From: Ding Tianhong <dingtianhong@huawei.com>
To: "David S. Miller" <davem@davemloft.net>,
Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>,
James Morris <jmorris@namei.org>,
Hideaki YOSHIFUJI <yoshfuji@linux-ipv6.org>,
Patrick McHardy <kaber@trash.net>,
Jon Maloy <jon.maloy@ericsson.com>,
Eric Dumazet <edumazet@google.com>,
Netdev <netdev@vger.kernel.org>, <kargig@void.gr>,
<ppandit@redhat.com>
Subject: Re: [PATCH 1/3 v4] ipv6: do not disable temp_address when reaching max_address
Date: Thu, 15 Aug 2013 10:16:51 +0800 [thread overview]
Message-ID: <520C3A13.3060106@huawei.com> (raw)
In-Reply-To: <20130815012457.GD13066@order.stressinduktion.org>
On 2013/8/15 9:24, Hannes Frederic Sowa wrote:
> On Thu, Aug 15, 2013 at 08:43:06AM +0800, Ding Tianhong wrote:
>> On 2013/8/14 18:15, Hannes Frederic Sowa wrote:
>>> On Wed, Aug 14, 2013 at 05:06:54PM +0800, Ding Tianhong wrote:
>>>> A LAN user can remotely disable temporary address which may lead
>>>> to privacy violatins and information disclosure.
>>>>
>>>> The reason is that the linux kernel uses the 'ipv6.max_addresses'
>>>> option to specify how many ipv6 addresses and interface may have.
>>>> The 'ipv6.regen_max_retry' (default value 3) option specifies
>>>> how many times the kernel will try to create a new address.
>>>>
>>>> But the kernel is not distinguish between the event of reaching
>>>> max_addresses for an interface and failing to generate a new address.
>>>> the kernel disable the temporary address after regenerate a new
>>>> address 'regen_max_retry' times.
>>>>
>>>> According RFC4941 3.3.7:
>>>>
>>>> ---------------------------------------
>>>>
>>>> If DAD indicates the address is already in use,
>>>> the node must generate a new randomized interface
>>>> identifier as described in section 3.2 above, and
>>>> repeat the previous steps as appropriate up to
>>>> TEMP_IDGEN_RETRIES times.
>>>>
>>>> If after TEMP_IDGEN_RETRIES consecutive attempts no
>>>> non-unique address was generated, the node must log
>>>> a system error and must not attempt to generate
>>>> temporary address for that interface.
>>>>
>>>> ------------------------------------------
>>>>
>>>> RFC4941 3.3.7 specifies that disabling the temp_address must happen
>>>> upon the address is already in use, not reach the max_address,
>>>> So we have to check the return err and distinguish the correct retry path.
>>>>
>>>> This fixes CVE-2013-0343
>>>
>>> I don't think this patch fixes CVE-2013-0343.
>>>
>>>>
>>>> Signed-off-by: Ding Tianhong <dingtianhong@huawei.com>
>>>> Tested-by: Wang Weidong <wangweidong1@huawei.com>
>>>> Cc: David S. Miller <davem@davemloft.net>
>>>> Cc: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
>>>> Cc: Eric Dumazet <edumazet@google.com>
>>>> ---
>>>> net/ipv6/addrconf.c | 26 ++++++++++++++++++++++----
>>>> 1 file changed, 22 insertions(+), 4 deletions(-)
>>>>
>>>> diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
>>>> index da4241c..7b55464 100644
>>>> --- a/net/ipv6/addrconf.c
>>>> +++ b/net/ipv6/addrconf.c
>>>> @@ -1134,10 +1134,28 @@ retry:
>>>> if (IS_ERR_OR_NULL(ift)) {
>>>> in6_ifa_put(ifp);
>>>> in6_dev_put(idev);
>>>> - pr_info("%s: retry temporary address regeneration\n", __func__);
>>>> - tmpaddr = &addr;
>>>> - write_lock(&idev->lock);
>>>> - goto retry;
>>>> +
>>>> + /* According RFC4941 3.3.7:
>>>> + * If DAD indicates the address is already in use,
>>>> + * the node must generate a new randomized interface
>>>> + * identifier as described in section 3.2 above, and
>>>> + * repeat the previous steps as appropriate up to
>>>> + * TEMP_IDGEN_RETRIES times.
>>>> + * If after TEMP_IDGEN_RETRIES consecutive attempts no
>>>> + * non-unique address was generated, the node must log
>>>> + * a system error and must not attempt to generate
>>>> + * temporary address for that interface.
>>>> + * So we have to check the return err and distinguish
>>>> + * the correct retry path.
>>>> + */
>>>> + if (PTR_ERR(ift) == -EEXIST) {
>>>
>>> -EEXIST is not the same as "ipv6 address is is already used on the
>>> subnet". I really don't see the point here. IMHO this breaks the intended
>>> regeneration logic.
>>>
>>> I fear a fix of CVE-2013-0343 will be a bit more complicated. ;) I give it a
>>> thought.
>>>
>>> Greetings,
>>>
>>> Hannes
>>>
>>>
>> ok, thanks for your feedback, I'll waiting you for more information to fix the problem.:)
>
> [added George Kargiotakis and P J P to Cc and full quote]
>
> I wonder if the easiest solution would be to just drop the max_addresses
> limit from ipv6_create_tempaddr. max_addresses protects the kernel from
> installing an unlimited amount of addresses on an interface which gets flooded
> by RAs. Because we have a direct relation between interface address to temp
> address, I don't see that we would create the possiblity of DoS.
>
> Sure, an audit and testing is needed.
>
> Greetings,
>
> Hannes
>
I am afraid that if remove the max limit from the ipv6_create_tempaddr, the tool flood_route26 attack will create huge address to the temp_list, it will be a huge list,
may it destroy something or not?
Best regards
Ding Tianhong
> --
> To unsubscribe from this list: send the line "unsubscribe netdev" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
>
> .
>
next prev parent reply other threads:[~2013-08-15 2:17 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-08-14 9:06 [PATCH 1/3 v4] ipv6: do not disable temp_address when reaching max_address Ding Tianhong
2013-08-14 10:15 ` Hannes Frederic Sowa
2013-08-15 0:43 ` Ding Tianhong
2013-08-15 1:24 ` Hannes Frederic Sowa
2013-08-15 2:16 ` Ding Tianhong [this message]
2013-08-15 17:36 ` Hannes Frederic Sowa
2013-08-15 19:07 ` Hannes Frederic Sowa
2013-08-16 0:48 ` Ding Tianhong
2013-08-16 11:07 ` Hannes Frederic Sowa
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=520C3A13.3060106@huawei.com \
--to=dingtianhong@huawei.com \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=jmorris@namei.org \
--cc=jon.maloy@ericsson.com \
--cc=kaber@trash.net \
--cc=kargig@void.gr \
--cc=kuznet@ms2.inr.ac.ru \
--cc=netdev@vger.kernel.org \
--cc=ppandit@redhat.com \
--cc=yoshfuji@linux-ipv6.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.