Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Tue, 02 Jul 2013 12:34:16 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Marcus Meissner <meissner@...e.de>
Subject: Re: CVE Request: kernel: ipv6: using ipv4 vs ipv6
 structure during routing lookup in sendmsg

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 07/02/2013 03:14 AM, Marcus Meissner wrote:
> Hi,
> 
> Also fresh in the mainline kernel and spotted by trinity:
> 
> commit a963a37d384d71ad43b3e9e79d68d42fbe0901f3 Author: Eric
> Dumazet <edumazet@...gle.com> Date:   Wed Jun 26 04:15:07 2013
> -0700
> 
> ipv6: ip6_sk_dst_check() must not assume ipv6 dst
> 
> It's possible to use AF_INET6 sockets and to connect to an IPv4 
> destination. After this, socket dst cache is a pointer to a
> rtable, not rt6_info.
> 
> ip6_sk_dst_check() should check the socket dst cache is IPv6, or
> else various corruptions/crashes can happen.
> 
> Dave Jones can reproduce immediate crash with trinity -q -l off -n
> -c sendmsg -c connect
> 
> With help from Hannes Frederic Sowa
> 
> Reported-by: Dave Jones <davej@...hat.com> Reported-by: Hannes
> Frederic Sowa <hannes@...essinduktion.org> Signed-off-by: Eric
> Dumazet <edumazet@...gle.com> Acked-by: Hannes Frederic Sowa
> <hannes@...essinduktion.org> Signed-off-by: David S. Miller
> <davem@...emloft.net>
> 
> 
> Can be triggered by non-root users according to Eric, so needs a
> CVE.
> 
> Ciao, Marcus

Confirmed, locks up good. Please use CVE-2013-2232 for this issue.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQIcBAEBAgAGBQJR0x0nAAoJEBYNRVNeJnmTOWoP/35zG1obrsUImHs3e1/GorYy
2sDC8W2fxHMWj0Fhk/V7xw6+um5S5/5e/l3ZqKGWENoilslI51wRY0qrvUr3dzzT
yx5RubpSZQQyq7lD//bynl65JoZ7K+2tOUxpera7DW09vDQjgmpuYjsZJNbgpmLp
rgCkWznBJwLpj83xzTjct0ALoEX9GJ5T1niF42BLEyRCkrCSpAiP4ja2b7cKvX/p
n2W7sNLTkVm+0c8tDDPmvSPJeWEknZEB7iOz+gN2lLNNv6Ji5QdNw0hTc8sPextG
whMMQrhe6ToUFfYvMFqWIZY2Gm39MRtswhcQgra1Bi7+LQ41naRKQ++1GRJba96J
VDz8aE31/GRoWLZKkDfbLHI9AXnGyhsQdLsGq0s3TmyoeahINC6msGyoaYn7mkQ6
XK9W5ejqS/QNzjhy2Q1Rm7x3Qcc2wWSBHZr8qfFtYAMhrEdOwupxC+BLHvJ4XxO3
jVqe6hQtzVc72wIM8ais1iJP8c1rAtM4ELl5jgrGsgV8XsRAnYYGtEqPUQ9Lawte
IMg8yxlOBifGKT92IZvcoC1gyG527Z4+2uoNd26ajeXiCsIwzZ9/pbv3rCSdq81n
15Gr7tuRH0I9LT8/EfI5Xjm6JYDiEGe+zQMZXt+fww8Kn9xTprp2M6DOrZIo13O4
FtHIDJKazPNatsXRacq0
=6I6r
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.