Date: Tue, 27 Nov 2012 14:32:22 -0700
From: Vincent Danen <vdanen@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE-2012-5532 hypervkvpd DoS

* [2012-11-27 11:55:35 -0700] Vincent Danen wrote:

>* [2012-11-27 11:21:03 -0700] Vincent Danen wrote:
>
>>Just a heads-up on a flaw that was found:
>>
>>Florian Weimer of the Red Hat Product Security Team discovered that hypervkvpd
>>would exit when it processed a spoofed Netlink packet that had been sent from
>>an untrusted local user, in the following code:
>>
>>       len = recvfrom(fd, kvp_recv_buffer, sizeof(kvp_recv_buffer), 0,
>>               addr_p, &addr_l);
>>
>>       if (len < 0 || addr.nl_pid) {
>>           syslog(LOG_ERR, "recvfrom failed; pid:%u error:%d %s",
>>                   addr.nl_pid, errno, strerror(errno));
>>           close(fd);
>>           return -1;
>>       }
>>
>>This has been corrected upstream already.
>>
>>References:
>>
>>https://git.kernel.org/?p=linux/kernel/git/gregkh/char-misc.git;a=commit;h=95a69adab9acfc3981c504737a2b6578e4d846ef
>>https://bugzilla.redhat.com/show_bug.cgi?id=877572
>
>Oops.  This is a bit embarrassing.
>
>This is actually CVE-2012-2669.  Please reject CVE-2012-5532 as a
>duplicate of CVE-2012-2669.
>
>Thanks.

Wow, ok, this is a little convoluted.  These actually are not the same
thing.

The old fix is here (so this would be CVE-2012-2669):

https://git.kernel.org/?p=linux/kernel/git/gregkh/char-misc.git;a=blobdiff;f=tools/hv/hv_kvp_daemon.c;h=d9834b36294373f88d29731350ccc9d384b41788;hp=146fd6147e84be5cde2a66009f331f1b6ee2b805;hb=bcc2c9c3fff859e0eb019fe6fec26f9b8eba795c;hpb=cfaf025112d3856637ff34a767ef785ef5cf2ca9

This, however, while detecting the spoofed netlink packet, would still
cause the daemon to exit.  I'm not sure whether or not it actually fixed
anything.

This fix:

https://git.kernel.org/?p=linux/kernel/git/gregkh/char-misc.git;a=blobdiff;f=tools/hv/hv_kvp_daemon.c;h=c1d910243d49abe6012595d50227648873994ed8;hp=13c2a142331defeb539e40b9fe4d942f66c3aa4a;hb=95a69adab9acfc3981c504737a2b6578e4d846ef;hpb=aeba4a06f28fad11b1e61d150bd3cde3008b80c8

fixes the previous commit so that now the daemon no longer exits on
these bad packets.  This would be CVE-2012-5532.

So CVE-2012-2669 is for "failing to check origin of netlink messages"
and CVE-2012-5532 is for the "exiting upon receipt of spoofed netlink
messages" (or something to that effect anyway).

My apologies for the noise.

-- 
Vincent Danen / Red Hat Security Response Team 
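The distinction drawn in the message above (a daemon that checks the netlink sender but still exits, versus one that drops the spoofed message and carries on) as an added example. This is not code from hv_kvp_daemon.c and not from either upstream commit; it models the two receive-loop behaviours with a pluggable policy and drives them with constructed traffic, so it runs without a real NETLINK_CONNECTOR socket. The names kvp_action, vulnerable_policy, hardened_policy, run_loop, simulate and demo_traffic are this example's own, and the nl_pid value 4242 for the spoofing process is made up.

```c
/*
 * Added example for this thread, not code from hv_kvp_daemon.c: it models
 * the two behaviours discussed (exiting on a spoofed netlink message vs.
 * dropping it) with a pluggable policy driven by constructed traffic, so
 * it runs without a real NETLINK_CONNECTOR socket.  kvp_action,
 * vulnerable_policy, hardened_policy, run_loop, simulate and demo_traffic
 * are this example's own names.
 */
#include <stdio.h>
#include <sys/types.h>   /* ssize_t */

enum kvp_action { KVP_PROCESS, KVP_DROP, KVP_EXIT };

/* What recvfrom() reports per message: its length (or -1 on error) and
 * the sender's nl_pid from sockaddr_nl.  The kernel sends with nl_pid 0;
 * an unprivileged local process sending over its own netlink socket has
 * a non-zero nl_pid. */
struct nl_recv {
    ssize_t len;
    unsigned int nl_pid;
};

/* Pre-fix behaviour as quoted in the thread: a socket error and a
 * message from a non-kernel sender are handled the same way, and both
 * take the daemon down. */
enum kvp_action vulnerable_policy(const struct nl_recv *m)
{
    if (m->len < 0 || m->nl_pid != 0)
        return KVP_EXIT;
    return KVP_PROCESS;
}

/* Hardened behaviour: only a real recvfrom() failure is fatal; a message
 * whose sender is not the kernel is skipped (a real daemon would also log
 * it), so a local user cannot stop the daemon with spoofed messages. */
enum kvp_action hardened_policy(const struct nl_recv *m)
{
    if (m->len < 0)
        return KVP_EXIT;
    if (m->nl_pid != 0)
        return KVP_DROP;
    return KVP_PROCESS;
}

struct loop_result {
    int processed;   /* messages accepted as coming from the kernel */
    int dropped;     /* messages rejected because nl_pid != 0 */
    int exited_at;   /* index of the message that ended the loop, or -1 */
};

/* Receive loop with the policy factored out so both variants can be
 * driven by the same traffic. */
struct loop_result run_loop(enum kvp_action (*policy)(const struct nl_recv *),
                            const struct nl_recv *msgs, int n)
{
    struct loop_result r = { 0, 0, -1 };
    int i;

    for (i = 0; i < n; i++) {
        switch (policy(&msgs[i])) {
        case KVP_PROCESS:
            r.processed++;
            break;
        case KVP_DROP:
            r.dropped++;
            break;
        case KVP_EXIT:
            r.exited_at = i;
            return r;
        }
    }
    return r;
}

/* Constructed traffic (not captured data): a genuine kernel message, a
 * spoofed one from a local process with nl_pid 4242, another kernel
 * message, then a real socket error. */
static const struct nl_recv demo_traffic[] = {
    { 64, 0 },
    { 64, 4242 },
    { 64, 0 },
    { -1, 0 },
};
#define DEMO_N ((int)(sizeof(demo_traffic) / sizeof(demo_traffic[0])))

struct loop_result simulate(int hardened)
{
    return run_loop(hardened ? hardened_policy : vulnerable_policy,
                    demo_traffic, DEMO_N);
}

int main(void)
{
    struct loop_result v = simulate(0), h = simulate(1);

    printf("vulnerable: processed=%d dropped=%d exited_at=%d\n",
           v.processed, v.dropped, v.exited_at);
    printf("hardened:   processed=%d dropped=%d exited_at=%d\n",
           h.processed, h.dropped, h.exited_at);
    return 0;
}
```

Run against the constructed traffic, the vulnerable policy processes the first kernel message and then exits at the spoofed one (index 1), so the second kernel message is never seen; the hardened policy drops the spoofed message, processes both kernel messages, and only stops at the genuine socket error (index 3). In the real daemon the sender identity is the `sockaddr_nl` filled in by `recvfrom()`, which is exactly the `addr.nl_pid` test quoted earlier in the thread; the point of the second fix is that a failed sender check must be a per-message drop, not a reason to leave the receive loop.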
