f4a4f324cb
Fixes the following security vulnerabilities: CVE-2017-8890 The inet_csk_clone_lock function in net/ipv4/inet_connection_sock.c in the Linux kernel through 4.10.15 allows attackers to cause a denial of service (double free) or possibly have unspecified other impact by leveraging use of the accept system call. CVE-2017-9074 The IPv6 fragmentation implementation in the Linux kernel through 4.11.1 does not consider that the nexthdr field may be associated with an invalid option, which allows local users to cause a denial of service (out-of-bounds read and BUG) or possibly have unspecified other impact via crafted socket and send system calls. CVE-2017-9075 The sctp_v6_create_accept_sk function in net/sctp/ipv6.c in the Linux kernel through 4.11.1 mishandles inheritance, which allows local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890. CVE-2017-9076 The dccp_v6_request_recv_sock function in net/dccp/ipv6.c in the Linux kernel through 4.11.1 mishandles inheritance, which allows local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890. CVE-2017-9077 The tcp_v6_syn_recv_sock function in net/ipv6/tcp_ipv6.c in the Linux kernel through 4.11.1 mishandles inheritance, which allows local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890. CVE-2017-9242 The __ip6_append_data function in net/ipv6/ip6_output.c in the Linux kernel through 4.11.3 is too late in checking whether an overwrite of an skb data structure may occur, which allows local users to cause a denial of service (system crash) via crafted system calls. Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8890 Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9074 Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9075 Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9076 Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9077 Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9242 Ref: https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.71 Signed-off-by: Jo-Philipp Wich <jo@mein.io>
249 lines
8.3 KiB
Diff
249 lines
8.3 KiB
Diff
From 1b5aaa4b16f6e6471ab1c07b38068197a1b4c395 Mon Sep 17 00:00:00 2001
|
|
From: Jonas Gorski <jogo@openwrt.org>
|
|
Date: Fri, 24 May 2013 14:40:54 +0200
|
|
Subject: [PATCH 1/2] ipv6: allow rejecting with "source address failed policy"
|
|
|
|
RFC6204 L-14 requires rejecting traffic from invalid addresses with
|
|
ICMPv6 Destination Unreachable, Code 5 (Source address failed ingress/
|
|
egress policy) on the LAN side, so add an appropriate rule for that.
|
|
|
|
Signed-off-by: Jonas Gorski <jogo@openwrt.org>
|
|
---
|
|
include/net/netns/ipv6.h | 1 +
|
|
include/uapi/linux/fib_rules.h | 4 +++
|
|
include/uapi/linux/rtnetlink.h | 1 +
|
|
