[linux] 01/03: ipv6: addrconf: validate new MTU before applying it (CVE-2015-0272)

debian-kernel at lists.debian.org debian-kernel at lists.debian.org
Wed Sep 9 20:27:26 UTC 2015 

This is an automated email from the git hooks/post-receive script.

benh pushed a commit to branch jessie-security
in repository linux.

commit 4614907289a6aecd62976e57c94dfa2a94bc1843
Author: Ben Hutchings <ben at decadent.org.uk>
Date:   Wed Sep 9 21:21:46 2015 +0100

    ipv6: addrconf: validate new MTU before applying it (CVE-2015-0272)
---
 debian/changelog                                   |  6 +++
 ...rconf-validate-new-MTU-before-applying-it.patch | 61 ++++++++++++++++++++++
 debian/patches/series                              |  1 +
 3 files changed, 68 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 6a6f57f..25101b0 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+linux (3.16.7-ckt11-1+deb8u4) UNRELEASED; urgency=medium
+
+  * ipv6: addrconf: validate new MTU before applying it (CVE-2015-0272)
+
+ -- Ben Hutchings <ben at decadent.org.uk>  Wed, 09 Sep 2015 21:21:36 +0100
+
 linux (3.16.7-ckt11-1+deb8u3) jessie-security; urgency=high
 
   * path_openat(): fix double fput() (CVE-2015-5706)
diff --git a/debian/patches/bugfix/all/ipv6-addrconf-validate-new-MTU-before-applying-it.patch b/debian/patches/bugfix/all/ipv6-addrconf-validate-new-MTU-before-applying-it.patch
new file mode 100644
index 0000000..2c3cd56
--- /dev/null
+++ b/debian/patches/bugfix/all/ipv6-addrconf-validate-new-MTU-before-applying-it.patch
@@ -0,0 +1,61 @@
+From: Marcelo Leitner <mleitner at redhat.com>
+Date: Mon, 23 Feb 2015 11:17:13 -0300
+Subject: ipv6: addrconf: validate new MTU before applying it
+Origin: https://git.kernel.org/linus/77751427a1ff25b27d47a4c36b12c3c8667855ac
+
+Currently we don't check if the new MTU is valid or not and this allows
+one to configure a smaller than minimum allowed by RFCs or even bigger
+than interface own MTU, which is a problem as it may lead to packet
+drops.
+
+If you have a daemon like NetworkManager running, this may be exploited
+by remote attackers by forging RA packets with an invalid MTU, possibly
+leading to a DoS. (NetworkManager currently only validates for values
+too small, but not for too big ones.)
+
+The fix is just to make sure the new value is valid. That is, between
+IPV6_MIN_MTU and interface's MTU.
+
+Note that similar check is already performed at
+ndisc_router_discovery(), for when kernel itself parses the RA.
+
+Signed-off-by: Marcelo Ricardo Leitner <mleitner at redhat.com>
+Signed-off-by: Sabrina Dubroca <sd at queasysnail.net>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+ net/ipv6/addrconf.c | 17 ++++++++++++++++-
+ 1 file changed, 16 insertions(+), 1 deletion(-)
+
+--- a/net/ipv6/addrconf.c
++++ b/net/ipv6/addrconf.c
+@@ -4789,6 +4789,21 @@ int addrconf_sysctl_forward(struct ctl_t
+ 	return ret;
+ }
+ 
++static
++int addrconf_sysctl_mtu(struct ctl_table *ctl, int write,
++			void __user *buffer, size_t *lenp, loff_t *ppos)
++{
++	struct inet6_dev *idev = ctl->extra1;
++	int min_mtu = IPV6_MIN_MTU;
++	struct ctl_table lctl;
++
++	lctl = *ctl;
++	lctl.extra1 = &min_mtu;
++	lctl.extra2 = idev ? &idev->dev->mtu : NULL;
++
++	return proc_dointvec_minmax(&lctl, write, buffer, lenp, ppos);
++}
++
+ static void dev_disable_change(struct inet6_dev *idev)
+ {
+ 	struct netdev_notifier_info info;
+@@ -4940,7 +4955,7 @@ static struct addrconf_sysctl_table
+ 			.data		= &ipv6_devconf.mtu6,
+ 			.maxlen		= sizeof(int),
+ 			.mode		= 0644,
+-			.proc_handler	= proc_dointvec,
++			.proc_handler	= addrconf_sysctl_mtu,
+ 		},
+ 		{
+ 			.procname	= "accept_ra",
diff --git a/debian/patches/series b/debian/patches/series
index 03b4956..2fa70ed 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -640,3 +640,4 @@ bugfix/x86/kvm-x86-fix-kvm_apic_has_events-to-check-for-null-po.patch
 bugfix/x86/x86-bpf_jit-fix-compilation-of-large-bpf-programs.patch
 bugfix/all/sg_start_req-make-sure-that-there-s-not-too-many-ele.patch
 bugfix/all/md-use-kzalloc-when-bitmap-is-disabled.patch
+bugfix/all/ipv6-addrconf-validate-new-MTU-before-applying-it.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git

More information about the Kernel-svn-changes mailing list