Date: Tue, 4 Jan 2011 15:31:31 -0800
From: Greg KH <greg@...ah.com>
To: oss-security@...ts.openwall.com
Cc: "Steven M. Christey" <coley@...us.mitre.org>
Subject: Re: CVE-2010-4526 kernel: sctp: a race between ICMP
 protocol unreachable and connect()

On Tue, Jan 04, 2011 at 02:33:04PM +0800, Eugene Teo wrote:
> http://git.kernel.org/linus/50b5d6ad63821cea324a5a7a19854d4de1a0a819
> https://bugzilla.redhat.com/CVE-2010-4526
> 
> commit 50b5d6ad63821cea324a5a7a19854d4de1a0a819
> Author: Vlad Yasevich <vladislav.yasevich@...com>
> Date:   Thu May 6 00:56:07 2010 -0700
> 
> sctp: Fix a race between ICMP protocol unreachable and connect()
> 
>     ICMP protocol unreachable handling completely disregarded
>     the fact that the user may have locked the socket.  It proceeded
>     to destroy the association, even though the user may have
>     held the lock and had a ref on the association.
> [...]
>     This was because the sctp_wait_for_connect() would acquire the socket
>     lock and then proceed to release the last reference count on the
>     association, thus causing the full destruction path to finish freeing
>     the socket.
> 
> This affects kernels v2.6.11-rc2 and above.

Not all, it was fixed in the 2.6.34 kernel, which was released back in
May of 2010.

thanks,

greg k-h
