From ${URL} :

commit a963a37d384d71ad43b3e9e79d68d42fbe0901f3
Author: Eric Dumazet <edumazet@...gle.com>
Date:   Wed Jun 26 04:15:07 2013 -0700

    ipv6: ip6_sk_dst_check() must not assume ipv6 dst

    It's possible to use AF_INET6 sockets and to connect to an IPv4
    destination. After this, socket dst cache is a pointer to a rtable,
    not rt6_info.

    ip6_sk_dst_check() should check the socket dst cache is IPv6, or else
    various corruptions/crashes can happen.

    Dave Jones can reproduce immediate crash with
    trinity -q -l off -n -c sendmsg -c connect

    With help from Hannes Frederic Sowa

    Reported-by: Dave Jones <davej@...hat.com>
    Reported-by: Hannes Frederic Sowa <hannes@...essinduktion.org>
    Signed-off-by: Eric Dumazet <edumazet@...gle.com>
    Acked-by: Hannes Frederic Sowa <hannes@...essinduktion.org>
    Signed-off-by: David S. Miller <davem@...emloft.net>
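Added example, not part of the original report or of the kernel patch: a simplified user-space C model of the check the commit message asks for, where a cached route is only treated as IPv6 after its address family has been verified. The struct layouts, `sock_model`, `sk_dst_check6` and the demo functions are hypothetical names, and keeping the family tag directly in the common header is an assumption of this model.

```c
#include <stddef.h>
#include <stdio.h>
#include <sys/socket.h>            /* AF_INET, AF_INET6 */

/* Illustrative model only: these are NOT the kernel's definitions. */
struct dst_entry { unsigned short family; };                 /* common header */
struct rtable    { struct dst_entry dst; unsigned int gw4; };       /* IPv4 route */
struct rt6_info  { struct dst_entry dst; unsigned char gw6[16]; };  /* IPv6 route */
struct sock_model { struct dst_entry *dst_cache; };          /* socket's cached route */

/* Return the cached route as an IPv6 route only when its tag says it is one.
 * A cached IPv4 route is dropped and NULL is returned, so the caller performs
 * a fresh lookup instead of reading an rtable through an rt6_info pointer. */
struct rt6_info *sk_dst_check6(struct sock_model *sk)
{
    struct dst_entry *dst = sk->dst_cache;

    if (dst == NULL)
        return NULL;
    if (dst->family != AF_INET6) {
        sk->dst_cache = NULL;      /* stale entry of the wrong family */
        return NULL;
    }
    return (struct rt6_info *)dst; /* safe: dst is the first member */
}

/* AF_INET6 socket that was connected to an IPv4 destination (constructed input). */
int demo_ipv4_cached_rejected(void)
{
    struct rtable rt4 = { { AF_INET }, 0x0100007f };
    struct sock_model sk = { &rt4.dst };
    return sk_dst_check6(&sk) == NULL && sk.dst_cache == NULL;
}

/* Same socket model holding a genuine IPv6 route (constructed input). */
int demo_ipv6_cached_accepted(void)
{
    struct rt6_info rt6 = { { AF_INET6 }, { 0 } };
    struct sock_model sk = { &rt6.dst };
    return sk_dst_check6(&sk) == &rt6;
}

int main(void)
{
    printf("IPv4 entry rejected: %d\n", demo_ipv4_cached_rejected());
    printf("IPv6 entry accepted: %d\n", demo_ipv6_cached_accepted());
    return 0;
}
```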
Present in 3.10, not queued for earlier branches; applied patch in genpatches.

------------------------------------------------------------------------
r2430 | tomwij | 2013-07-03 17:23:58 +0200 (Wed, 03 Jul 2013) | 1 line

Applied ipv6 sk_dst check fix against corruption and crashes for bug #475606 to branches 3.0, 3.2, 3.4 and 3.9.
------------------------------------------------------------------------
CVE-2013-2232 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2232): The ip6_sk_dst_check function in net/ipv6/ip6_output.c in the Linux kernel before 3.10 allows local users to cause a denial of service (system crash) by using an AF_INET6 socket for a connection to an IPv4 interface.
In 3.4.55 onward