|
||||||
|
ApplyPatch ipv6-remove-max_addresses-check-from-ipv6_create_tempaddr.patch
|
||||||
|
|
||||||
# END OF PATCH APPLICATIONS
|
# END OF PATCH APPLICATIONS
|
||||||
|
|
||||||
%endif
|
%endif
|
||||||
@ -2237,6 +2244,9 @@ fi
|
|||||||
# ||----w |
|
# ||----w |
|
||||||
# || ||
|
# || ||
|
||||||
%changelog
|
%changelog
|
||||||
|
* Wed Aug 21 2013 Josh Boyer <jwboyer@fedoraproject.org>
|
||||||
|
- CVE-2013-0343 handling of IPv6 temporary addresses (rhbz 914664 999380)
|
||||||
|
|
||||||
* Tue Aug 20 2013 Josh Boyer <jwboyer@fedoraproject.org> - 3.11.0-0.rc6.git1.1
|
* Tue Aug 20 2013 Josh Boyer <jwboyer@fedoraproject.org> - 3.11.0-0.rc6.git1.1
|
||||||
- Linux v3.11-rc6-28-gfd3930f
|
- Linux v3.11-rc6-28-gfd3930f
|
||||||
- Reenable debugging options.
|
- Reenable debugging options.
|
||||||
|
Loading…
Reference in New Issue
Block a user