Bug 206270
| Summary: | CVE-2006-4997 IP over ATM clip_mkip dereference freed pointer | ||||||
|---|---|---|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 3 | Reporter: | Marcel Holtmann <holtmann> | ||||
| Component: | kernel | Assignee: | Thomas Graf <tgraf> | ||||
| Status: | CLOSED ERRATA | QA Contact: | Brian Brock <bbrock> | ||||
| Severity: | medium | Docs Contact: | |||||
| Priority: | medium | ||||||
| Version: | 3.0 | CC: | lwang, petrides, rkhan, security-response-team | ||||
| Target Milestone: | --- | Keywords: | Security | ||||
| Target Release: | --- | ||||||
| Hardware: | All | ||||||
| OS: | Linux | ||||||
| Whiteboard: | impact=moderate,reported=20060912,source=lkml,public=20060912 | ||||||
| Fixed In Version: | RHSA-2006-0710 | Doc Type: | Bug Fix | ||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2006-10-19 12:46:07 UTC | Type: | --- | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Attachments: |
|
||||||
Created attachment 137572 [details]
proposed patch
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux maintenance release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux Update release for currently deployed products. This request is not yet committed for inclusion in an Update release. QE ack for U9. A fix for this problem has just been committed to the RHEL3 U9 patch pool this evening (in kernel version 2.4.21-47.2.EL). A fix for this problem has also been committed to the RHEL3 E9 patch pool this evening (in kernel version 2.4.21-47.0.1.EL). An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2006-0710.html |
Reported by ADLab, Venustech info Ltd CHINA: There is a vulnerability in function clip_mkip() in net/atm/clip.c. When re-processing received data, a struct sk_buff pointer skb may be dereferenced after a free operation. It will lead to a kernel panic and denying further service. clip_mkip (clip.c): 502 while ((skb = skb_dequeue(©)) != NULL) 503 if (!clip_devs) { 504 atm_return(vcc,skb->truesize); 505 kfree_skb(skb); 506 } 507 else { 508 unsigned int len = skb->len; 509 510 clip_push(vcc,skb); 511 PRIV(skb->dev)->stats.rx_packets--; 512 PRIV(skb->dev)->stats.rx_bytes -= len; 513 } At line 511, PRIV(skb->dev) reference skb->dev; but after call clip_push at line 510, skb may be freed. clip_push (clip.c): 198 static void clip_push(struct atm_vcc *vcc,struct sk_buff *skb) 199 { ...... 234 memset(ATM_SKB(skb), 0, sizeof(struct atm_skb_data)); 235 netif_rx(skb); 236 } netif_rx (dev.c): 1392 int netif_rx(struct sk_buff *skb) 1393 { ...... 1428 kfree_skb(skb); //drop skb 1429 return NET_RX_DROP; 1430 } In netif_rx(), skb may be dropped during processing for congestion control or by the protocol layers; the return value NET_RX_DROP is used to identify skb pointer arg is dropped(freed).