net/ipv4/fib_semantics.c | 4 +++
|
|
net/ipv4/fib_trie.c | 1 +
|
|
net/ipv4/ipmr.c | 1 +
|
|
net/ipv6/fib6_rules.c | 4 +++
|
|
net/ipv6/ip6mr.c | 2 ++
|
|
net/ipv6/route.c | 58 +++++++++++++++++++++++++++++++++++++++++-
|
|
9 files changed, 75 insertions(+), 1 deletion(-)
|
|
|
|
--- a/include/net/netns/ipv6.h
|
|
+++ b/include/net/netns/ipv6.h
|
|
@@ -63,6 +63,7 @@ struct netns_ipv6 {
|
|
unsigned long ip6_rt_last_gc;
|
|
#ifdef CONFIG_IPV6_MULTIPLE_TABLES
|
|
struct rt6_info *ip6_prohibit_entry;
|
|
+ struct rt6_info *ip6_policy_failed_entry;
|
|
struct rt6_info *ip6_blk_hole_entry;
|
|
struct fib6_table *fib6_local_tbl;
|
|
struct fib_rules_ops *fib6_rules_ops;
|
|
--- a/include/uapi/linux/fib_rules.h
|
|
+++ b/include/uapi/linux/fib_rules.h
|
|
@@ -64,6 +64,10 @@ enum {
|
|
FR_ACT_BLACKHOLE, /* Drop without notification */
|
|
FR_ACT_UNREACHABLE, /* Drop with ENETUNREACH */
|
|
FR_ACT_PROHIBIT, /* Drop with EACCES */
|
|
+ FR_ACT_RES9,
|
|
+ FR_ACT_RES10,
|
|
+ FR_ACT_RES11,
|
|
+ FR_ACT_POLICY_FAILED, /* Drop with EACCES */
|
|
__FR_ACT_MAX,
|
|
};
|
|
|
|
--- a/include/uapi/linux/rtnetlink.h
|
|
+++ b/include/uapi/linux/rtnetlink.h
|
|
@@ -210,6 +210,7 @@ enum {
|
|
RTN_THROW, /* Not in this table */
|
|
RTN_NAT, /* Translate this address */
|
|
RTN_XRESOLVE, /* Use external resolver */
|
|
+ RTN_POLICY_FAILED, /* Failed ingress/egress policy */
|
|
__RTN_MAX
|
|
};
|
|
|
|
--- a/net/ipv4/fib_semantics.c
|
|
+++ b/net/ipv4/fib_semantics.c
|
|
@@ -138,6 +138,10 @@ const struct fib_prop fib_props[RTN_MAX
|
|
.error = -EINVAL,
|
|
.scope = RT_SCOPE_NOWHERE,
|
|
},
|
|
+ [RTN_POLICY_FAILED] = {
|
|
+ .error = -EACCES,
|
|
+ .scope = RT_SCOPE_UNIVERSE,
|
|
+ },
|
|
};
|
|
|
|
static void rt_fibinfo_free(struct rtable __rcu **rtp)
|
|
--- a/net/ipv4/fib_trie.c
|
|
+++ b/net/ipv4/fib_trie.c
|
|
@@ -2370,6 +2370,7 @@ static const char *const rtn_type_names[
|
|
[RTN_THROW] = "THROW",
|
|
[RTN_NAT] = "NAT",
|
|
[RTN_XRESOLVE] = "XRESOLVE",
|
|
+ [RTN_POLICY_FAILED] = "POLICY_FAILED",
|
|
};
|
|
|
|
static inline const char *rtn_type(char *buf, size_t len, unsigned int t)
|
|
--- a/net/ipv4/ipmr.c
|
|
+++ b/net/ipv4/ipmr.c
|
|
@@ -182,6 +182,7 @@ static int ipmr_rule_action(struct fib_r
|
|
case FR_ACT_UNREACHABLE:
|
|
return -ENETUNREACH;
|
|
case FR_ACT_PROHIBIT:
|
|
+ case FR_ACT_POLICY_FAILED:
|
|
return -EACCES;
|
|
case FR_ACT_BLACKHOLE:
|
|
default:
|
|
--- a/net/ipv6/fib6_rules.c
|
|
+++ b/net/ipv6/fib6_rules.c
|
|
@@ -84,6 +84,10 @@ static int fib6_rule_action(struct fib_r
|
|
err = -EACCES;
|
|
rt = net->ipv6.ip6_prohibit_entry;
|
|
goto discard_pkt;
|
|
+ case FR_ACT_POLICY_FAILED:
|
|
+ err = -EACCES;
|
|
+ rt = net->ipv6.ip6_policy_failed_entry;
|
|
+ goto discard_pkt;
