[kernel/f18] CVE-2013-4125 ipv6: BUG_ON in fib6_add_rt2node() (rhbz 984664)
Dave Jones
davej at fedoraproject.org
Fri Jul 19 16:37:05 UTC 2013
commit 2667cae3eaee3595a06a0305d230bbb9822d79db
Author: Dave Jones <davej at redhat.com>
Date: Fri Jul 19 12:36:41 2013 -0400
CVE-2013-4125 ipv6: BUG_ON in fib6_add_rt2node() (rhbz 984664)
cve-2013-4125.patch | 79 +++++++++++++++++++++++++++++++++++++++++++++++++++
kernel.spec | 7 ++++
2 files changed, 86 insertions(+), 0 deletions(-)
---
diff --git a/cve-2013-4125.patch b/cve-2013-4125.patch
new file mode 100644
index 0000000..25b7eca
--- /dev/null
+++ b/cve-2013-4125.patch
@@ -0,0 +1,79 @@
+From 307f2fb95e9b96b3577916e73d92e104f8f26494 Mon Sep 17 00:00:00 2001
+From: Hannes Frederic Sowa <hannes at stressinduktion.org>
+Date: Fri, 12 Jul 2013 21:46:33 +0000
+Subject: ipv6: only static routes qualify for equal cost multipathing
+
+Static routes in this case are non-expiring routes which did not get
+configured by autoconf or by icmpv6 redirects.
+
+To make sure we actually get an ecmp route while searching for the first
+one in this fib6_node's leafs, also make sure it matches the ecmp route
+assumptions.
+
+v2:
+a) Removed RTF_EXPIRE check in dst.from chain. The check of RTF_ADDRCONF
+ already ensures that this route, even if added again without
+ RTF_EXPIRES (in case of a RA announcement with infinite timeout),
+ does not cause the rt6i_nsiblings logic to go wrong if a later RA
+ updates the expiration time later.
+
+v3:
+a) Allow RTF_EXPIRES routes to enter the ecmp route set. We have to do so,
+ because an pmtu event could update the RTF_EXPIRES flag and we would
+ not count this route, if another route joins this set. We now filter
+ only for RTF_GATEWAY|RTF_ADDRCONF|RTF_DYNAMIC, which are flags that
+ don't get changed after rt6_info construction.
+
+Cc: Nicolas Dichtel <nicolas.dichtel at 6wind.com>
+Signed-off-by: Hannes Frederic Sowa <hannes at stressinduktion.org>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+diff --git a/net/ipv6/ip6_fib.c b/net/ipv6/ip6_fib.c
+index 192dd1a..5fc9c7a 100644
+--- a/net/ipv6/ip6_fib.c
++++ b/net/ipv6/ip6_fib.c
+@@ -632,6 +632,12 @@ insert_above:
+ return ln;
+ }
+
++static inline bool rt6_qualify_for_ecmp(struct rt6_info *rt)
++{
++ return (rt->rt6i_flags & (RTF_GATEWAY|RTF_ADDRCONF|RTF_DYNAMIC)) ==
++ RTF_GATEWAY;
++}
++
+ /*
+ * Insert routing information in a node.
+ */
+@@ -646,6 +652,7 @@ static int fib6_add_rt2node(struct fib6_node *fn, struct rt6_info *rt,
+ int add = (!info->nlh ||
+ (info->nlh->nlmsg_flags & NLM_F_CREATE));
+ int found = 0;
++ bool rt_can_ecmp = rt6_qualify_for_ecmp(rt);
+
+ ins = &fn->leaf;
+
+@@ -691,9 +698,8 @@ static int fib6_add_rt2node(struct fib6_node *fn, struct rt6_info *rt,
+ * To avoid long list, we only had siblings if the
+ * route have a gateway.
+ */
+- if (rt->rt6i_flags & RTF_GATEWAY &&
+- !(rt->rt6i_flags & RTF_EXPIRES) &&
+- !(iter->rt6i_flags & RTF_EXPIRES))
++ if (rt_can_ecmp &&
++ rt6_qualify_for_ecmp(iter))
+ rt->rt6i_nsiblings++;
+ }
+
+@@ -715,7 +721,8 @@ static int fib6_add_rt2node(struct fib6_node *fn, struct rt6_info *rt,
+ /* Find the first route that have the same metric */
+ sibling = fn->leaf;
+ while (sibling) {
+- if (sibling->rt6i_metric == rt->rt6i_metric) {
++ if (sibling->rt6i_metric == rt->rt6i_metric &&
++ rt6_qualify_for_ecmp(sibling)) {
+ list_add_tail(&rt->rt6i_siblings,
+ &sibling->rt6i_siblings);
+ break;
+--
+cgit v0.9.2
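Review bot: the comment kept as context in the hunk at -691 ("To avoid long list, we only had siblings if the route have a gateway") no longer describes the condition under it, which now goes through rt6_qualify_for_ecmp() and also rejects routes carrying RTF_ADDRCONF or RTF_DYNAMIC; it should be updated in the same change. The first paragraph of the commit message has the same drift: it still defines static routes as "non-expiring", while the v3 note says RTF_EXPIRES routes are allowed into the ecmp set, so one of the two should be reworded. The helper only reads rt->rt6i_flags and could take a const struct rt6_info *.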
diff --git a/kernel.spec b/kernel.spec
index 2f6e1f6..37bd684 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -805,6 +805,8 @@ Patch25064: iwlwifi-dvm-dont-send-BT_CONFIG-on-devices-wo-Bluetooth.patch
#rhbz 976837
Patch25065: fix-ext4-overflows.patch
+Patch26000: cve-2013-4125.patch
+
# END OF PATCH DEFINITIONS
%endif
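Review bot: Patch26000 is added without the bug-reference comment its neighbour carries (the entry above has "#rhbz 976837"). Adding "#rhbz 984664" above this line, and above the matching ApplyPatch line in the next hunk, would let the patch be traced to the bug from the spec alone. The patch number also jumps from 25065 to 26000; if that starts a new range, a one-line comment saying what the range is for would help.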
@@ -1547,6 +1549,8 @@ ApplyPatch iwlwifi-dvm-dont-send-BT_CONFIG-on-devices-wo-Bluetooth.patch
#rhbz 976837
ApplyPatch fix-ext4-overflows.patch
+ApplyPatch cve-2013-4125.patch
+
# END OF PATCH APPLICATIONS
%endif
@@ -2392,6 +2396,9 @@ fi
# ||----w |
# || ||
%changelog
+* Fri Jul 19 2013 Dave Jones <davej at redhat.com>
+- CVE-2013-4125 ipv6: BUG_ON in fib6_add_rt2node() (rhbz 984664)
+
* Sat Jul 13 2013 Josh Boyer <jwboyer at redhat.com> - 3.9.10-200
- Linux v3.9.10
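Review bot: the new %changelog entry carries no version-release suffix, unlike the entry below it ("- 3.9.10-200"), and none of the three kernel.spec hunks touches a release number. Please confirm the release is bumped for this build so that a package containing the CVE-2013-4125 fix can be told apart from 3.9.10-200 by its version string.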