oss-security - Re: CVE Request -- kernel: net: slab corruption due to improper synchronization around inet->opt

[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]

Date: Fri, 31 Aug 2012 12:37:58 -0700
From: akuster <akuster@...sta.com>
To: Petr Matousek <pmatouse@...hat.com>
CC: oss-security@...ts.openwall.com
Subject: Re: CVE Request -- kernel: net: slab corruption due
 to improper synchronization around inet->opt


Petr,

Is there a range of affected kernel versions?

Was this issue introduced by 1c32c5ad6fac8cee1a77449f5abf211e911ff830?

- Armin

On 08/31/2012 09:11 AM, Petr Matousek wrote:
> Description of the problem:
> Lack proper synchronization to manipulate inet->opt ip_options can lead
> to system crash.
> 
> Problem is that ip_make_skb() calls ip_setup_cork() and ip_setup_cork()
> possibly makes a copy of ipc->opt (struct ip_options), without any
> protection against another thread manipulating inet->opt. Another thread
> can change inet->opt pointer and free old one under us.
> 
> Given right server application (setting socket options and processing
> traffic over the same socket at the same time), remote attacker could
> use this flaw to crash the system. More likely though, local
> unprivileged user could use this flaw to crash the system.
> 
> Upstream fix:
> http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=f6d8bd051c391c1c0458a30b2a7abcd939329259
> 
> Thanks,
>

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.