Bug 191698

Summary: CVE-2006-0039 netfilter do_add_counters race
Product: Red Hat Enterprise Linux 4 Reporter: Marcel Holtmann <holtmann>
Component: kernelAssignee: Thomas Graf <tgraf>
Status: CLOSED ERRATA QA Contact: Brian Brock <bbrock>
Severity: low Docs Contact:
Priority: medium    
Version: 4.0CC: jbaron, riel, rkhan, security-response-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: impact=low,source=kernelsec,reported=20060118,embargo=yes,public=20060516
Fixed In Version: RHSA-2006-0689 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2006-10-05 19:17:43 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
Patch from Kirill Korotaev with missing upstream fixes none

Description Marcel Holtmann 2006-05-15 11:22:25 UTC 
Solar Designer found a race condition in do_add_counters(). The beginning of
paddc is supposed to be the same as tmp which was sanity-checked above, but it
might not be the same in reality. In case the integer overflow and/or the race
condition are triggered, paddc->num_counters might not match the allocation size
for paddc. If the check below (t->private->number != paddc->num_counters)
nevertheless passes (perhaps this requires the race condition to be triggered),
IPT_ENTRY_ITERATE() would read kernel memory beyond the allocation size,
potentially leaking sensitive data (e.g., passwords from host system or from
another VPS) via counter increments.
Comment 2 Marcel Holtmann 2006-05-16 09:01:46 UTC 
For IPv4 it has beend fixed upstream with the 32bit netfilters compat patch:

http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=2722971cbe831117686039d5c334f2c0f560be13
Comment 3 Marcel Holtmann 2006-05-16 09:24:01 UTC 
Created attachment 129163 [details]
Patch from Kirill Korotaev with missing upstream fixes
Comment 4 Marcel Holtmann 2006-05-16 09:55:08 UTC 
It is also important to note that CAP_NET_ADMIN is needed to exploit this issue.
Comment 8 Jason Baron 2006-09-26 14:45:20 UTC 
committed in stream E5 build 42.0.3
Comment 9 RHEL Program Management 2006-09-27 22:40:24 UTC 
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.
Comment 11 Jason Baron 2006-09-28 15:49:48 UTC 
committed in stream U5 build 42.14. A test kernel with this patch is available
from http://people.redhat.com/~jbaron/rhel4/
Comment 12 Jay Turner 2006-10-03 13:40:10 UTC 
QE ack for 4.5.
Comment 14 Red Hat Bugzilla 2006-10-05 19:17:43 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2006-0689.html