[linux] 01/02: ipv6: addrconf: validate new MTU before applying it (CVE-2015-0272)

debian-kernel at lists.debian.org debian-kernel at lists.debian.org
Wed Sep 9 20:08:53 UTC 2015 

This is an automated email from the git hooks/post-receive script.

benh pushed a commit to branch squeeze-security
in repository linux.

commit e8ccb269e670535b64e5ac5eedd2d616c8aba2f7
Author: Ben Hutchings <ben at decadent.org.uk>
Date:   Wed Sep 9 20:59:56 2015 +0100

    ipv6: addrconf: validate new MTU before applying it (CVE-2015-0272)
---
 debian/changelog                                   |  1 +
 ...rconf-validate-new-MTU-before-applying-it.patch | 62 ++++++++++++++++++++++
 debian/patches/series/48squeeze14                  |  1 +
 3 files changed, 64 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 59ef8e8..5225d9d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -11,6 +11,7 @@ linux-2.6 (2.6.32-48squeeze14) UNRELEASED; urgency=medium
     - Update .gitignore files
     - debian/control: Update Vcs-* fields
     - README.Debian, README.source: Update references to svn
+  * ipv6: addrconf: validate new MTU before applying it (CVE-2015-0272)
 
  -- Ben Hutchings <ben at decadent.org.uk>  Sun, 28 Jun 2015 23:23:19 +0100
 
diff --git a/debian/patches/bugfix/all/ipv6-addrconf-validate-new-MTU-before-applying-it.patch b/debian/patches/bugfix/all/ipv6-addrconf-validate-new-MTU-before-applying-it.patch
new file mode 100644
index 0000000..30902f2
--- /dev/null
+++ b/debian/patches/bugfix/all/ipv6-addrconf-validate-new-MTU-before-applying-it.patch
@@ -0,0 +1,62 @@
+From: Marcelo Leitner <mleitner at redhat.com>
+Date: Mon, 23 Feb 2015 11:17:13 -0300
+Subject: ipv6: addrconf: validate new MTU before applying it
+Origin: https://git.kernel.org/linus/77751427a1ff25b27d47a4c36b12c3c8667855ac
+
+Currently we don't check if the new MTU is valid or not and this allows
+one to configure a smaller than minimum allowed by RFCs or even bigger
+than interface own MTU, which is a problem as it may lead to packet
+drops.
+
+If you have a daemon like NetworkManager running, this may be exploited
+by remote attackers by forging RA packets with an invalid MTU, possibly
+leading to a DoS. (NetworkManager currently only validates for values
+too small, but not for too big ones.)
+
+The fix is just to make sure the new value is valid. That is, between
+IPV6_MIN_MTU and interface's MTU.
+
+Note that similar check is already performed at
+ndisc_router_discovery(), for when kernel itself parses the RA.
+
+Signed-off-by: Marcelo Ricardo Leitner <mleitner at redhat.com>
+Signed-off-by: Sabrina Dubroca <sd at queasysnail.net>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+[bwh: Backported to 2.6.32: adjust context, spacing]
+---
+ net/ipv6/addrconf.c | 17 ++++++++++++++++-
+ 1 file changed, 16 insertions(+), 1 deletion(-)
+
+--- a/net/ipv6/addrconf.c
++++ b/net/ipv6/addrconf.c
+@@ -4046,6 +4046,21 @@ int addrconf_sysctl_forward(struct ctl_table *ctl, int write,
+ 	return addrconf_fixup_forwarding(table, valp, val);
+ }
+ 
++static
++int addrconf_sysctl_mtu(struct ctl_table *ctl, int write,
++			void __user *buffer, size_t *lenp, loff_t *ppos)
++{
++	struct inet6_dev *idev = ctl->extra1;
++	int min_mtu = IPV6_MIN_MTU;
++	struct ctl_table lctl;
++
++	lctl = *ctl;
++	lctl.extra1 = &min_mtu;
++	lctl.extra2 = idev ? &idev->dev->mtu : NULL;
++
++	return proc_dointvec_minmax(&lctl, write, buffer, lenp, ppos);
++}
++
+ static void dev_disable_change(struct inet6_dev *idev)
+ {
+ 	if (!idev || !idev->dev)
+@@ -4152,7 +4167,7 @@ static struct addrconf_sysctl_table
+ 			.data		=	&ipv6_devconf.mtu6,
+ 			.maxlen		=	sizeof(int),
+ 			.mode		=	0644,
+-			.proc_handler	=	proc_dointvec,
++			.proc_handler	=	addrconf_sysctl_mtu,
+ 		},
+ 		{
+ 			.ctl_name	=	NET_IPV6_ACCEPT_RA,
diff --git a/debian/patches/series/48squeeze14 b/debian/patches/series/48squeeze14
index 7d41c2b..2ba4b84 100644
--- a/debian/patches/series/48squeeze14
+++ b/debian/patches/series/48squeeze14
@@ -2,3 +2,4 @@
 + bugfix/all/sg_start_req-make-sure-that-there-s-not-too-many-ele.patch
 + bugfix/all/crypto-testmgr-update-lzo-compression-test-vectors.patch
 + bugfix/all/md-use-kzalloc-when-bitmap-is-disabled.patch
++ bugfix/all/ipv6-addrconf-validate-new-MTU-before-applying-it.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git

More information about the Kernel-svn-changes mailing list