[linux] 01/02: ipv6: addrconf: validate new MTU before applying it (CVE-2015-0272)
debian-kernel at lists.debian.org
Wed Sep 9 20:08:53 UTC 2015
This is an automated email from the git hooks/post-receive script.
benh pushed a commit to branch squeeze-security
in repository linux.
commit e8ccb269e670535b64e5ac5eedd2d616c8aba2f7
Author: Ben Hutchings <ben at decadent.org.uk>
Date: Wed Sep 9 20:59:56 2015 +0100
ipv6: addrconf: validate new MTU before applying it (CVE-2015-0272)
---
debian/changelog | 1 +
...rconf-validate-new-MTU-before-applying-it.patch | 62 ++++++++++++++++++++++
debian/patches/series/48squeeze14 | 1 +
3 files changed, 64 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index 59ef8e8..5225d9d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -11,6 +11,7 @@ linux-2.6 (2.6.32-48squeeze14) UNRELEASED; urgency=medium
- Update .gitignore files
- debian/control: Update Vcs-* fields
- README.Debian, README.source: Update references to svn
+ * ipv6: addrconf: validate new MTU before applying it (CVE-2015-0272)
-- Ben Hutchings <ben at decadent.org.uk> Sun, 28 Jun 2015 23:23:19 +0100
diff --git a/debian/patches/bugfix/all/ipv6-addrconf-validate-new-MTU-before-applying-it.patch b/debian/patches/bugfix/all/ipv6-addrconf-validate-new-MTU-before-applying-it.patch
new file mode 100644
index 0000000..30902f2
--- /dev/null
+++ b/debian/patches/bugfix/all/ipv6-addrconf-validate-new-MTU-before-applying-it.patch
@@ -0,0 +1,62 @@
+From: Marcelo Leitner <mleitner at redhat.com>
+Date: Mon, 23 Feb 2015 11:17:13 -0300
+Subject: ipv6: addrconf: validate new MTU before applying it
+Origin: https://git.kernel.org/linus/77751427a1ff25b27d47a4c36b12c3c8667855ac
+
+Currently we don't check if the new MTU is valid or not and this allows
+one to configure a smaller than minimum allowed by RFCs or even bigger
+than interface own MTU, which is a problem as it may lead to packet
+drops.
+
+If you have a daemon like NetworkManager running, this may be exploited
+by remote attackers by forging RA packets with an invalid MTU, possibly
+leading to a DoS. (NetworkManager currently only validates for values
+too small, but not for too big ones.)
+
+The fix is just to make sure the new value is valid. That is, between
+IPV6_MIN_MTU and interface's MTU.
+
+Note that similar check is already performed at
+ndisc_router_discovery(), for when kernel itself parses the RA.
+
+Signed-off-by: Marcelo Ricardo Leitner <mleitner at redhat.com>
+Signed-off-by: Sabrina Dubroca <sd at queasysnail.net>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+[bwh: Backported to 2.6.32: adjust context, spacing]
+---
+ net/ipv6/addrconf.c | 17 ++++++++++++++++-
+ 1 file changed, 16 insertions(+), 1 deletion(-)
+
+--- a/net/ipv6/addrconf.c
++++ b/net/ipv6/addrconf.c
+@@ -4046,6 +4046,21 @@ int addrconf_sysctl_forward(struct ctl_table *ctl, int write,
+ return addrconf_fixup_forwarding(table, valp, val);
+ }
+
++static
++int addrconf_sysctl_mtu(struct ctl_table *ctl, int write,
++ void __user *buffer, size_t *lenp, loff_t *ppos)
++{
++ struct inet6_dev *idev = ctl->extra1;
++ int min_mtu = IPV6_MIN_MTU;
++ struct ctl_table lctl;
++
++ lctl = *ctl;
++ lctl.extra1 = &min_mtu;
++ lctl.extra2 = idev ? &idev->dev->mtu : NULL;
++
++ return proc_dointvec_minmax(&lctl, write, buffer, lenp, ppos);
++}
++
+ static void dev_disable_change(struct inet6_dev *idev)
+ {
+ if (!idev || !idev->dev)
+@@ -4152,7 +4167,7 @@ static struct addrconf_sysctl_table
+ .data = &ipv6_devconf.mtu6,
+ .maxlen = sizeof(int),
+ .mode = 0644,
+- .proc_handler = proc_dointvec,
++ .proc_handler = addrconf_sysctl_mtu,
+ },
+ {
+ .ctl_name = NET_IPV6_ACCEPT_RA,
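Review bot: In addrconf_sysctl_mtu(), the line `lctl.extra2 = idev ? &idev->dev->mtu : NULL;` drops the upper bound whenever ctl->extra1 carries no inet6_dev, so any table entry that reaches this handler with a NULL extra1 is checked only against the IPV6_MIN_MTU lower bound. That may be intended, since there is no interface MTU to compare against in that case, but the commit message describes the valid range as between IPV6_MIN_MTU and the interface's MTU and does not mention the exception. A short comment above the extra2 assignment stating when idev is NULL, and that only the minimum is enforced then, would make the behaviour explicit. The function also reads ctl->extra1 as an inet6_dev pointer and then overwrites lctl.extra1 with `&min_mtu` on the local copy; a one-line comment on that dual use of extra1 would help the next reader of the backport.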
diff --git a/debian/patches/series/48squeeze14 b/debian/patches/series/48squeeze14
index 7d41c2b..2ba4b84 100644
--- a/debian/patches/series/48squeeze14
+++ b/debian/patches/series/48squeeze14
@@ -2,3 +2,4 @@
+ bugfix/all/sg_start_req-make-sure-that-there-s-not-too-many-ele.patch
+ bugfix/all/crypto-testmgr-update-lzo-compression-test-vectors.patch
+ bugfix/all/md-use-kzalloc-when-bitmap-is-disabled.patch
++ bugfix/all/ipv6-addrconf-validate-new-MTU-before-applying-it.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git