Bug 555217 (CVE-2010-0006)
| Summary: | CVE-2010-0006 kernel: ipv6: skb_dst() can be NULL in ipv6_hop_jumbo() | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Eugene Teo (Security Response) <eteo> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | | |
| Version: | unspecified | CC: | cebbert, davej, davem, jkacur, kmcmartin, maurizio, mmilgram, rcvalle |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2010-12-21 17:05:16 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Eugene Teo (Security Response)
2010-01-14 01:57:53 UTC
This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 3, 4, 5 and Red Hat Enterprise MRG as they did not have support for network namespaces, and did not include upstream commit 483a47d2 that introduced the problem.

The kernel versions tested are:

1) Red Hat Enterprise Linux 3, 2.4.21-63.EL (not affected)
2) Red Hat Enterprise Linux 4, 2.6.9-89.0.19.EL (not affected)
3) Red Hat Enterprise Linux 5, 2.6.18-164.11.1.el5 (not affected)
4) Red Hat Enterprise MRG, 2.6.24.7-139.el5rt (not affected)

Kernel updates for Fedora will be available soon.

Will be in the next stable push for F-12 via the stable 2.6.31.11 tree.

kernel-2.6.31.12-174.2.3.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/kernel-2.6.31.12-174.2.3.fc12

kernel-2.6.31.12-174.2.3.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.

kernel-2.6.30.10-105.2.4.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/kernel-2.6.30.10-105.2.4.fc11

kernel-2.6.30.10-105.2.4.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.

I hit this issue on kernel-2.6.18-164.el5 (x86_64).

This was on dell-pe2950-01.rhts.eng.bos.redhat.com running the stock kernel. The machine had been idle since booting.

I got a crash dump.
Here are the panic strings:

```
eth0: no IPv6 routers present
Unable to handle kernel NULL pointer dereference at 00000000000000d0
RIP:
 [<ffffffff883addc7>] :ipv6:ipv6_hop_jumbo+0x7d/0x1e8
PGD 70898067 PUD 70899067 PMD 0
Oops: 0000 [1] SMP
last sysfs file: /devices/pci0000:00/0000:00:1c.0/0000:04:00.0/0000:05:00.0/irq
CPU 0
Modules linked in: autofs4 hidp rfcomm l2cap bluetooth lockd sunrpc ipv6 xfrm_nalgo crypto_api dm_multipath scsi_dh video hwmon backlight sbs i2c_ec i2c_core button battery asus_acpi acpi_memhotplug ac parport_pc lp parport joydev sr_mod pcspkr bnx2 sg floppy i5000_edac edac_mc serio_raw ide_cd cdrom dm_raid45 dm_message dm_region_hash dm_mem_cache dm_snapshot dm_zero dm_mirror dm_log dm_mod usb_storage ata_piix libata shpchp megaraid_sas sd_mod scsi_mod ext3 jbd uhci_hcd ohci_hcd ehci_hcd
Pid: 0, comm: swapper Not tainted 2.6.18-164.el5 #1
RIP: 0010:[<ffffffff883addc7>]  [<ffffffff883addc7>] :ipv6:ipv6_hop_jumbo+0x7d/0x1e8
RSP: 0018:ffffffff8043bc20  EFLAGS: 00010293
RAX: 0000000000000000 RBX: ffff81006d17ca80 RCX: 0000000000000000
RDX: 000000000000002a RSI: 000000000000002a RDI: ffff81007ea89024
RBP: ffff81006d17ca80 R08: ffff8100794b7a50 R09: 0000000000000000
R10: ffff81006d17ca80 R11: 00000000000000c8 R12: 000000000000002a
R13: 000000000000002a R14: 0000000000000006 R15: 0000000000000006
FS:  0000000000000000(0000) GS:ffffffff803c0000(0000) knlGS:0000000000000000
CS:  0010 DS: 0018 ES: 0018 CR0: 000000008005003b
CR2: 00000000000000d0 CR3: 00000000715e7000 CR4: 00000000000006e0
Process swapper (pid: 0, threadinfo ffffffff803f0000, task ffffffff802ffae0)
Stack:  ffffffff883e6e30 ffffffff883ada87 ffffffff883e6e20 ffff81006d17ca80
 ffff81006d17cad8 ffff81007e0d6000 0000000000000001 ffff81007892dac0
 ffff81007892c000 ffffffff883ae38f 000000000000003e ffffffff804eca60
Call Trace:
 <IRQ>  [<ffffffff883ada87>] :ipv6:ip6_parse_tlv+0x9d/0x117
 [<ffffffff883ae38f>] :ipv6:ipv6_parse_hopopts+0x8c/0xbd
 [<ffffffff8838f4a3>] :ipv6:ipv6_rcv+0x2a3/0x3f8
 [<ffffffff80020807>] netif_receive_skb+0x3c9/0x3f5
 [<ffffffff8824d81f>] :bnx2:bnx2_poll_work+0x10ee/0x1227
 [<ffffffff8008b876>] __activate_task+0x56/0x6d
 [<ffffffff8014a179>] cfq_dispatch_requests+0xed/0x526
 [<ffffffff8008a079>] sys32_ipc+0x79/0xf0
 [<ffffffff80096383>] current_tick_length+0x5/0x26
 [<ffffffff80096d98>] do_timer+0x2df/0x52c
 [<ffffffff8824dd0e>] :bnx2:bnx2_poll+0xdf/0x209
 [<ffffffff8000c845>] net_rx_action+0xac/0x1e0
 [<ffffffff8001235a>] __do_softirq+0x89/0x133
 [<ffffffff8005e2fc>] call_softirq+0x1c/0x28
 [<ffffffff8006cb14>] do_softirq+0x2c/0x85
 [<ffffffff8006c99c>] do_IRQ+0xec/0xf5
 [<ffffffff800571be>] mwait_idle+0x0/0x4a
 [<ffffffff8005d615>] ret_from_intr+0x0/0xa
 <EOI>  [<ffffffff800571f4>] mwait_idle+0x36/0x4a
 [<ffffffff8004939e>] cpu_idle+0x95/0xb8
 [<ffffffff803fb7fd>] start_kernel+0x220/0x225
 [<ffffffff803fb22f>] _sinittext+0x22f/0x236

Code: 48 8b 80 d0 00 00 00 48 85 c0 74 1d 48 8b 80 a0 01 00 00 48
RIP  [<ffffffff883addc7>] :ipv6:ipv6_hop_jumbo+0x7d/0x1e8
 RSP <ffffffff8043bc20>
```

```
crash> dis -l ipv6_hop_jumbo+0x7d
include/net/ip6_fib.h: 94
0xffffffff883addc7 <ipv6_hop_jumbo+125>:        mov    0xd0(%rax),%rax
```

Let me know in the next few days if any additional information would be useful.

Patch available on the latest RHEL6 git tree.

(In reply to comment #8)
> I hit this issue on kernel-2.6.18-164.el5 (x86_64).
>
> This was on dell-pe2950-01.rhts.eng.bos.redhat.com running the stock kernel.
> The machine had been idle since booting.

We don't need any additional information. This issue has been addressed in Red Hat Enterprise Linux 5 via RHSA-2010:0019. https://rhn.redhat.com/errata/RHSA-2010-0019.html.

Thanks, Eugene

git describe --contains 2570a4f5428bcdb1077622342181755741e7fa60
v2.6.33-rc6~29^2~37

fixes this
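Added example, not code from this bug, from the kernel, or from the fix referenced above: a user-space C model of the pattern behind the crash. The hop-by-hop option handler runs from ipv6_rcv() before a route has been attached to the skb, so a lookup that reaches through skb_dst() on the option handler's error-accounting path dereferences NULL; the oops above shows exactly that shape (RAX is zero at `mov 0xd0(%rax),%rax`, CR2 is 0xd0, and the option handler is two frames below ipv6_rcv). The kernel objects are replaced by constructed stand-ins, the namespace lookup is modelled as the form the bug title describes (a net derived from skb_dst()), and the hardened `ipv6_skb_net()` that falls back to `skb->dev` is an assumption about the shape of the fix, since the page quotes neither the vulnerable code nor the patch. The Jumbo Payload validation rules follow RFC 2675 (option length 4, offset 4n+2, payload length above 65535, base-header payload_len zero); the constants, packet bytes and namespace counter are constructed for the example.

```c
#include <stdint.h>
#include <string.h>

#define IPV6_HDR_LEN 40
#define IPV6_MAXPLEN 65535
#define JUMBO_OPTOFF (IPV6_HDR_LEN + 2)  /* first option slot after nexthdr/hdrlen */

/* Constructed stand-ins for the kernel objects involved: a namespace with one SNMP
 * counter, a device owned by a namespace, a cached route (dst) recording its device,
 * and an skb that only carries a dst once it has been routed. */
struct net        { unsigned long inhdrerrors; };
struct net_device { struct net *nd_net; };
struct dst_entry  { struct net_device *dev; };
struct sk_buff {
    struct dst_entry  *dst;         /* NULL until ip6_route_input() has run */
    struct net_device *dev;         /* receiving device, set on every ingress skb */
    unsigned int       len;         /* bytes from the IPv6 header onward */
    uint16_t           payload_len; /* IPv6 header field; 0 signals a jumbogram */
};

static struct net *dev_net(const struct net_device *dev) { return dev->nd_net; }
static struct dst_entry *skb_dst(const struct sk_buff *skb) { return skb->dst; }

/* Pre-fix lookup: assumes a route is attached. Hop-by-hop options are parsed in
 * ipv6_rcv() before routing, so skb_dst() is NULL there and the ->dev read faults
 * (the oops above shows RAX == 0 feeding "mov 0xd0(%rax),%rax"). */
static struct net *net_from_dst_unchecked(const struct sk_buff *skb)
{
    return dev_net(skb_dst(skb)->dev);
}

/* Hardened lookup: the route's device when there is one, else the receiving device.
 * (Assumption: this is the shape of the upstream fix; the page shows no patch.) */
static struct net *ipv6_skb_net(const struct sk_buff *skb)
{
    return skb_dst(skb) ? dev_net(skb_dst(skb)->dev) : dev_net(skb->dev);
}

/* Model of the Jumbo Payload option handler (RFC 2675): nh points at the IPv6 header,
 * optoff at the option type byte. Returns 1 to accept, 0 to drop. The header-error
 * paths charge INHDRERRORS to the namespace, and that lookup is what crashed. */
static int hop_jumbo(struct sk_buff *skb, const unsigned char *nh, int optoff)
{
    struct net *net = ipv6_skb_net(skb);
    uint32_t pkt_len;
    if (nh[optoff + 1] != 4 || (optoff & 3) != 2)          /* length 4, 4n+2 aligned */
        goto hdrerr;
    pkt_len = ((uint32_t)nh[optoff + 2] << 24) | ((uint32_t)nh[optoff + 3] << 16) |
              ((uint32_t)nh[optoff + 4] << 8)  |  (uint32_t)nh[optoff + 5];
    if (pkt_len <= IPV6_MAXPLEN || skb->payload_len != 0)  /* not a real jumbogram  */
        goto hdrerr;
    return pkt_len <= skb->len - IPV6_HDR_LEN;             /* else truncated: drop   */
hdrerr:
    net->inhdrerrors++;
    return 0;
}

/* Build a hop-by-hop header whose first option is Jumbo Payload (type 0xC2). */
static void build_hop_jumbo(unsigned char *pkt, uint8_t optlen, uint32_t jumbo_len)
{
    memset(pkt, 0, IPV6_HDR_LEN + 8);
    pkt[JUMBO_OPTOFF] = 0xC2;
    pkt[JUMBO_OPTOFF + 1] = optlen;
    for (int i = 0; i < 4; i++)
        pkt[JUMBO_OPTOFF + 2 + i] = (unsigned char)(jumbo_len >> (24 - 8 * i));
}

enum { JUMBO_DROP_HDRERR = -1, JUMBO_DROP_TRUNC = 0, JUMBO_ACCEPT = 1 };

/* Run one constructed option through hop_jumbo() on an skb with no dst, i.e. at the
 * point in the receive path where the crash happened. */
int unrouted_verdict(uint8_t optlen, uint32_t jumbo_len, unsigned int wire_len)
{
    struct net ns = { 0 };
    struct net_device rx = { &ns };
    struct sk_buff skb = { NULL, &rx, wire_len, 0 };
    unsigned char pkt[IPV6_HDR_LEN + 8];
    build_hop_jumbo(pkt, optlen, jumbo_len);
    if (hop_jumbo(&skb, pkt, JUMBO_OPTOFF))
        return JUMBO_ACCEPT;
    return ns.inhdrerrors ? JUMBO_DROP_HDRERR : JUMBO_DROP_TRUNC;
}

/* Once routed, the error is charged to the route's namespace and the unchecked lookup
 * agrees with the hardened one; only the unrouted case separates them. */
int charged_to_route_ns(void)
{
    struct net rx_ns = { 0 }, route_ns = { 0 };
    struct net_device rx = { &rx_ns }, out = { &route_ns };
    struct dst_entry dst = { &out };
    struct sk_buff skb = { &dst, &rx, 70040, 0 };
    unsigned char pkt[IPV6_HDR_LEN + 8];
    build_hop_jumbo(pkt, 2, 70000);                         /* bad option length */
    return hop_jumbo(&skb, pkt, JUMBO_OPTOFF) == 0 &&
           route_ns.inhdrerrors == 1 && rx_ns.inhdrerrors == 0 &&
           net_from_dst_unchecked(&skb) == ipv6_skb_net(&skb);
}
```

The unchecked lookup is kept only to show where the dereference sits; nothing here calls it on an unrouted skb, because on the kernel that is the oops above and in user space it is a plain segfault. Note which packets reach the crashing path: a well-formed jumbogram never touches the namespace, and a packet that is merely truncated is dropped without accounting, so the trigger is a malformed Jumbo Payload option (wrong length, value at or below 65535, or a non-zero base payload_len) arriving on an interface before any route has been attached.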