Bug 216452 (CVE-2006-5751)
| Summary: | CVE-2006-5751 Linux kernel get_fdb_entries() integer overflow | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Marcel Holtmann <holtmann> |
| Component: | vulnerability | Assignee: | Thomas Graf <tgraf> |
| Status: | CLOSED ERRATA | QA Contact: | Brian Brock <bbrock> |
| Severity: | high | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | eteo, jbaron, rkhan, security-response-team |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | RHSA-2007-0014 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2007-01-30 14:42:02 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
committed in stream U5 build 42.30. A test kernel with this patch is available from http://people.redhat.com/~jbaron/rhel4/ committed in stream E5 build 42.0.4. A test kernel with this patch is available from http://people.redhat.com/~jbaron/rhel4/ fix for this is in 42.0.8. An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2007-0014.html |
From Eugene Teo: A potential security vulnerability has been found in the Linux kernel in the get_fdb_entries() function code. Successful exploitation may potentially allow execution of arbitrary code with escalated privileges. The vulnerable code resides in net/bridge/br_ioctl.c: 56 static _nt get_fdb_entries(struct net_bridge *br, void __user *userbuf, 57 unsigned long maxnum, unsigned long offset) 58 { 59 int num; 60 void *buf; 61 size_t size = maxnum * sizeof(struct __fdb_entry); 62 63 if (size > PAGE_SIZE) { 64 size = PAGE_SIZE; 65 maxnum = PAGE_SIZE/sizeof(struct __fdb_entry); 66 } 67 68 buf = kmalloc(size, GFP_USER); 69 if (!buf) 70 return -ENOMEM; 71 72 num = br_fdb_fillbuf(br, buf, maxnum, offset); By supplying a sufficiently large value to maxnum, we can control the amount of memory to allocate to buf (i.e. 32 bytes). net/bridge/br_fdb.c: 219 int br_fdb_fillbuf(struct net_bridge *br, void *buf, 220 unsigned long maxnum, unsigned long skip) 221 { 222 struct __fdb_entry *fe = buf; /* ... */ 227 memset(buf, 0, maxnum*sizeof(struct __fdb_entry)); 228 229 rcu_read_lock(); 230 for (i = 0; i < BR_HASH_SIZE; i++) { 231 hlist_for_each_entry_rcu(f, h, &br->hash[i], hlist) { 232 if (num >= maxnum) 233 goto out; 234 235 if (has_expired(br, f)) 236 continue; 237 238 if (skip) { 239 --skip; 240 continue; 241 } 242 243 /* convert from internal format to API */ 244 memcpy(fe->mac_addr, f->addr.addr, ETH_ALEN); 245 fe->port_no = f->dst->port_no; 246 fe->is_local = f->is_local; 247 if (!f->is_static) 248 fe->ageing_timer_value = jiffies_to_clock_t(jiffies - f->ageing_timer); 249 ++fe; 250 ++num; 251 } 252 } because fe = buf, and buf can be allocated with only 32 bytes, if one bridge has more than two interfaces added, memcpy will be able to overwrite other slab objects, which can be exploited to execute arbitrary code.