[linux] 01/02: ipv6: addrconf: validate new MTU before applying it (CVE-2015-0272)

debian-kernel at lists.debian.org debian-kernel at lists.debian.org
Wed Sep 9 20:20:28 UTC 2015 

This is an automated email from the git hooks/post-receive script.

benh pushed a commit to branch wheezy-security
in repository linux.

commit df1d5e50a6e07a9dc366ef1aab2084951236bc00
Author: Ben Hutchings <ben at decadent.org.uk>
Date:   Wed Sep 9 21:11:21 2015 +0100

    ipv6: addrconf: validate new MTU before applying it (CVE-2015-0272)
---
 debian/changelog                                   |  6 +++
 ...rconf-validate-new-MTU-before-applying-it.patch | 61 ++++++++++++++++++++++
 debian/patches/series                              |  1 +
 3 files changed, 68 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 72c1b38..f9a2c6d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+linux (3.2.68-1+deb7u4) UNRELEASED; urgency=medium
+
+  * ipv6: addrconf: validate new MTU before applying it (CVE-2015-0272)
+
+ -- Ben Hutchings <ben at decadent.org.uk>  Fri, 07 Aug 2015 19:47:24 +0100
+
 linux (3.2.68-1+deb7u3) wheezy-security; urgency=medium
 
   * udp: fix behavior of wrong checksums (CVE-2015-5364, CVE-2015-5366)
diff --git a/debian/patches/bugfix/all/ipv6-addrconf-validate-new-MTU-before-applying-it.patch b/debian/patches/bugfix/all/ipv6-addrconf-validate-new-MTU-before-applying-it.patch
new file mode 100644
index 0000000..11609b4
--- /dev/null
+++ b/debian/patches/bugfix/all/ipv6-addrconf-validate-new-MTU-before-applying-it.patch
@@ -0,0 +1,61 @@
+From: Marcelo Leitner <mleitner at redhat.com>
+Date: Mon, 23 Feb 2015 11:17:13 -0300
+Subject: ipv6: addrconf: validate new MTU before applying it
+Origin: https://git.kernel.org/linus/77751427a1ff25b27d47a4c36b12c3c8667855ac
+
+Currently we don't check if the new MTU is valid or not and this allows
+one to configure a smaller than minimum allowed by RFCs or even bigger
+than interface own MTU, which is a problem as it may lead to packet
+drops.
+
+If you have a daemon like NetworkManager running, this may be exploited
+by remote attackers by forging RA packets with an invalid MTU, possibly
+leading to a DoS. (NetworkManager currently only validates for values
+too small, but not for too big ones.)
+
+The fix is just to make sure the new value is valid. That is, between
+IPV6_MIN_MTU and interface's MTU.
+
+Note that similar check is already performed at
+ndisc_router_discovery(), for when kernel itself parses the RA.
+
+Signed-off-by: Marcelo Ricardo Leitner <mleitner at redhat.com>
+Signed-off-by: Sabrina Dubroca <sd at queasysnail.net>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+ net/ipv6/addrconf.c | 17 ++++++++++++++++-
+ 1 file changed, 16 insertions(+), 1 deletion(-)
+
+--- a/net/ipv6/addrconf.c
++++ b/net/ipv6/addrconf.c
+@@ -4321,6 +4321,21 @@ int addrconf_sysctl_forward(ctl_table *c
+ 	return ret;
+ }
+ 
++static
++int addrconf_sysctl_mtu(struct ctl_table *ctl, int write,
++			void __user *buffer, size_t *lenp, loff_t *ppos)
++{
++	struct inet6_dev *idev = ctl->extra1;
++	int min_mtu = IPV6_MIN_MTU;
++	struct ctl_table lctl;
++
++	lctl = *ctl;
++	lctl.extra1 = &min_mtu;
++	lctl.extra2 = idev ? &idev->dev->mtu : NULL;
++
++	return proc_dointvec_minmax(&lctl, write, buffer, lenp, ppos);
++}
++
+ static void dev_disable_change(struct inet6_dev *idev)
+ {
+ 	if (!idev || !idev->dev)
+@@ -4421,7 +4436,7 @@ static struct addrconf_sysctl_table
+ 			.data		= &ipv6_devconf.mtu6,
+ 			.maxlen		= sizeof(int),
+ 			.mode		= 0644,
+-			.proc_handler	= proc_dointvec,
++			.proc_handler	= addrconf_sysctl_mtu,
+ 		},
+ 		{
+ 			.procname	= "accept_ra",
diff --git a/debian/patches/series b/debian/patches/series
index 76968dd..01cef26 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1175,3 +1175,4 @@ bugfix/all/sctp-fix-asconf-list-handling.patch
 bugfix/x86/x86-bpf_jit-fix-compilation-of-large-bpf-programs.patch
 bugfix/all/sg_start_req-make-sure-that-there-s-not-too-many-ele.patch
 bugfix/all/md-use-kzalloc-when-bitmap-is-disabled.patch
+bugfix/all/ipv6-addrconf-validate-new-MTU-before-applying-it.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git

More information about the Kernel-svn-changes mailing list