[kernel] r18074 - in dists/squeeze/linux-2.6/debian: . patches/bugfix/all patches/series

Ben Hutchings benh at alioth.debian.org
Sun Sep 11 18:20:10 UTC 2011


Author: benh
Date: Sun Sep 11 18:20:09 2011
New Revision: 18074

Log:
ipv6: make fragment identifications less predictable (CVE-2011-2699)

Added:
   dists/squeeze/linux-2.6/debian/patches/bugfix/all/ipv6-make-fragment-identifications-less-predictable.patch
Modified:
   dists/squeeze/linux-2.6/debian/changelog
   dists/squeeze/linux-2.6/debian/patches/series/36

Modified: dists/squeeze/linux-2.6/debian/changelog
==============================================================================
--- dists/squeeze/linux-2.6/debian/changelog	Sat Sep 10 21:22:48 2011	(r18073)
+++ dists/squeeze/linux-2.6/debian/changelog	Sun Sep 11 18:20:09 2011	(r18074)
@@ -91,6 +91,7 @@
     - e1000e,igb,igbvf,ixgbe: Fix IPv6 GSO type checks
     - ipv6: Add GSO support on forwarding path
   * devpts: correctly check d_alloc_name() return code (Closes: #640650)
+  * ipv6: make fragment identifications less predictable (CVE-2011-2699)
 
  -- maximilian attems <maks at debian.org>  Sat, 25 Jun 2011 10:22:27 +0200
 

Added: dists/squeeze/linux-2.6/debian/patches/bugfix/all/ipv6-make-fragment-identifications-less-predictable.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze/linux-2.6/debian/patches/bugfix/all/ipv6-make-fragment-identifications-less-predictable.patch	Sun Sep 11 18:20:09 2011	(r18074)
@@ -0,0 +1,184 @@
+From f25dd717c713e1132ebf010ca4893f81281bb65c Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <eric.dumazet at gmail.com>
+Date: Mon, 8 Aug 2011 23:44:00 -0700
+Subject: [PATCH] ipv6: make fragment identifications less predictable
+
+[ Backport of upstream commit 87c48fa3b4630905f98268dde838ee43626a060c ]
+
+Fernando Gont reported current IPv6 fragment identification generation
+was not secure, because using a very predictable system-wide generator,
+allowing various attacks.
+
+IPv4 uses inetpeer cache to address this problem and to get good
+performance. We'll use this mechanism when IPv6 inetpeer is stable
+enough in linux-3.1
+
+For the time being, we use jhash on destination address to provide less
+predictable identifications. Also remove a spinlock and use cmpxchg() to
+get better SMP performance.
+
+Reported-by: Fernando Gont <fernando at gont.com.ar>
+Signed-off-by: Eric Dumazet <eric.dumazet at gmail.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+[bwh: Backport further to 2.6.32]
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ include/net/ipv6.h      |   12 +-----------
+ include/net/transp_v6.h |    2 ++
+ net/ipv6/af_inet6.c     |    2 ++
+ net/ipv6/ip6_output.c   |   40 +++++++++++++++++++++++++++++++++++-----
+ net/ipv6/udp.c          |    2 +-
+ 5 files changed, 41 insertions(+), 17 deletions(-)
+
+diff --git a/include/net/ipv6.h b/include/net/ipv6.h
+index 639bbf0..52d86da 100644
+--- a/include/net/ipv6.h
++++ b/include/net/ipv6.h
+@@ -449,17 +449,7 @@ static inline int ipv6_addr_diff(const struct in6_addr *a1, const struct in6_add
+ 	return __ipv6_addr_diff(a1, a2, sizeof(struct in6_addr));
+ }
+ 
+-static __inline__ void ipv6_select_ident(struct frag_hdr *fhdr)
+-{
+-	static u32 ipv6_fragmentation_id = 1;
+-	static DEFINE_SPINLOCK(ip6_id_lock);
+-
+-	spin_lock_bh(&ip6_id_lock);
+-	fhdr->identification = htonl(ipv6_fragmentation_id);
+-	if (++ipv6_fragmentation_id == 0)
+-		ipv6_fragmentation_id = 1;
+-	spin_unlock_bh(&ip6_id_lock);
+-}
++extern void ipv6_select_ident(struct frag_hdr *fhdr, struct rt6_info *rt);
+ 
+ /*
+  *	Prototypes exported by ipv6
+diff --git a/include/net/transp_v6.h b/include/net/transp_v6.h
+index d65381c..8beefe1 100644
+--- a/include/net/transp_v6.h
++++ b/include/net/transp_v6.h
+@@ -16,6 +16,8 @@ extern struct proto tcpv6_prot;
+ 
+ struct flowi;
+ 
++extern void initialize_hashidentrnd(void);
++
+ /* extention headers */
+ extern int				ipv6_exthdrs_init(void);
+ extern void				ipv6_exthdrs_exit(void);
+diff --git a/net/ipv6/af_inet6.c b/net/ipv6/af_inet6.c
+index e127a32..835590d 100644
+--- a/net/ipv6/af_inet6.c
++++ b/net/ipv6/af_inet6.c
+@@ -1073,6 +1073,8 @@ static int __init inet6_init(void)
+ 		goto out;
+ 	}
+ 
++	initialize_hashidentrnd();
++
+ 	err = proto_register(&tcpv6_prot, 1);
+ 	if (err)
+ 		goto out;
+diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
+index eca3ef7..43c31f9 100644
+--- a/net/ipv6/ip6_output.c
++++ b/net/ipv6/ip6_output.c
+@@ -604,6 +604,35 @@ int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr)
+ 	return offset;
+ }
+ 
++static u32 hashidentrnd __read_mostly;
++#define FID_HASH_SZ 16
++static u32 ipv6_fragmentation_id[FID_HASH_SZ];
++
++void __init initialize_hashidentrnd(void)
++{
++	get_random_bytes(&hashidentrnd, sizeof(hashidentrnd));
++}
++
++static u32 __ipv6_select_ident(const struct in6_addr *addr)
++{
++	u32 newid, oldid, hash = jhash2((u32 *)addr, 4, hashidentrnd);
++	u32 *pid = &ipv6_fragmentation_id[hash % FID_HASH_SZ];
++
++	do {
++		oldid = *pid;
++		newid = oldid + 1;
++		if (!(hash + newid))
++			newid++;
++	} while (cmpxchg(pid, oldid, newid) != oldid);
++
++	return hash + newid;
++}
++
++void ipv6_select_ident(struct frag_hdr *fhdr, struct rt6_info *rt)
++{
++	fhdr->identification = htonl(__ipv6_select_ident(&rt->rt6i_dst.addr));
++}
++
+ static int ip6_fragment(struct sk_buff *skb, int (*output)(struct sk_buff *))
+ {
+ 	struct sk_buff *frag;
+@@ -689,7 +718,7 @@ static int ip6_fragment(struct sk_buff *skb, int (*output)(struct sk_buff *))
+ 		skb_reset_network_header(skb);
+ 		memcpy(skb_network_header(skb), tmp_hdr, hlen);
+ 
+-		ipv6_select_ident(fh);
++		ipv6_select_ident(fh, rt);
+ 		fh->nexthdr = nexthdr;
+ 		fh->reserved = 0;
+ 		fh->frag_off = htons(IP6_MF);
+@@ -835,7 +864,7 @@ slow_path:
+ 		fh->nexthdr = nexthdr;
+ 		fh->reserved = 0;
+ 		if (!frag_id) {
+-			ipv6_select_ident(fh);
++			ipv6_select_ident(fh, rt);
+ 			frag_id = fh->identification;
+ 		} else
+ 			fh->identification = frag_id;
+@@ -1039,7 +1068,8 @@ static inline int ip6_ufo_append_data(struct sock *sk,
+ 			int getfrag(void *from, char *to, int offset, int len,
+ 			int odd, struct sk_buff *skb),
+ 			void *from, int length, int hh_len, int fragheaderlen,
+-			int transhdrlen, int mtu,unsigned int flags)
++			int transhdrlen, int mtu,unsigned int flags,
++			struct rt6_info *rt)
+ 
+ {
+ 	struct sk_buff *skb;
+@@ -1084,7 +1114,7 @@ static inline int ip6_ufo_append_data(struct sock *sk,
+ 		skb_shinfo(skb)->gso_size = (mtu - fragheaderlen -
+ 					     sizeof(struct frag_hdr)) & ~7;
+ 		skb_shinfo(skb)->gso_type = SKB_GSO_UDP;
+-		ipv6_select_ident(&fhdr);
++		ipv6_select_ident(&fhdr, rt);
+ 		skb_shinfo(skb)->ip6_frag_id = fhdr.identification;
+ 		__skb_queue_tail(&sk->sk_write_queue, skb);
+ 
+@@ -1233,7 +1263,7 @@ int ip6_append_data(struct sock *sk, int getfrag(void *from, char *to,
+ 
+ 		err = ip6_ufo_append_data(sk, getfrag, from, length, hh_len,
+ 					  fragheaderlen, transhdrlen, mtu,
+-					  flags);
++					  flags, rt);
+ 		if (err)
+ 			goto error;
+ 		return 0;
+diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c
+index 154dd6b..f5ff5d3 100644
+--- a/net/ipv6/udp.c
++++ b/net/ipv6/udp.c
+@@ -1167,7 +1167,7 @@ static struct sk_buff *udp6_ufo_fragment(struct sk_buff *skb, int features)
+ 	fptr = (struct frag_hdr *)(skb_network_header(skb) + unfrag_ip6hlen);
+ 	fptr->nexthdr = nexthdr;
+ 	fptr->reserved = 0;
+-	ipv6_select_ident(fptr);
++	ipv6_select_ident(fptr, (struct rt6_info *)skb_dst(skb));
+ 
+ 	/* Fragment the skb. ipv6 header and the remaining fields of the
+ 	 * fragment header are updated in ipv6_gso_segment()
+-- 
+1.7.5.4
+
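Review bot: In `__ipv6_select_ident`, `jhash2((u32 *)addr, 4, hashidentrnd)` casts the `const struct in6_addr *` parameter to a non-const pointer and silently drops the qualifier; since jhash2 takes a const key pointer, `jhash2((const u32 *)addr, 4, hashidentrnd)` keeps the function's own const contract honest. The `if (!(hash + newid)) newid++;` step carries no explanation, and a one-liner such as `/* never emit an identification of 0 */` would save the next reader from re-deriving it. `initialize_hashidentrnd` likewise deserves a comment stating that it must run before any IPv6 fragment is built, since `hashidentrnd` is otherwise read unseeded (presumably as zero, which would make the per-destination offset deterministic) — the single call site in `inet6_init` is visible, but the ordering guarantee is not documented. The `rt` variable passed in the `ip6_fragment` hunks is declared outside the visible context, so its scope in the 2.6.32 version of that function is not verifiable here and is worth confirming.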

Modified: dists/squeeze/linux-2.6/debian/patches/series/36
==============================================================================
--- dists/squeeze/linux-2.6/debian/patches/series/36	Sat Sep 10 21:22:48 2011	(r18073)
+++ dists/squeeze/linux-2.6/debian/patches/series/36	Sun Sep 11 18:20:09 2011	(r18074)
@@ -686,3 +686,4 @@
 + bugfix/all/sched-work-around-sched_group-cpu_power-0.patch
 + bugfix/x86/revert-x86-hotplug-Use-mwait-to-offline-a-processor-.patch
 + bugfix/all/fs-devpts-inode.c-correctly-check-d_alloc_name-retur.patch
++ bugfix/all/ipv6-make-fragment-identifications-less-predictable.patch


