[kernel/f18] CVE-2013-4125 ipv6: BUG_ON in fib6_add_rt2node() (rhbz 984664)

Dave Jones davej at fedoraproject.org
Fri Jul 19 16:37:05 UTC 2013


commit 2667cae3eaee3595a06a0305d230bbb9822d79db
Author: Dave Jones <davej at redhat.com>
Date:   Fri Jul 19 12:36:41 2013 -0400

    CVE-2013-4125  ipv6: BUG_ON in fib6_add_rt2node() (rhbz 984664)

 cve-2013-4125.patch |   79 +++++++++++++++++++++++++++++++++++++++++++++++++++
 kernel.spec         |    7 ++++
 2 files changed, 86 insertions(+), 0 deletions(-)
---
diff --git a/cve-2013-4125.patch b/cve-2013-4125.patch
new file mode 100644
index 0000000..25b7eca
--- /dev/null
+++ b/cve-2013-4125.patch
@@ -0,0 +1,79 @@
+From 307f2fb95e9b96b3577916e73d92e104f8f26494 Mon Sep 17 00:00:00 2001
+From: Hannes Frederic Sowa <hannes at stressinduktion.org>
+Date: Fri, 12 Jul 2013 21:46:33 +0000
+Subject: ipv6: only static routes qualify for equal cost multipathing
+
+Static routes in this case are non-expiring routes which did not get
+configured by autoconf or by icmpv6 redirects.
+
+To make sure we actually get an ecmp route while searching for the first
+one in this fib6_node's leafs, also make sure it matches the ecmp route
+assumptions.
+
+v2:
+a) Removed RTF_EXPIRE check in dst.from chain. The check of RTF_ADDRCONF
+   already ensures that this route, even if added again without
+   RTF_EXPIRES (in case of a RA announcement with infinite timeout),
+   does not cause the rt6i_nsiblings logic to go wrong if a later RA
+   updates the expiration time later.
+
+v3:
+a) Allow RTF_EXPIRES routes to enter the ecmp route set. We have to do so,
+   because an pmtu event could update the RTF_EXPIRES flag and we would
+   not count this route, if another route joins this set. We now filter
+   only for RTF_GATEWAY|RTF_ADDRCONF|RTF_DYNAMIC, which are flags that
+   don't get changed after rt6_info construction.
+
+Cc: Nicolas Dichtel <nicolas.dichtel at 6wind.com>
+Signed-off-by: Hannes Frederic Sowa <hannes at stressinduktion.org>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+diff --git a/net/ipv6/ip6_fib.c b/net/ipv6/ip6_fib.c
+index 192dd1a..5fc9c7a 100644
+--- a/net/ipv6/ip6_fib.c
++++ b/net/ipv6/ip6_fib.c
+@@ -632,6 +632,12 @@ insert_above:
+ 	return ln;
+ }
+ 
++static inline bool rt6_qualify_for_ecmp(struct rt6_info *rt)
++{
++	return (rt->rt6i_flags & (RTF_GATEWAY|RTF_ADDRCONF|RTF_DYNAMIC)) ==
++	       RTF_GATEWAY;
++}
++
+ /*
+  *	Insert routing information in a node.
+  */
+@@ -646,6 +652,7 @@ static int fib6_add_rt2node(struct fib6_node *fn, struct rt6_info *rt,
+ 	int add = (!info->nlh ||
+ 		   (info->nlh->nlmsg_flags & NLM_F_CREATE));
+ 	int found = 0;
++	bool rt_can_ecmp = rt6_qualify_for_ecmp(rt);
+ 
+ 	ins = &fn->leaf;
+ 
+@@ -691,9 +698,8 @@ static int fib6_add_rt2node(struct fib6_node *fn, struct rt6_info *rt,
+ 			 * To avoid long list, we only had siblings if the
+ 			 * route have a gateway.
+ 			 */
+-			if (rt->rt6i_flags & RTF_GATEWAY &&
+-			    !(rt->rt6i_flags & RTF_EXPIRES) &&
+-			    !(iter->rt6i_flags & RTF_EXPIRES))
++			if (rt_can_ecmp &&
++			    rt6_qualify_for_ecmp(iter))
+ 				rt->rt6i_nsiblings++;
+ 		}
+ 
+@@ -715,7 +721,8 @@ static int fib6_add_rt2node(struct fib6_node *fn, struct rt6_info *rt,
+ 		/* Find the first route that have the same metric */
+ 		sibling = fn->leaf;
+ 		while (sibling) {
+-			if (sibling->rt6i_metric == rt->rt6i_metric) {
++			if (sibling->rt6i_metric == rt->rt6i_metric &&
++			    rt6_qualify_for_ecmp(sibling)) {
+ 				list_add_tail(&rt->rt6i_siblings,
+ 					      &sibling->rt6i_siblings);
+ 				break;
+--
+cgit v0.9.2
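Review bot: The new `rt6_qualify_for_ecmp()` in net/ipv6/ip6_fib.c has no comment, and the existing comment above the `rt->rt6i_nsiblings++` test still says siblings are added only "if the route have a gateway", which no longer matches the condition. The fix relies on the counting loop and the later `list_add_tail()` search applying the same predicate, and on that predicate testing only flags that do not change after rt6_info construction, which per the patch description is why RTF_EXPIRES is no longer tested. That reasoning belongs next to the helper, for example `/* ECMP sibling: gateway route that is neither RTF_ADDRCONF nor RTF_DYNAMIC; these flags are fixed at construction, RTF_EXPIRES is deliberately not tested */`, with the stale comment updated to refer to it. The helper only reads its argument, so `const struct rt6_info *rt` would fit. fib6_add_rt2node() starts and ends outside these hunks, and any code elsewhere that adjusts rt6i_nsiblings or walks rt6i_siblings is not visible here, so it is worth confirming that it follows the same qualification rule.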
diff --git a/kernel.spec b/kernel.spec
index 2f6e1f6..37bd684 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -805,6 +805,8 @@ Patch25064: iwlwifi-dvm-dont-send-BT_CONFIG-on-devices-wo-Bluetooth.patch
 #rhbz 976837
 Patch25065: fix-ext4-overflows.patch
 
+Patch26000: cve-2013-4125.patch
+
 # END OF PATCH DEFINITIONS
 
 %endif
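Review bot: `Patch26000: cve-2013-4125.patch` is added without the `#rhbz` comment line that the neighbouring entries carry (for example `#rhbz 976837` above `fix-ext4-overflows.patch`). Adding `#rhbz 984664` above it, and above the `ApplyPatch cve-2013-4125.patch` line in the next hunk, keeps the bug reference next to the patch when the spec is audited later. The patch number also jumps from 25065 to 26000; if that range is meant for CVE fixes, a one-line comment saying so would make the convention visible.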
@@ -1547,6 +1549,8 @@ ApplyPatch iwlwifi-dvm-dont-send-BT_CONFIG-on-devices-wo-Bluetooth.patch
 #rhbz 976837
 ApplyPatch fix-ext4-overflows.patch
 
+ApplyPatch cve-2013-4125.patch
+
 # END OF PATCH APPLICATIONS
 
 %endif
@@ -2392,6 +2396,9 @@ fi
 #                 ||----w |
 #                 ||     ||
 %changelog
+* Fri Jul 19 2013 Dave Jones <davej at redhat.com>
+- CVE-2013-4125  ipv6: BUG_ON in fib6_add_rt2node() (rhbz 984664)
+
 * Sat Jul 13 2013 Josh Boyer <jwboyer at redhat.com> - 3.9.10-200
 - Linux v3.9.10
 

