From: Ding Tianhong <dingtianhong@huawei.com>
To: "David S. Miller" <davem@davemloft.net>,
Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>,
James Morris <jmorris@namei.org>,
Hideaki YOSHIFUJI <yoshfuji@linux-ipv6.org>,
Patrick McHardy <kaber@trash.net>,
Jon Maloy <jon.maloy@ericsson.com>,
Eric Dumazet <edumazet@google.com>,
Netdev <netdev@vger.kernel.org>
Subject: Re: [PATCH 1/3 v4] ipv6: do not disable temp_address when reaching max_address
Date: Thu, 15 Aug 2013 08:43:06 +0800 [thread overview]
Message-ID: <520C241A.2030708@huawei.com> (raw)
In-Reply-To: <20130814101511.GC16264@order.stressinduktion.org>
On 2013/8/14 18:15, Hannes Frederic Sowa wrote:
> On Wed, Aug 14, 2013 at 05:06:54PM +0800, Ding Tianhong wrote:
>> A LAN user can remotely disable temporary address which may lead
>> to privacy violatins and information disclosure.
>>
>> The reason is that the linux kernel uses the 'ipv6.max_addresses'
>> option to specify how many ipv6 addresses and interface may have.
>> The 'ipv6.regen_max_retry' (default value 3) option specifies
>> how many times the kernel will try to create a new address.
>>
>> But the kernel is not distinguish between the event of reaching
>> max_addresses for an interface and failing to generate a new address.
>> the kernel disable the temporary address after regenerate a new
>> address 'regen_max_retry' times.
>>
>> According RFC4941 3.3.7:
>>
>> ---------------------------------------
>>
>> If DAD indicates the address is already in use,
>> the node must generate a new randomized interface
>> identifier as described in section 3.2 above, and
>> repeat the previous steps as appropriate up to
>> TEMP_IDGEN_RETRIES times.
>>
>> If after TEMP_IDGEN_RETRIES consecutive attempts no
>> non-unique address was generated, the node must log
>> a system error and must not attempt to generate
>> temporary address for that interface.
>>
>> ------------------------------------------
>>
>> RFC4941 3.3.7 specifies that disabling the temp_address must happen
>> upon the address is already in use, not reach the max_address,
>> So we have to check the return err and distinguish the correct retry path.
>>
>> This fixes CVE-2013-0343
>
> I don't think this patch fixes CVE-2013-0343.
>
>>
>> Signed-off-by: Ding Tianhong <dingtianhong@huawei.com>
>> Tested-by: Wang Weidong <wangweidong1@huawei.com>
>> Cc: David S. Miller <davem@davemloft.net>
>> Cc: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
>> Cc: Eric Dumazet <edumazet@google.com>
>> ---
>> net/ipv6/addrconf.c | 26 ++++++++++++++++++++++----
>> 1 file changed, 22 insertions(+), 4 deletions(-)
>>
>> diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
>> index da4241c..7b55464 100644
>> --- a/net/ipv6/addrconf.c
>> +++ b/net/ipv6/addrconf.c
>> @@ -1134,10 +1134,28 @@ retry:
>> if (IS_ERR_OR_NULL(ift)) {
>> in6_ifa_put(ifp);
>> in6_dev_put(idev);
>> - pr_info("%s: retry temporary address regeneration\n", __func__);
>> - tmpaddr = &addr;
>> - write_lock(&idev->lock);
>> - goto retry;
>> +
>> + /* According RFC4941 3.3.7:
>> + * If DAD indicates the address is already in use,
>> + * the node must generate a new randomized interface
>> + * identifier as described in section 3.2 above, and
>> + * repeat the previous steps as appropriate up to
>> + * TEMP_IDGEN_RETRIES times.
>> + * If after TEMP_IDGEN_RETRIES consecutive attempts no
>> + * non-unique address was generated, the node must log
>> + * a system error and must not attempt to generate
>> + * temporary address for that interface.
>> + * So we have to check the return err and distinguish
>> + * the correct retry path.
>> + */
>> + if (PTR_ERR(ift) == -EEXIST) {
>
> -EEXIST is not the same as "ipv6 address is is already used on the
> subnet". I really don't see the point here. IMHO this breaks the intended
> regeneration logic.
>
> I fear a fix of CVE-2013-0343 will be a bit more complicated. ;) I give it a
> thought.
>
> Greetings,
>
> Hannes
>
>
ok, thanks for your feedback, I'll waiting you for more information to fix the problem.:)
> .
>
next prev parent reply other threads:[~2013-08-15 0:43 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-08-14 9:06 [PATCH 1/3 v4] ipv6: do not disable temp_address when reaching max_address Ding Tianhong
2013-08-14 10:15 ` Hannes Frederic Sowa
2013-08-15 0:43 ` Ding Tianhong [this message]
2013-08-15 1:24 ` Hannes Frederic Sowa
2013-08-15 2:16 ` Ding Tianhong
2013-08-15 17:36 ` Hannes Frederic Sowa
2013-08-15 19:07 ` Hannes Frederic Sowa
2013-08-16 0:48 ` Ding Tianhong
2013-08-16 11:07 ` Hannes Frederic Sowa
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=520C241A.2030708@huawei.com \
--to=dingtianhong@huawei.com \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=jmorris@namei.org \
--cc=jon.maloy@ericsson.com \
--cc=kaber@trash.net \
--cc=kuznet@ms2.inr.ac.ru \
--cc=netdev@vger.kernel.org \
--cc=yoshfuji@linux-ipv6.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.