Bug 702303 (CVE-2011-1767, CVE-2011-1768)

Summary: CVE-2011-1767 CVE-2011-1768 kernel: netns vs proto registration ordering
Product: [Other] Security Response Reporter: Petr Matousek <pmatouse>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: arozansk, bhu, davej, fhrbata, jkacur, kernel-mgr, kmcmartin, lgoncalv, lwang, rt-maint, sforsber, tcallawa, williams, wmealing
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-11-11 02:11:23 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 702305, 702306, 702307    
Bug Blocks:    

Description Petr Matousek 2011-05-05 10:22:20 UTC 
Description:
1) CVE-2011-1767
gre: fix netns vs proto registration ordering

GRE protocol receive hook can be called right after protocol addition is done.
If netns stuff is not yet initialized, we're going to oops in
net_generic().

This is remotely oopsable if ip_gre is compiled as module and packet
comes at unfortunate moment of module loading.

Upstream commit:
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=c2892f02

References:
http://www.openwall.com/lists/oss-security/2010/02/18/3
http://patchwork.ozlabs.org/patch/45553/

2) CVE-2011-1768
tunnels: fix netns vs proto registration ordering

Same stuff as in ip_gre patch: receive hook can be called before netns
setup is done, oopsing in net_generic().

Upstream commit:
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=d5aa407f

References:
http://www.openwall.com/lists/oss-security/2010/02/18/3
http://patchwork.ozlabs.org/patch/45554/
Comment 3 Eugene Teo (Security Response) 2011-05-06 01:06:47 UTC 
Statement:

The Linux kernel as shipped with Red Hat Enterprise Linux 4, and 5 did not provide support for Network Namespace, and therefore are not affected by this issue. This has been addressed in Red Hat Enterprise Linux 6 and Red Hat Enterprise MRG via https://rhn.redhat.com/errata/RHSA-2011-0928.html, and https://rhn.redhat.com/errata/RHSA-2011-1253.html.
Comment 4 Eugene Teo (Security Response) 2011-05-06 01:07:58 UTC 
Note that for this issue to occur, packets have to come when the module is loading, the window for this to happen is small.
Comment 7 errata-xmlrpc 2011-07-12 21:12:00 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2011:0928 https://rhn.redhat.com/errata/RHSA-2011-0928.html
Comment 8 Eugene Teo (Security Response) 2011-08-29 04:38:46 UTC 
> 2) CVE-2011-1768
> tunnels: fix netns vs proto registration ordering
> 
> Same stuff as in ip_gre patch: receive hook can be called before netns
> setup is done, oopsing in net_generic().

A regression was found that can result in a NULL pointer dereference when the ip6_tunnel module is loaded, http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=633738.

Filed bugs:
Bug 733985 - kernel: regression in CVE-2011-1768 fix [rhel-6.2]
Bug 733986 - kernel: regression in CVE-2011-1768 fix [mrg-2.0]
Comment 9 errata-xmlrpc 2011-09-12 19:45:22 UTC 
This issue has been addressed in following products:

  MRG for RHEL-6 v.2

Via RHSA-2011:1253 https://rhn.redhat.com/errata/RHSA-2011-1253.html