[kernel/f20] CVE-2014-2309 ipv6: crash due to router advertisment flooding (rhbz 1074471 1075064)

Josh Boyer jwboyer at fedoraproject.org
Tue Mar 11 13:03:53 UTC 2014 

commit 1dd978d38fda457a595109e85851032e626c0c90
Author: Josh Boyer <jwboyer at redhat.com>
Date:   Tue Mar 11 09:00:52 2014 -0400

    CVE-2014-2309 ipv6: crash due to router advertisment flooding (rhbz 1074471 1075064)

 ...set-DST_NOCOUNT-for-remotely-added-routes.patch |   32 ++++++++++++++++++++
 kernel.spec                                        |    9 +++++
 2 files changed, 41 insertions(+), 0 deletions(-)
---
diff --git a/ipv6-dont-set-DST_NOCOUNT-for-remotely-added-routes.patch b/ipv6-dont-set-DST_NOCOUNT-for-remotely-added-routes.patch
new file mode 100644
index 0000000..9c07c7e
--- /dev/null
+++ b/ipv6-dont-set-DST_NOCOUNT-for-remotely-added-routes.patch
@@ -0,0 +1,32 @@
+Bugzilla: 1074471
+Upstream-status: queued for 3.14
+
+From c88507fbad8055297c1d1e21e599f46960cbee39 Mon Sep 17 00:00:00 2001
+From: Sabrina Dubroca <sd at queasysnail.net>
+Date: Thu, 06 Mar 2014 16:51:57 +0000
+Subject: ipv6: don't set DST_NOCOUNT for remotely added routes
+
+DST_NOCOUNT should only be used if an authorized user adds routes
+locally. In case of routes which are added on behalf of router
+advertisments this flag must not get used as it allows an unlimited
+number of routes getting added remotely.
+
+Signed-off-by: Sabrina Dubroca <sd at queasysnail.net>
+Acked-by: Hannes Frederic Sowa <hannes at stressinduktion.org>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+diff --git a/net/ipv6/route.c b/net/ipv6/route.c
+index 11dac21..fba54a4 100644
+--- a/net/ipv6/route.c
++++ b/net/ipv6/route.c
+@@ -1513,7 +1513,7 @@ int ip6_route_add(struct fib6_config *cfg)
+ 	if (!table)
+ 		goto out;
+ 
+-	rt = ip6_dst_alloc(net, NULL, DST_NOCOUNT, table);
++	rt = ip6_dst_alloc(net, NULL, (cfg->fc_flags & RTF_ADDRCONF) ? 0 : DST_NOCOUNT, table);
+ 
+ 	if (!rt) {
+ 		err = -ENOMEM;
+--
+cgit v0.9.2
diff --git a/kernel.spec b/kernel.spec
index 992ff22..146b975 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -794,6 +794,9 @@ Patch25039: Revert-xhci-1.0-Limit-arbitrarily-aligned-scatter-gather.patch
 #rhbz 1065663
 Patch25040: iwlwifi-dvm-clear-IWL_STA_UCODE_INPROGRESS-when-asso.patch
 
+#CVE-2014-2309 rhbz 1074471 1075064
+Patch25041: ipv6-dont-set-DST_NOCOUNT-for-remotely-added-routes.patch
+
 # END OF PATCH DEFINITIONS
 
 %endif
@@ -1544,6 +1547,9 @@ ApplyPatch Revert-xhci-1.0-Limit-arbitrarily-aligned-scatter-gather.patch
 #rhbz 1065663
 ApplyPatch iwlwifi-dvm-clear-IWL_STA_UCODE_INPROGRESS-when-asso.patch
 
+#CVE-2014-2309 rhbz 1074471 1075064
+ApplyPatch ipv6-dont-set-DST_NOCOUNT-for-remotely-added-routes.patch
+
 # END OF PATCH APPLICATIONS
 
 %endif
@@ -2355,6 +2361,9 @@ fi
 #                 ||----w |
 #                 ||     ||
 %changelog
+* Tue Mar 11 2014 Josh Boyer <jwboyer at fedoraproject.org>
+- CVE-2014-2309 ipv6: crash due to router advertisment flooding (rhbz 1074471 1075064)
+
 * Fri Mar 07 2014 Justin M. Forbes <jforbes at fedoraproject.org> - 3.13.6-200
 - Linux v3.13.6

More information about the scm-commits mailing list