[v3.0] kernel: net: multiple issues (CVE-2015-1421, CVE-2015-1465)
CVE-2015-1421: sctp: slab corruption from use after free on INIT collisions
The Linux Kernel is prone to a local denial-of-service vulnerability. Local attackers can exploit this issue to cause a denial-of-service condition.
Fixed in 3.14.34. Not sure if 3.10.y is vulnerable.
http://seclists.org/oss-sec/2015/q1/334
http://www.securityfocus.com/bid/72356/references
UPSTREAM:
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=600ddd6825543962fb807884169e57b580dba208
3.14.y:
https://github.com/torvalds/linux/commit/faf1368dedf9cc98ef35c9ec6d2677ff5e98b090
CVE-2015-1465: DoS due to routing packets to too many different dsts/too fast
Fixed in 3.14.34. Not sure if 3.10.y is vulnerable.
Description from the commit message of the upstream fix:
Not caching dst_entries which cause redirects could be exploited by hosts on the same subnet, causing a severe DoS attack. This effect is aggravated since commit f88649721268999 ("ipv4: fix dst race in sk_dst_get()").
Lookups causing redirects will be allocated with DST_NOCACHE set which will force dst_release to free them via RCU. Unfortunately waiting for the RCU grace period just takes too long, we can end up with >1M dst_entries waiting to be released and the system will run OOM. rcuos threads cannot catch up under high softirq load.
Attaching the flag to emit a redirect later on to the specific skb allows us to cache those dst_entries thus reducing the pressure on allocation and deallocation.
This issue was discovered by Marcelo Leitner.
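A monitoring check for the symptom the commit message describes (dst_entries piling up faster than RCU can release them) is added here as an example; it is not code from the kernel fix or from this tracker. It parses /proc/net/stat/rt_cache, whose first column ("entries") is the global IPv4 dst_entries count repeated on every per-CPU line, and flags when that count crosses a threshold. The 1M threshold and the sample data are assumptions constructed for the example.

```python
import re

# Constructed sample of /proc/net/stat/rt_cache: a header line, then one
# line of hex counters per CPU. "entries" is global (same on every line);
# the other columns are per-CPU statistics.
SAMPLE_RT_CACHE = """\
entries  in_hit in_slow_tot in_slow_mc in_no_route in_brd in_martian_dst in_martian_src  out_hit out_slow_tot out_slow_mc  gc_total gc_ignored gc_goal_miss gc_dst_overflow in_hlist_search out_hlist_search
0012a3f0  00000000 0001d2b1 00000000 00000003 00000004 00000000 00000000  00000000 0000c0a8 00000000  00000000 00000000 00000000 00000000 00000000 00000000
0012a3f0  00000000 0001b93c 00000000 00000001 00000002 00000000 00000000  00000000 0000b1f2 00000000  00000000 00000000 00000000 00000000 00000000 00000000
"""

# Assumed alert threshold; the commit message cites >1M entries before OOM.
DEFAULT_THRESHOLD = 1_000_000


def parse_rt_cache(text):
    """Return (entries, rows): the global dst count and one dict per CPU."""
    lines = [l for l in text.splitlines() if l.strip()]
    header = lines[0].split()
    rows = []
    for line in lines[1:]:
        fields = [int(f, 16) for f in re.split(r"\s+", line.strip())]
        if len(fields) != len(header):
            raise ValueError("column count does not match header")
        rows.append(dict(zip(header, fields)))
    if not rows:
        raise ValueError("no per-CPU rows found")
    return rows[0]["entries"], rows


def check_dst_pressure(text, threshold=DEFAULT_THRESHOLD):
    """Summarise dst pressure: entry count, slow-path lookups, alert flag."""
    entries, rows = parse_rt_cache(text)
    # Slow-path lookups are the ones that allocate new dst entries.
    slow = sum(r["in_slow_tot"] + r["out_slow_tot"] for r in rows)
    return {"entries": entries, "slow_path_lookups": slow,
            "alert": entries >= threshold}


def check_live(path="/proc/net/stat/rt_cache", threshold=DEFAULT_THRESHOLD):
    """Run the check against the running kernel (Linux only)."""
    with open(path) as f:
        return check_dst_pressure(f.read(), threshold)


if __name__ == "__main__":
    print(check_dst_pressure(SAMPLE_RT_CACHE))
```

Polling this from a cron job or agent and alerting on a sustained rise in "entries" gives early warning of the condition on hosts that cannot yet take the fixed kernel.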
http://seclists.org/oss-sec/2015/q1/400
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1465
UPSTREAM:
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=df4d92549f23e1c037e83323aff58a21b3de7fe0
3.14.y:
https://github.com/torvalds/linux/commit/ee6db0ad53c9805d31bd1b0b7c9ea901407dfc19
(from redmine: issue id 4037, created on 2015-04-06, closed on 2017-09-05)
- Relations:
- parent #4034