|
|
}
|
|
|
|
table = fib6_get_table(net, rule->table);
|
|
--- a/net/ipv6/ip6mr.c
|
|
+++ b/net/ipv6/ip6mr.c
|
|
@@ -167,6 +167,8 @@ static int ip6mr_rule_action(struct fib_
|
|
return -ENETUNREACH;
|
|
case FR_ACT_PROHIBIT:
|
|
return -EACCES;
|
|
+ case FR_ACT_POLICY_FAILED:
|
|
+ return -EACCES;
|
|
case FR_ACT_BLACKHOLE:
|
|
default:
|
|
return -EINVAL;
|
|
--- a/net/ipv6/route.c
|
|
+++ b/net/ipv6/route.c
|
|
@@ -90,6 +90,8 @@ static int ip6_pkt_discard(struct sk_bu
|
|
static int ip6_pkt_discard_out(struct net *net, struct sock *sk, struct sk_buff *skb);
|
|
static int ip6_pkt_prohibit(struct sk_buff *skb);
|
|
static int ip6_pkt_prohibit_out(struct net *net, struct sock *sk, struct sk_buff *skb);
|
|
+static int ip6_pkt_policy_failed(struct sk_buff *skb);
|
|
+static int ip6_pkt_policy_failed_out(struct net *net, struct sock *sk, struct sk_buff *skb);
|
|
static void ip6_link_failure(struct sk_buff *skb);
|
|
static void ip6_rt_update_pmtu(struct dst_entry *dst, struct sock *sk,
|
|
struct sk_buff *skb, u32 mtu);
|
|
@@ -297,6 +299,21 @@ static const struct rt6_info ip6_prohibi
|
|
.rt6i_ref = ATOMIC_INIT(1),
|
|
};
|
|
|
|
+static const struct rt6_info ip6_policy_failed_entry_template = {
|
|
+ .dst = {
|
|
+ .__refcnt = ATOMIC_INIT(1),
|
|
+ .__use = 1,
|
|
+ .obsolete = DST_OBSOLETE_FORCE_CHK,
|
|
+ .error = -EACCES,
|
|
+ .input = ip6_pkt_policy_failed,
|
|
+ .output = ip6_pkt_policy_failed_out,
|
|
+ },
|
|
+ .rt6i_flags = (RTF_REJECT | RTF_NONEXTHOP),
|
|
+ .rt6i_protocol = RTPROT_KERNEL,
|
|
+ .rt6i_metric = ~(u32) 0,
|
|
+ .rt6i_ref = ATOMIC_INIT(1),
|
|
+};
|
|
+
|
|
static const struct rt6_info ip6_blk_hole_entry_template = {
|
|
.dst = {
|
|
.__refcnt = ATOMIC_INIT(1),
|
|
@@ -1889,6 +1906,11 @@ static struct rt6_info *ip6_route_info_c
|
|
rt->dst.output = ip6_pkt_prohibit_out;
|
|
rt->dst.input = ip6_pkt_prohibit;
|
|
break;
|
|
+ case RTN_POLICY_FAILED:
|
|
+ rt->dst.error = -EACCES;
|
|
+ rt->dst.output = ip6_pkt_policy_failed_out;
|
|
+ rt->dst.input = ip6_pkt_policy_failed;
|
|
+ break;
|
|
case RTN_THROW:
|
|
case RTN_UNREACHABLE:
|
|
default:
|
|
@@ -2492,6 +2514,17 @@ static int ip6_pkt_prohibit_out(struct n
|
|
return ip6_pkt_drop(skb, ICMPV6_ADM_PROHIBITED, IPSTATS_MIB_OUTNOROUTES);
|
|
}
|
|
|
|
+static int ip6_pkt_policy_failed(struct sk_buff *skb)
|
|
+{
|
|
+ return ip6_pkt_drop(skb, ICMPV6_POLICY_FAIL, IPSTATS_MIB_INNOROUTES);
|
|
+}
|
|
+
|
|
+static int ip6_pkt_policy_failed_out(struct net *net, struct sock *sk, struct sk_buff *skb)
|
|
+{
|
|
+ skb->dev = skb_dst(skb)->dev;
|
|
+ return ip6_pkt_drop(skb, ICMPV6_POLICY_FAIL, IPSTATS_MIB_OUTNOROUTES);
|
|
+}
|
|
+
|
|
/*
|
|
* Allocate a dst for local (unicast / anycast) address.
