lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Wed, 14 Aug 2013 17:06:54 +0800 From: Ding Tianhong <dingtianhong@...wei.com> To: "David S. Miller" <davem@...emloft.net>, Alexey Kuznetsov <kuznet@....inr.ac.ru>, James Morris <jmorris@...ei.org>, Hideaki YOSHIFUJI <yoshfuji@...ux-ipv6.org>, Patrick McHardy <kaber@...sh.net>, Jon Maloy <jon.maloy@...csson.com>, Eric Dumazet <edumazet@...gle.com>, Netdev <netdev@...r.kernel.org> Subject: [PATCH 1/3 v4] ipv6: do not disable temp_address when reaching max_address A LAN user can remotely disable temporary address which may lead to privacy violatins and information disclosure. The reason is that the linux kernel uses the 'ipv6.max_addresses' option to specify how many ipv6 addresses and interface may have. The 'ipv6.regen_max_retry' (default value 3) option specifies how many times the kernel will try to create a new address. But the kernel is not distinguish between the event of reaching max_addresses for an interface and failing to generate a new address. the kernel disable the temporary address after regenerate a new address 'regen_max_retry' times. According RFC4941 3.3.7: --------------------------------------- If DAD indicates the address is already in use, the node must generate a new randomized interface identifier as described in section 3.2 above, and repeat the previous steps as appropriate up to TEMP_IDGEN_RETRIES times. If after TEMP_IDGEN_RETRIES consecutive attempts no non-unique address was generated, the node must log a system error and must not attempt to generate temporary address for that interface. ------------------------------------------ RFC4941 3.3.7 specifies that disabling the temp_address must happen upon the address is already in use, not reach the max_address, So we have to check the return err and distinguish the correct retry path. This fixes CVE-2013-0343 Signed-off-by: Ding Tianhong <dingtianhong@...wei.com> Tested-by: Wang Weidong <wangweidong1@...wei.com> Cc: David S. Miller <davem@...emloft.net> Cc: Sergei Shtylyov <sergei.shtylyov@...entembedded.com> Cc: Eric Dumazet <edumazet@...gle.com> --- net/ipv6/addrconf.c | 26 ++++++++++++++++++++++---- 1 file changed, 22 insertions(+), 4 deletions(-) diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c index da4241c..7b55464 100644 --- a/net/ipv6/addrconf.c +++ b/net/ipv6/addrconf.c @@ -1134,10 +1134,28 @@ retry: if (IS_ERR_OR_NULL(ift)) { in6_ifa_put(ifp); in6_dev_put(idev); - pr_info("%s: retry temporary address regeneration\n", __func__); - tmpaddr = &addr; - write_lock(&idev->lock); - goto retry; + + /* According RFC4941 3.3.7: + * If DAD indicates the address is already in use, + * the node must generate a new randomized interface + * identifier as described in section 3.2 above, and + * repeat the previous steps as appropriate up to + * TEMP_IDGEN_RETRIES times. + * If after TEMP_IDGEN_RETRIES consecutive attempts no + * non-unique address was generated, the node must log + * a system error and must not attempt to generate + * temporary address for that interface. + * So we have to check the return err and distinguish + * the correct retry path. + */ + if (PTR_ERR(ift) == -EEXIST) { + pr_info("%s: retry temporary address regeneration\n", __func__); + tmpaddr = &addr; + write_lock(&idev->lock); + goto retry; + } + /* do not retry if the err code is not -EEXIST */ + goto out; } spin_lock_bh(&ift->lock); -- 1.8.2.1 -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists