From 2667cae3eaee3595a06a0305d230bbb9822d79db Mon Sep 17 00:00:00 2001
From: Dave Jones
Date: Jul 19 2013 16:36:41 +0000
Subject: CVE-2013-4125 ipv6: BUG_ON in fib6_add_rt2node() (rhbz 984664)
---
diff --git a/cve-2013-4125.patch b/cve-2013-4125.patch
new file mode 100644
index 0000000..25b7eca
--- /dev/null
+++ b/cve-2013-4125.patch
@@ -0,0 +1,79 @@
+From 307f2fb95e9b96b3577916e73d92e104f8f26494 Mon Sep 17 00:00:00 2001
+From: Hannes Frederic Sowa
+Date: Fri, 12 Jul 2013 21:46:33 +0000
+Subject: ipv6: only static routes qualify for equal cost multipathing
+
+Static routes in this case are non-expiring routes which did not get
+configured by autoconf or by icmpv6 redirects.
+
+To make sure we actually get an ecmp route while searching for the first
+one in this fib6_node's leafs, also make sure it matches the ecmp route
+assumptions.
+
+v2:
+a) Removed RTF_EXPIRE check in dst.from chain. The check of RTF_ADDRCONF
+ already ensures that this route, even if added again without
+ RTF_EXPIRES (in case of a RA announcement with infinite timeout),
+ does not cause the rt6i_nsiblings logic to go wrong if a later RA
+ updates the expiration time later.
+
+v3:
+a) Allow RTF_EXPIRES routes to enter the ecmp route set. We have to do so,
+ because an pmtu event could update the RTF_EXPIRES flag and we would
+ not count this route, if another route joins this set. We now filter
+ only for RTF_GATEWAY|RTF_ADDRCONF|RTF_DYNAMIC, which are flags that
+ don't get changed after rt6_info construction.
+
+Cc: Nicolas Dichtel
+Signed-off-by: Hannes Frederic Sowa
+Signed-off-by: David S. Miller
+---
+diff --git a/net/ipv6/ip6_fib.c b/net/ipv6/ip6_fib.c
+index 192dd1a..5fc9c7a 100644
+--- a/net/ipv6/ip6_fib.c
++++ b/net/ipv6/ip6_fib.c
+@@ -632,6 +632,12 @@ insert_above:
+ return ln;
+ }
+
++static inline bool rt6_qualify_for_ecmp(struct rt6_info *rt)
++{
++ return (rt->rt6i_flags & (RTF_GATEWAY|RTF_ADDRCONF|RTF_DYNAMIC)) ==
++ RTF_GATEWAY;
++}
++
+ /*
+ * Insert routing information in a node.
+ */
+@@ -646,6 +652,7 @@ static int fib6_add_rt2node(struct fib6_node *fn, struct rt6_info *rt,
+ int add = (!info->nlh ||
+ (info->nlh->nlmsg_flags & NLM_F_CREATE));
+ int found = 0;
++ bool rt_can_ecmp = rt6_qualify_for_ecmp(rt);
+
+ ins = &fn->leaf;
+
+@@ -691,9 +698,8 @@ static int fib6_add_rt2node(struct fib6_node *fn, struct rt6_info *rt,
+ * To avoid long list, we only had siblings if the
+ * route have a gateway.
+ */
+- if (rt->rt6i_flags & RTF_GATEWAY &&
+- !(rt->rt6i_flags & RTF_EXPIRES) &&
+- !(iter->rt6i_flags & RTF_EXPIRES))
++ if (rt_can_ecmp &&
++ rt6_qualify_for_ecmp(iter))
+ rt->rt6i_nsiblings++;
+ }
+
+@@ -715,7 +721,8 @@ static int fib6_add_rt2node(struct fib6_node *fn, struct rt6_info *rt,
+ /* Find the first route that have the same metric */
+ sibling = fn->leaf;
+ while (sibling) {
+- if (sibling->rt6i_metric == rt->rt6i_metric) {
++ if (sibling->rt6i_metric == rt->rt6i_metric &&
++ rt6_qualify_for_ecmp(sibling)) {
+ list_add_tail(&rt->rt6i_siblings,
+ &sibling->rt6i_siblings);
+ break;
+--
+cgit v0.9.2
diff --git a/kernel.spec b/kernel.spec
index 2f6e1f6..37bd684 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -805,6 +805,8 @@ Patch25064: iwlwifi-dvm-dont-send-BT_CONFIG-on-devices-wo-Bluetooth.patch #rhbz 976837 Patch25065: fix-ext4-overflows.patch +Patch26000: cve-2013-4125.patch + # END OF PATCH DEFINITIONS %endif
@@ -1547,6 +1549,8 @@ ApplyPatch iwlwifi-dvm-dont-send-BT_CONFIG-on-devices-wo-Bluetooth.patch #rhbz 976837 ApplyPatch fix-ext4-overflows.patch +ApplyPatch cve-2013-4125.patch + # END OF PATCH APPLICATIONS %endif
@@ -2392,6 +2396,9 @@ fi # ||----w | # || || %changelog +* Fri Jul 19 2013 Dave Jones +- CVE-2013-4125 ipv6: BUG_ON in fib6_add_rt2node() (rhbz 984664) + * Sat Jul 13 2013 Josh Boyer - 3.9.10-200 - Linux v3.9.10
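Review bot: The new helper `rt6_qualify_for_ecmp()` in the packaged ip6_fib.c change carries no comment. The existing comment above the sibling count ("we only had siblings if the route have a gateway") also no longer matches the condition, which now excludes RTF_ADDRCONF and RTF_DYNAMIC routes as well. The reason given in the commit message belongs next to the code, for example `/* ECMP siblings: gateway routes not set up by autoconf or redirects; only flags that never change after rt6_info construction are tested. */`. Both the rt6i_nsiblings count and the sibling-list insertion in fib6_add_rt2node() now depend on this one predicate, so the comment should say the two must stay in agreement; the function body starts and ends outside the hunks shown. The parameter could be `const struct rt6_info *rt`, since the helper only reads rt6i_flags.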
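Review bot: The added `Patch26000: cve-2013-4125.patch` line has no tracking comment above it, while the neighbouring entry is preceded by `#rhbz 976837`; the same applies to the `ApplyPatch cve-2013-4125.patch` line in the second kernel.spec hunk. Adding `#CVE-2013-4125 rhbz 984664` above both lines would let someone auditing the spec map the patch to its advisory without opening the changelog. This matters more than usual here, because the Subject line inside the patch file ("only static routes qualify for equal cost multipathing") mentions neither the CVE nor the BUG_ON.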