Bug 555217 (CVE-2010-0006)

Summary: CVE-2010-0006 kernel: ipv6: skb_dst() can be NULL in ipv6_hop_jumbo()
Product: [Other] Security Response
Reporter: Eugene Teo (Security Response) <eteo>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: high
Priority: high
Version: unspecified
CC: cebbert, davej, davem, jkacur, kmcmartin, maurizio, mmilgram, rcvalle
Keywords: Security
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2010-12-21 17:05:16 UTC

Description Eugene Teo (Security Response) 2010-01-14 01:57:53 UTC
Description of problem:
http://marc.info/?l=linux-netdev&m=126343325807340&w=2

This fixes CERT-FI FICORA #341748

Discovered by Olli Jarva and Tuomo Untinen from the CROSS project at Codenomicon Ltd.

Just like in CVE-2007-4567, we can't rely upon skb_dst() being non-NULL at this point.  We fixed that in commit e76b2b2567b83448c2ee85a896433b96150c92e6 ("[IPV6]: Do no rely on skb->dst before it is assigned.")

However commit 483a47d2fe794328d29950fe00ce26dd405d9437 ("ipv6: added net argument to IP6_INC_STATS_BH") put a new version of the same bug into this function.

Complicating analysis further, this bug can only trigger when network namespaces are enabled in the build.  When namespaces are turned off, the dev_net() does not evaluate its argument, so the dereference would not occur.

So, for a long time, namespaces couldn't be turned on unless SYSFS was disabled.  Therefore, this code has largely been disabled except by people turning it on explicitly for namespace development.

With help from Eugene Teo <eugene>

Signed-off-by: David S. Miller <davem>
CC: stable <stable>
---
 net/ipv6/exthdrs.c |    7 ++++++-
 1 files changed, 6 insertions(+), 1 deletions(-)

diff --git a/net/ipv6/exthdrs.c b/net/ipv6/exthdrs.c
index df159ff..4bac362 100644
--- a/net/ipv6/exthdrs.c
+++ b/net/ipv6/exthdrs.c
@@ -559,6 +559,11 @@ static inline struct inet6_dev *ipv6_skb_idev(struct sk_buff *skb)
 	return skb_dst(skb) ? ip6_dst_idev(skb_dst(skb)) : __in6_dev_get(skb->dev);
 }
 
+static inline struct net *ipv6_skb_net(struct sk_buff *skb)
+{
+	return skb_dst(skb) ? dev_net(skb_dst(skb)->dev) : dev_net(skb->dev);
+}
+
 /* Router Alert as of RFC 2711 */
 
 static int ipv6_hop_ra(struct sk_buff *skb, int optoff)
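Review bot: ipv6_skb_net() repeats the skb_dst()-or-skb->dev fallback that ipv6_skb_idev() directly above already encodes, and neither helper says why skb_dst() can be NULL in these option handlers; a one-line comment noting that the hop-by-hop parser runs from ipv6_rcv() before a dst is attached (the call trace in comment 8 shows exactly that path) would stop the next reader from re-deriving it from the CVE-2007-4567 history in the commit message. The fallback dev_net(skb->dev) is sound on the receive path, where skb->dev is always set, so the helper itself needs no change.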
@@ -580,8 +585,8 @@ static int ipv6_hop_ra(struct sk_buff *skb, int optoff)
 static int ipv6_hop_jumbo(struct sk_buff *skb, int optoff)
 {
 	const unsigned char *nh = skb_network_header(skb);
+	struct net *net = ipv6_skb_net(skb);
 	u32 pkt_len;
-	struct net *net = dev_net(skb_dst(skb)->dev);
 
 	if (nh[optoff + 1] != 4 || (optoff & 3) != 2) {
 		LIMIT_NETDEBUG(KERN_DEBUG "ipv6_hop_jumbo: wrong jumbo opt length/alignment %d\n",
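Review bot: the commit message states that dev_net() does not evaluate its argument when namespaces are compiled out, so a kernel built without CONFIG_NET_NS never exercises the dereference this hunk removes; the regression check for this change therefore has to run on a namespace-enabled build that receives a packet carrying a hop-by-hop jumbo option, otherwise the old line and the new one behave identically. It is also worth confirming that no other dev_net(skb_dst(skb)->dev) pattern remains in the exthdrs.c option handlers, since only the instance in ipv6_hop_jumbo() is replaced here.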
-- 1.6.5

Comment 1 Eugene Teo (Security Response) 2010-01-14 02:07:25 UTC
This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 3, 4, 5 and Red Hat Enterprise MRG as they did not have support for network namespaces, and did not include upstream commit 483a47d2 that introduced the problem.

The kernel versions tested are:
1) Red Hat Enterprise Linux 3, 2.4.21-63.EL (not affected)
2) Red Hat Enterprise Linux 4, 2.6.9-89.0.19.EL (not affected)
3) Red Hat Enterprise Linux 5, 2.6.18-164.11.1.el5 (not affected)
4) Red Hat Enterprise MRG, 2.6.24.7-139.el5rt (not affected)

Kernel updates for Fedora will be available soon.

Comment 3 Kyle McMartin 2010-01-16 21:22:39 UTC
Will be in the next stable push for F-12 via the stable 2.6.31.11 tree.

Comment 4 Fedora Update System 2010-01-19 17:17:52 UTC
kernel-2.6.31.12-174.2.3.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/kernel-2.6.31.12-174.2.3.fc12

Comment 5 Fedora Update System 2010-01-21 00:06:40 UTC
kernel-2.6.31.12-174.2.3.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 6 Fedora Update System 2010-01-22 11:40:24 UTC
kernel-2.6.30.10-105.2.4.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/kernel-2.6.30.10-105.2.4.fc11

Comment 7 Fedora Update System 2010-01-22 22:36:18 UTC
kernel-2.6.30.10-105.2.4.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 8 Marc Milgram 2010-01-26 15:27:07 UTC
I hit this issue on kernel-2.6.18-164.el5 (x86_64).

This was on dell-pe2950-01.rhts.eng.bos.redhat.com running the stock kernel.  The machine had been idle since booting.

I got a crash dump.

Here are the panic strings:

eth0: no IPv6 routers present
Unable to handle kernel NULL pointer dereference at 00000000000000d0 RIP: 
 [<ffffffff883addc7>] :ipv6:ipv6_hop_jumbo+0x7d/0x1e8
PGD 70898067 PUD 70899067 PMD 0 
Oops: 0000 [1] SMP 
last sysfs file: /devices/pci0000:00/0000:00:1c.0/0000:04:00.0/0000:05:00.0/irq
CPU 0 
Modules linked in: autofs4 hidp rfcomm l2cap bluetooth lockd sunrpc ipv6 xfrm_nalgo crypto_api dm_multipath scsi_dh video hwmon backlight sbs i2c_ec i2c_core button battery asus_acpi acpi_memhotplug ac parport_pc lp parport joydev sr_mod pcspkr bnx2 sg floppy i5000_edac edac_mc serio_raw ide_cd cdrom dm_raid45 dm_message dm_region_hash dm_mem_cache dm_snapshot dm_zero dm_mirror dm_log dm_mod usb_storage ata_piix libata shpchp megaraid_sas sd_mod scsi_mod ext3 jbd uhci_hcd ohci_hcd ehci_hcd
Pid: 0, comm: swapper Not tainted 2.6.18-164.el5 #1
RIP: 0010:[<ffffffff883addc7>]  [<ffffffff883addc7>] :ipv6:ipv6_hop_jumbo+0x7d/0x1e8
RSP: 0018:ffffffff8043bc20  EFLAGS: 00010293
RAX: 0000000000000000 RBX: ffff81006d17ca80 RCX: 0000000000000000
RDX: 000000000000002a RSI: 000000000000002a RDI: ffff81007ea89024
RBP: ffff81006d17ca80 R08: ffff8100794b7a50 R09: 0000000000000000
R10: ffff81006d17ca80 R11: 00000000000000c8 R12: 000000000000002a
R13: 000000000000002a R14: 0000000000000006 R15: 0000000000000006
FS:  0000000000000000(0000) GS:ffffffff803c0000(0000) knlGS:0000000000000000
CS:  0010 DS: 0018 ES: 0018 CR0: 000000008005003b
CR2: 00000000000000d0 CR3: 00000000715e7000 CR4: 00000000000006e0
Process swapper (pid: 0, threadinfo ffffffff803f0000, task ffffffff802ffae0)
Stack:  ffffffff883e6e30 ffffffff883ada87 ffffffff883e6e20 ffff81006d17ca80
 ffff81006d17cad8 ffff81007e0d6000 0000000000000001 ffff81007892dac0
 ffff81007892c000 ffffffff883ae38f 000000000000003e ffffffff804eca60
Call Trace:
 <IRQ>  [<ffffffff883ada87>] :ipv6:ip6_parse_tlv+0x9d/0x117
 [<ffffffff883ae38f>] :ipv6:ipv6_parse_hopopts+0x8c/0xbd
 [<ffffffff8838f4a3>] :ipv6:ipv6_rcv+0x2a3/0x3f8
 [<ffffffff80020807>] netif_receive_skb+0x3c9/0x3f5
 [<ffffffff8824d81f>] :bnx2:bnx2_poll_work+0x10ee/0x1227
 [<ffffffff8008b876>] __activate_task+0x56/0x6d
 [<ffffffff8014a179>] cfq_dispatch_requests+0xed/0x526
 [<ffffffff8008a079>] sys32_ipc+0x79/0xf0
 [<ffffffff80096383>] current_tick_length+0x5/0x26
 [<ffffffff80096d98>] do_timer+0x2df/0x52c
 [<ffffffff8824dd0e>] :bnx2:bnx2_poll+0xdf/0x209
 [<ffffffff8000c845>] net_rx_action+0xac/0x1e0
 [<ffffffff8001235a>] __do_softirq+0x89/0x133
 [<ffffffff8005e2fc>] call_softirq+0x1c/0x28
 [<ffffffff8006cb14>] do_softirq+0x2c/0x85
 [<ffffffff8006c99c>] do_IRQ+0xec/0xf5
 [<ffffffff800571be>] mwait_idle+0x0/0x4a
 [<ffffffff8005d615>] ret_from_intr+0x0/0xa
 <EOI>  [<ffffffff800571f4>] mwait_idle+0x36/0x4a
 [<ffffffff8004939e>] cpu_idle+0x95/0xb8
 [<ffffffff803fb7fd>] start_kernel+0x220/0x225
 [<ffffffff803fb22f>] _sinittext+0x22f/0x236


Code: 48 8b 80 d0 00 00 00 48 85 c0 74 1d 48 8b 80 a0 01 00 00 48 
RIP  [<ffffffff883addc7>] :ipv6:ipv6_hop_jumbo+0x7d/0x1e8
 RSP <ffffffff8043bc20>
crash> dis -l ipv6_hop_jumbo+0x7d
include/net/ip6_fib.h: 94
0xffffffff883addc7 <ipv6_hop_jumbo+125>:        mov    0xd0(%rax),%rax

Let me know in the next few days if any additional information would be useful.
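
The oops above carries enough to confirm the diagnosis without a crash dump: the fault address (0xd0), the register snapshot (RAX = 0) and the bytes at RIP, whose first instruction is the same mov 0xd0(%rax),%rax that crash later disassembles. The following is an added Python example, not part of the bug report or of the kernel, that parses this 2.6.18-era x86_64 oops format and cross-checks the fault address against the displacement of the faulting load. A fault address below one page that equals the load's displacement, with the base register zero, is a member read through a NULL pointer at that struct offset rather than a wild pointer. The sample input is an excerpt of the lines posted in comment 8; the narrow instruction decoder handles only the REX.W mov r64, disp32(r64) form seen here and is an assumption of this example, not a general disassembler.

```python
import re

# Constructed sample: an excerpt of the x86_64 oops posted in comment 8
# (kernel-2.6.18-164.el5), trimmed to the fields the triage below reads.
SAMPLE_OOPS = """\
eth0: no IPv6 routers present
Unable to handle kernel NULL pointer dereference at 00000000000000d0 RIP:
 [<ffffffff883addc7>] :ipv6:ipv6_hop_jumbo+0x7d/0x1e8
PGD 70898067 PUD 70899067 PMD 0
Oops: 0000 [1] SMP
Pid: 0, comm: swapper Not tainted 2.6.18-164.el5 #1
RIP: 0010:[<ffffffff883addc7>]  [<ffffffff883addc7>] :ipv6:ipv6_hop_jumbo+0x7d/0x1e8
RAX: 0000000000000000 RBX: ffff81006d17ca80 RCX: 0000000000000000
CR2: 00000000000000d0 CR3: 00000000715e7000 CR4: 00000000000006e0
Call Trace:
 <IRQ>  [<ffffffff883ada87>] :ipv6:ip6_parse_tlv+0x9d/0x117
 [<ffffffff883ae38f>] :ipv6:ipv6_parse_hopopts+0x8c/0xbd
 [<ffffffff8838f4a3>] :ipv6:ipv6_rcv+0x2a3/0x3f8
 [<ffffffff80020807>] netif_receive_skb+0x3c9/0x3f5

Code: 48 8b 80 d0 00 00 00 48 85 c0 74 1d 48 8b 80 a0 01 00 00 48
RIP  [<ffffffff883addc7>] :ipv6:ipv6_hop_jumbo+0x7d/0x1e8
"""

FAULT_RE = re.compile(r"Unable to handle kernel (?:NULL pointer dereference|paging request) at ([0-9a-f]+)")
SYM_RE = re.compile(r"\[<([0-9a-f]+)>\]\s+(?::(\w+):)?(\w+)\+0x([0-9a-f]+)/0x([0-9a-f]+)")
REG_RE = re.compile(r"\b(R[A-Z0-9]{2}|CR[0-4]): ([0-9a-f]{16})\b")
TAINT_RE = re.compile(r"comm: \S+ (Not tainted|Tainted:.*?) (\S+) #\d+")

X86_REG64 = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi"]


def parse_code_bytes(line):
    """Bytes from the 'Code:' line. This 2.6.18-era format starts at RIP; newer
    kernels dump context before RIP and mark the faulting byte as <xx>, so start there."""
    toks = line.split(":", 1)[1].split()
    start = next((i for i, t in enumerate(toks) if t.startswith("<")), 0)
    out = []
    for tok in toks[start:]:
        try:
            out.append(int(tok.strip("<>"), 16))
        except ValueError:  # e.g. "Bad RIP value."
            break
    return bytes(out)


def parse_oops(text):
    """Pull the fault address, registers, RIP symbol, call trace and code bytes out of an oops."""
    oops = {"fault_addr": None, "regs": {}, "trace": [], "code": b"", "tainted": None, "kernel": None}
    in_trace = False
    for line in text.splitlines():
        if (m := FAULT_RE.search(line)):
            oops["fault_addr"] = int(m.group(1), 16)
        if (m := TAINT_RE.search(line)):
            oops["tainted"] = not m.group(1).startswith("Not")
            oops["kernel"] = m.group(2)
        if line.startswith("RIP: ") and (m := SYM_RE.search(line)):
            oops["rip_module"], oops["rip_symbol"] = m.group(2), m.group(3)
            oops["rip_offset"] = int(m.group(4), 16)
        for name, val in REG_RE.findall(line):
            oops["regs"][name.lower()] = int(val, 16)
        if line.startswith("Call Trace:"):
            in_trace = True
            continue
        if line.startswith("Code:"):
            in_trace = False
            oops["code"] = parse_code_bytes(line)
            continue
        if in_trace and (m := SYM_RE.search(line)):
            oops["trace"].append(m.group(3))
    return oops


def decode_mov_load_disp32(code):
    """Decode only 'REX.W mov r64, disp32(r64)' (48 8b /r with mod=10, no SIB).
    Returns (dest, base, disp) or None. Deliberately narrow: enough for this oops."""
    if len(code) < 7 or code[0] != 0x48 or code[1] != 0x8B:
        return None
    modrm = code[2]
    if modrm >> 6 != 0b10 or (modrm & 7) == 4:  # need the disp32 form and no SIB byte
        return None
    dest = X86_REG64[(modrm >> 3) & 7]
    base = X86_REG64[modrm & 7]
    disp = int.from_bytes(code[3:7], "little", signed=True)
    return dest, base, disp


def triage(text):
    """Classify the oops and cross-check the fault address against the faulting load."""
    o = parse_oops(text)
    fault = o["fault_addr"]
    decoded = decode_mov_load_disp32(o["code"])
    # A fault address below one page is a member access through a NULL pointer;
    # the load's displacement names the struct offset that was read.
    kind = "null-deref" if fault is not None and fault < 0x1000 else "other"
    confirmed = (decoded is not None
                 and o["regs"].get(decoded[1]) == 0
                 and decoded[2] == fault
                 and o["regs"].get("cr2") == fault)
    return {
        "kind": kind,
        "fault_addr": fault,
        "rip_symbol": o.get("rip_symbol"),
        "module": o.get("rip_module"),
        "kernel": o["kernel"],
        "tainted": o["tainted"],
        "decoded": decoded,
        "confirmed": confirmed,
        "path": [o.get("rip_symbol")] + o["trace"],  # innermost frame first
    }


if __name__ == "__main__":
    r = triage(SAMPLE_OOPS)
    print(f"{r['kind']} in {r['module']}:{r['rip_symbol']} ({r['kernel']}), "
          f"member offset 0x{r['fault_addr']:x}, instruction cross-check: {r['confirmed']}")
    print("receive path:", " <- ".join(r["path"]))
```

Run on the sample, the triage reports a NULL dereference at member offset 0xd0 inside ipv6_hop_jumbo, confirmed because RAX is zero and the decoded displacement matches both the fault address and CR2, and the path from netif_receive_skb through ipv6_rcv and ipv6_parse_hopopts shows the packet was still on the receive path when it faulted, which is what makes a NULL skb_dst() plausible at that point.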

Comment 9 Aristeu Rozanski 2010-01-26 17:25:30 UTC
Patch available on the latest RHEL6 git tree.

Comment 10 Eugene Teo (Security Response) 2010-01-27 00:37:12 UTC
(In reply to comment #8)
> I hit this issue on kernel-2.6.18-164.el5 (x86_64).
> 
> This was on dell-pe2950-01.rhts.eng.bos.redhat.com running the stock kernel. 
> The machine had been idle since booting.

We don't need any additional information. This issue has been addressed in Red Hat Enterprise Linux 5 via RHSA-2010:0019. https://rhn.redhat.com/errata/RHSA-2010-0019.html.

Thanks, Eugene

Comment 11 John Kacur 2010-04-08 15:27:22 UTC
git describe --contains 2570a4f5428bcdb1077622342181755741e7fa60
v2.6.33-rc6~29^2~37
fixes this