Date: Wed, 28 Nov 2012 09:08:20 +0100
From: Sebastian Krahmer <krahmer@...e.de>
To: oss-security@...ts.openwall.com
Subject: Re: CVE-2012-5532 hypervkvpd DoS

Hi,

Indeed. CVE-2012-2669 was actually a fix from us, but it turns out
that it was too strict. Exiting makes indeed no sense. :/

Sebastian

On Tue, Nov 27, 2012 at 02:32:22PM -0700, Vincent Danen wrote:
> * [2012-11-27 11:55:35 -0700] Vincent Danen wrote:
>
>> * [2012-11-27 11:21:03 -0700] Vincent Danen wrote:
>>
>>> Just a heads-up on a flaw that was found:
>>>
>>> Florian Weimer of the Red Hat Product Security Team discovered that hypervkvpd
>>> would exit when it processed a spoofed Netlink packet that had been sent from
>>> an untrusted local user, in the following code:
>>>
>>>       len = recvfrom(fd, kvp_recv_buffer, sizeof(kvp_recv_buffer), 0,
>>>               addr_p, &addr_l);
>>>
>>>       if (len < 0 || addr.nl_pid) {
>>>           syslog(LOG_ERR, "recvfrom failed; pid:%u error:%d %s",
>>>                   addr.nl_pid, errno, strerror(errno));
>>>           close(fd);
>>>           return -1;
>>>       }
>>>
>>> This has been corrected upstream already.
>>>
>>> References:
>>>
>>> https://git.kernel.org/?p=linux/kernel/git/gregkh/char-misc.git;a=commit;h=95a69adab9acfc3981c504737a2b6578e4d846ef
>>> https://bugzilla.redhat.com/show_bug.cgi?id=877572
>>
>> Ooops.  This is a bit embarrassing.
>>
>> This is actually CVE-2012-2669.  Please reject CVE-2012-5532 as a
>> duplicate of CVE-2012-2669.
>>
>> Thanks.
>
> Wow, ok, this is a little convoluted.  These actually are not the same
> thing.
>
> The old fix is here (so this would be CVE-2012-2669):
>
> https://git.kernel.org/?p=linux/kernel/git/gregkh/char-misc.git;a=blobdiff;f=tools/hv/hv_kvp_daemon.c;h=d9834b36294373f88d29731350ccc9d384b41788;hp=146fd6147e84be5cde2a66009f331f1b6ee2b805;hb=bcc2c9c3fff859e0eb019fe6fec26f9b8eba795c;hpb=cfaf025112d3856637ff34a767ef785ef5cf2ca9
>
> This, however, while detecting the spoofed netlink packet would still
> cause the daemon to exit.  I'm not sure whether or not it actually fixed
> anything.
>
> This fix:
>
> https://git.kernel.org/?p=linux/kernel/git/gregkh/char-misc.git;a=blobdiff;f=tools/hv/hv_kvp_daemon.c;h=c1d910243d49abe6012595d50227648873994ed8;hp=13c2a142331defeb539e40b9fe4d942f66c3aa4a;hb=95a69adab9acfc3981c504737a2b6578e4d846ef;hpb=aeba4a06f28fad11b1e61d150bd3cde3008b80c8
>
> fixes the previous commit so that now the daemon no longer exits on
> these bad packets.  This would be CVE-2012-5532.
>
> So CVE-2012-2669 is for "failing to check origin of netlink messages"
> and CVE-2012-5532 is for the "exiting upon receipt of spoofed netlink
> messages" (or something to that effect anyways).
>
> My apologies for the noise.
>
> -- 
> Vincent Danen / Red Hat Security Response Team 

-- 

~ perl self.pl
~ $_='print"\$_=\47$_\47;eval"';eval
~ krahmer@...e.de - SuSE Security Team
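As an added illustration (my own code, not hv_kvp_daemon's and not either of
the kernel commits linked above), the two classifiers below separate the two
CVEs the thread distinguishes. kvp_classify_rx_strict mirrors the quoted check:
an error or a non-kernel sender both make the daemon close its socket and
return -1, which is the exit-on-spoofed-packet behaviour of CVE-2012-5532.
kvp_classify_rx keeps the origin check from CVE-2012-2669 but treats a datagram
from a non-zero nl_pid as something to drop and log, not a reason to stop
serving; kvp_serve is a receive loop built on it. Function names, the enum, the
handle callback and the choice of errno values treated as transient are all my
assumptions, not taken from the upstream fix.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <linux/netlink.h>
#include <unistd.h>

/* Outcome of one recvfrom() on the daemon's netlink socket (hypothetical names). */
enum kvp_rx_action {
    KVP_RX_PROCESS, /* sender is the kernel (nl_pid == 0): handle the message  */
    KVP_RX_DISCARD, /* spoofed sender or transient error: drop it, keep serving */
    KVP_RX_FATAL    /* socket unusable: close it and let the caller exit        */
};

/* Mirror of the check quoted in the thread: any error or any non-kernel
 * sender makes the daemon give up.  One unicast netlink datagram from an
 * unprivileged local user is therefore enough to stop the service. */
enum kvp_rx_action kvp_classify_rx_strict(ssize_t len, uint32_t sender_pid, int err)
{
    (void)err;
    if (len < 0 || sender_pid != 0)
        return KVP_RX_FATAL;
    return KVP_RX_PROCESS;
}

/* Hardened classification (assumed, not upstream's code): the origin check
 * stays, but a non-kernel sender only costs that one datagram.  Only an error
 * that means the socket itself is gone ends the loop; EINTR, EAGAIN and
 * ENOBUFS (kernel dropped messages) are treated as transient. */
enum kvp_rx_action kvp_classify_rx(ssize_t len, uint32_t sender_pid, int err)
{
    if (len < 0)
        return (err == EINTR || err == EAGAIN || err == ENOBUFS)
                   ? KVP_RX_DISCARD : KVP_RX_FATAL;
    if (sender_pid != 0)
        return KVP_RX_DISCARD;
    return KVP_RX_PROCESS;
}

/* Receive loop on the hardened classifier.  `handle` is a hypothetical
 * callback for genuine kernel messages.  Returns -1 only when the socket is
 * unusable, never because of a spoofed datagram. */
int kvp_serve(int fd, int (*handle)(const char *msg, size_t len))
{
    char buf[4096];
    struct sockaddr_nl addr;

    for (;;) {
        socklen_t addr_l = sizeof(addr);
        memset(&addr, 0, sizeof(addr));
        ssize_t len = recvfrom(fd, buf, sizeof(buf), 0,
                               (struct sockaddr *)&addr, &addr_l);
        int err = errno; /* only meaningful when len < 0 */

        switch (kvp_classify_rx(len, addr.nl_pid, err)) {
        case KVP_RX_PROCESS:
            if (handle(buf, (size_t)len) < 0)
                syslog(LOG_WARNING, "kvp: handler rejected kernel message");
            break;
        case KVP_RX_DISCARD:
            if (len < 0)
                syslog(LOG_WARNING, "kvp: transient recvfrom error: %s",
                       strerror(err));
            else
                syslog(LOG_WARNING, "kvp: dropping message from untrusted pid:%u",
                       addr.nl_pid);
            break;
        case KVP_RX_FATAL:
            syslog(LOG_ERR, "kvp: recvfrom failed: %s", strerror(err));
            close(fd);
            return -1;
        }
    }
}
```

The sender's nl_pid in the sockaddr_nl that recvfrom fills in is written by the
kernel from the sending socket's port id, and a userspace netlink socket is
never assigned port id 0, so the nl_pid != 0 test is a sound origin check; the
only thing that was wrong with the quoted code is what it did once the check
fired.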
