Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Tue, 02 Jul 2013 12:34:16 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Marcus Meissner <meissner@...e.de>
Subject: Re: CVE Request: kernel: ipv6: using ipv4 vs ipv6
 structure during routing lookup in sendmsg

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 07/02/2013 03:14 AM, Marcus Meissner wrote:
> Hi,
> 
> Also fresh in the mainline kernel and spotted by trinity:
> 
> commit a963a37d384d71ad43b3e9e79d68d42fbe0901f3 Author: Eric
> Dumazet <edumazet@...gle.com> Date:   Wed Jun 26 04:15:07 2013
> -0700
> 
> ipv6: ip6_sk_dst_check() must not assume ipv6 dst
> 
> It's possible to use AF_INET6 sockets and to connect to an IPv4 
> destination. After this, socket dst cache is a pointer to a
> rtable, not rt6_info.
> 
> ip6_sk_dst_check() should check the socket dst cache is IPv6, or
> else various corruptions/crashes can happen.
> 
> Dave Jones can reproduce immediate crash with trinity -q -l off -n
> -c sendmsg -c connect
> 
> With help from Hannes Frederic Sowa
> 
> Reported-by: Dave Jones <davej@...hat.com> Reported-by: Hannes
> Frederic Sowa <hannes@...essinduktion.org> Signed-off-by: Eric
> Dumazet <edumazet@...gle.com> Acked-by: Hannes Frederic Sowa
> <hannes@...essinduktion.org> Signed-off-by: David S. Miller
> <davem@...emloft.net>
> 
> 
> Can be triggered by non-root users according to Eric, so needs a
> CVE.
> 
> Ciao, Marcus

Confirmed, locks up good. Please use CVE-2013-2232 for this issue.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQIcBAEBAgAGBQJR0x0nAAoJEBYNRVNeJnmTOWoP/35zG1obrsUImHs3e1/GorYy
2sDC8W2fxHMWj0Fhk/V7xw6+um5S5/5e/l3ZqKGWENoilslI51wRY0qrvUr3dzzT
yx5RubpSZQQyq7lD//bynl65JoZ7K+2tOUxpera7DW09vDQjgmpuYjsZJNbgpmLp
rgCkWznBJwLpj83xzTjct0ALoEX9GJ5T1niF42BLEyRCkrCSpAiP4ja2b7cKvX/p
n2W7sNLTkVm+0c8tDDPmvSPJeWEknZEB7iOz+gN2lLNNv6Ji5QdNw0hTc8sPextG
whMMQrhe6ToUFfYvMFqWIZY2Gm39MRtswhcQgra1Bi7+LQ41naRKQ++1GRJba96J
VDz8aE31/GRoWLZKkDfbLHI9AXnGyhsQdLsGq0s3TmyoeahINC6msGyoaYn7mkQ6
XK9W5ejqS/QNzjhy2Q1Rm7x3Qcc2wWSBHZr8qfFtYAMhrEdOwupxC+BLHvJ4XxO3
jVqe6hQtzVc72wIM8ais1iJP8c1rAtM4ELl5jgrGsgV8XsRAnYYGtEqPUQ9Lawte
IMg8yxlOBifGKT92IZvcoC1gyG527Z4+2uoNd26ajeXiCsIwzZ9/pbv3rCSdq81n
15Gr7tuRH0I9LT8/EfI5Xjm6JYDiEGe+zQMZXt+fww8Kn9xTprp2M6DOrZIo13O4
FtHIDJKazPNatsXRacq0
=6I6r
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