
Bug 212144

Summary: CVE-2006-6535 unbalanced local_bh_enable() in dev_queue_xmit()
Product: Red Hat Enterprise Linux 4
Reporter: Vasily Averin <vvs>
Component: kernel
Assignee: Neil Horman <nhorman>
Status: CLOSED ERRATA
QA Contact: Brian Brock <bbrock>
Severity: medium
Priority: medium
Version: 4.4
CC: khorenko, security-response-team
Keywords: Security
Hardware: All
OS: Linux
Whiteboard: impact=moderate,source=bugzilla,reported=20061025,public=20061214
Fixed In Version: RHSA-2007-0014
Doc Type: Bug Fix
Last Closed: 2007-01-30 14:28:55 UTC
Attachments: this patch fixes unbalanced local_bh_enable() in dev_queue_xmit() (flags: none)

Description Vasily Averin 2006-10-25 10:53:59 UTC
Konstantin Khorenko from the OpenVZ/Virtuozzo Linux kernel team has noticed the
following issue on RHEL4 (2.6.9-42.0.3 and 2.6.9-42.19) kernels.

dev_queue_xmit() has a wrong error path: this function can fail before the
local_bh_disable() call. In this case it jumps to the out_kfree_skb label, where it
calls local_bh_enable(). As a result it can lead to data corruption and
node lockups.

This issue was fixed in linux mainstream by the following patches:
http://linux.bkbits.net:8080/linux-2.6/gnupatch@4186e5bfgUOMBbA6xFaY0_z84kaURw
http://linux.bkbits.net:8080/linux-2.6/gnupatch@418941b8x3BdnonauMI-deDf7S3plw

We are not sure that it can be user-exploitable, however from our point of view
it can happen on some hardware and software setups.
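
The error path described in this report, as an added userspace C model (not the kernel source and not the attached patch). The counter, the function names and the balanced variant's control flow are assumptions made for illustration:

```c
#include <stdio.h>
/* Constructed model: bh_depth stands in for the softirq-disable depth that
 * local_bh_disable()/local_bh_enable() adjust. This is not kernel code. */
static int bh_depth, underflows;
static void model_bh_disable(void) { bh_depth++; }
static void model_bh_enable(void)
{
    if (bh_depth <= 0)
        underflows++;        /* enable with no matching disable */
    bh_depth--;
}

/* Shape from the report: an early failure jumps to a label that enables
 * bottom halves although they were never disabled on this path. */
static int xmit_unbalanced(int early_fail)
{
    int rc = -1;
    if (early_fail)
        goto out_kfree_skb;  /* fails before the disable */
    model_bh_disable();
    rc = 0;                  /* queueing work would happen here */
out_kfree_skb:
    model_bh_enable();
    return rc;
}

/* Assumed balanced shape: early failures leave without touching the depth. */
static int xmit_balanced(int early_fail)
{
    int rc = -1;
    if (early_fail)
        goto out_free;
    model_bh_disable();
    rc = 0;
    model_bh_enable();
out_free:
    return rc;
}

/* Reset the model, call one path repeatedly, return the final depth. */
static int depth_after(int (*xmit)(int), int early_fail, int calls)
{
    bh_depth = underflows = 0;
    for (int i = 0; i < calls; i++)
        xmit(early_fail);
    return bh_depth;
}
int main(void)
{
    printf("unbalanced=%d balanced=%d\n", depth_after(xmit_unbalanced, 1, 3),
           depth_after(xmit_balanced, 1, 3));
    return 0;
}
```

Each early failure on the unbalanced path lowers the modelled depth by one, so the imbalance accumulates across calls instead of correcting itself.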

Comment 1 Vasily Averin 2006-10-25 10:54:00 UTC
Created attachment 139333
this patch fixes unbalanced local_bh_enable() in dev_queue_xmit()

Comment 2 Neil Horman 2006-11-07 21:07:29 UTC
Looks reasonable. I'll review it further in the AM. Thanks!

Comment 3 Jason Baron 2006-11-21 21:22:19 UTC
Committed in stream U5 build 42.26. A test kernel with this patch is available
from http://people.redhat.com/~jbaron/rhel4/


Comment 4 Jason Baron 2006-12-18 21:43:58 UTC
Committed in stream E5 build 42.0.4

Comment 6 Mike Gahagan 2007-01-17 20:48:02 UTC
I can confirm that the fix is in the 42.0.6 kernel.

Comment 8 Red Hat Bugzilla 2007-01-30 14:28:55 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2007-0014.html