|
|
*/
|
|
@@ -2734,7 +2767,8 @@ static int rtm_to_fib6_config(struct sk_
|
|
if (rtm->rtm_type == RTN_UNREACHABLE ||
|
|
rtm->rtm_type == RTN_BLACKHOLE ||
|
|
rtm->rtm_type == RTN_PROHIBIT ||
|
|
- rtm->rtm_type == RTN_THROW)
|
|
+ rtm->rtm_type == RTN_THROW ||
|
|
+ rtm->rtm_type == RTN_POLICY_FAILED)
|
|
cfg->fc_flags |= RTF_REJECT;
|
|
|
|
if (rtm->rtm_type == RTN_LOCAL)
|
|
@@ -3093,6 +3127,9 @@ static int rt6_fill_node(struct net *net
|
|
case -EACCES:
|
|
rtm->rtm_type = RTN_PROHIBIT;
|
|
break;
|
|
+ case -EPERM:
|
|
+ rtm->rtm_type = RTN_POLICY_FAILED;
|
|
+ break;
|
|
case -EAGAIN:
|
|
rtm->rtm_type = RTN_THROW;
|
|
break;
|
|
@@ -3372,6 +3409,8 @@ static int ip6_route_dev_notify(struct n
|
|
#ifdef CONFIG_IPV6_MULTIPLE_TABLES
|
|
net->ipv6.ip6_prohibit_entry->dst.dev = dev;
|
|
net->ipv6.ip6_prohibit_entry->rt6i_idev = in6_dev_get(dev);
|
|
+ net->ipv6.ip6_policy_failed_entry->dst.dev = dev;
|
|
+ net->ipv6.ip6_policy_failed_entry->rt6i_idev = in6_dev_get(dev);
|
|
net->ipv6.ip6_blk_hole_entry->dst.dev = dev;
|
|
net->ipv6.ip6_blk_hole_entry->rt6i_idev = in6_dev_get(dev);
|
|
#endif
|
|
@@ -3594,6 +3633,17 @@ static int __net_init ip6_route_net_init
|
|
net->ipv6.ip6_blk_hole_entry->dst.ops = &net->ipv6.ip6_dst_ops;
|
|
dst_init_metrics(&net->ipv6.ip6_blk_hole_entry->dst,
|
|
ip6_template_metrics, true);
|
|
+
|
|
+ net->ipv6.ip6_policy_failed_entry =
|
|
+ kmemdup(&ip6_policy_failed_entry_template,
|
|
+ sizeof(*net->ipv6.ip6_policy_failed_entry), GFP_KERNEL);
|
|
+ if (!net->ipv6.ip6_policy_failed_entry)
|
|
+ goto out_ip6_blk_hole_entry;
|
|
+ net->ipv6.ip6_policy_failed_entry->dst.path =
|
|
+ (struct dst_entry *)net->ipv6.ip6_policy_failed_entry;
|
|
+ net->ipv6.ip6_policy_failed_entry->dst.ops = &net->ipv6.ip6_dst_ops;
|
|
+ dst_init_metrics(&net->ipv6.ip6_policy_failed_entry->dst,
|
|
+ ip6_template_metrics, true);
|
|
#endif
|
|
|
|
net->ipv6.sysctl.flush_delay = 0;
|
|
@@ -3612,6 +3662,8 @@ out:
|
|
return ret;
|
|
|
|
#ifdef CONFIG_IPV6_MULTIPLE_TABLES
|
|
+out_ip6_blk_hole_entry:
|
|
+ kfree(net->ipv6.ip6_blk_hole_entry);
|
|
out_ip6_prohibit_entry:
|
|
kfree(net->ipv6.ip6_prohibit_entry);
|
|
out_ip6_null_entry:
|
|
@@ -3629,6 +3681,7 @@ static void __net_exit ip6_route_net_exi
|
|
#ifdef CONFIG_IPV6_MULTIPLE_TABLES
|
|
kfree(net->ipv6.ip6_prohibit_entry);
|
|
kfree(net->ipv6.ip6_blk_hole_entry);
|
|
+ kfree(net->ipv6.ip6_policy_failed_entry);
|
|
#endif
|
|
dst_entries_destroy(&net->ipv6.ip6_dst_ops);
|
|
}
|
|
@@ -3702,6 +3755,9 @@ void __init ip6_route_init_special_entri
|
|
init_net.ipv6.ip6_prohibit_entry->rt6i_idev = in6_dev_get(init_net.loopback_dev);
|
|
init_net.ipv6.ip6_blk_hole_entry->dst.dev = init_net.loopback_dev;
|
|
init_net.ipv6.ip6_blk_hole_entry->rt6i_idev = in6_dev_get(init_net.loopback_dev);
|
|
+ init_net.ipv6.ip6_policy_failed_entry->dst.dev = init_net.loopback_dev;
|
|
+ init_net.ipv6.ip6_policy_failed_entry->rt6i_idev =
|
|
+ in6_dev_get(init_net.loopback_dev);
|
|
#endif
|
|
}
|
|
|