Bug 751006 (CVE-2011-4112)

Summary: CVE-2011-4112 kernel: null ptr deref at dev_queue_xmit+0x35/0x4d0
Product: [Other] Security Response
Reporter: Eugene Teo (Security Response) <eteo>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: high
Priority: high
Version: unspecified
CC: anton, arozansk, dhoward, fhrbata, kernel-mgr, lwang, pmatouse, security-response-team, sforsber
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2011-11-24 14:16:48 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 751372, 755403, 755404, 755410
Bug Blocks: 750960

Description Eugene Teo (Security Response) 2011-11-03 08:10:55 UTC
While I was running the bridge-over-VLAN testing, I got a kernel panic at
dev_queue_xmit+0x35/0x4d0.

Version-Release number of selected component (if applicable):
kernel-2.6.32-216

How reproducible:
100%

Actual results:
BUG: unable to handle kernel NULL pointer dereference at 0000000000000006
IP: [<ffffffff814309a5>] dev_queue_xmit+0x35/0x6b0
PGD 0 
Oops: 0000 [#1] SMP 
last sysfs file: /sys/module/pktgen/initstate
CPU 0 
Modules linked in: bonding bridge 8021q garp stp llc pktgen autofs4 sunrpc
pcc_cpufreq ipv6 power_meter be2net ixgbe dca mdio netxen_nic microcode
serio_raw iTCO_wdt iTCO_vendor_support hpilo hpwdt sg i7core_edac edac_core
shpchp ext4 mbcache jbd2 sr_mod cdrom sd_mod crc_t10dif lpfc scsi_transport_fc
scsi_tgt pata_acpi ata_generic ata_piix hpsa radeon ttm drm_kms_helper drm
i2c_algo_bit i2c_core dm_mirror dm_region_hash dm_log dm_mod [last unloaded:
bonding]

Pid: 3374, comm: kpktgend_0 Not tainted 2.6.32-214.el6.x86_64 #1
Hewlett-Packard ProLiant DL580 G7
RIP: 0010:[<ffffffff814309a5>]  [<ffffffff814309a5>] dev_queue_xmit+0x35/0x6b0
RSP: 0018:ffff88023ac2bbc0  EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff8802360cecf8 RCX: 0000000000000003
RDX: 0000000000000000 RSI: ffff880437b2e6e0 RDI: ffff8802360cecf8
RBP: ffff88023ac2bc00 R08: ffffffffa0483520 R09: ffff88023ac2bcb8
R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000000
R13: ffff8802397b5020 R14: ffff880437b2e020 R15: ffff8804385fe540
FS:  0000000000000000(0000) GS:ffff88002f600000(0000) knlGS:0000000000000000
CS:  0010 DS: 0018 ES: 0018 CR0: 000000008005003b
CR2: 0000000000000006 CR3: 0000000001a85000 CR4: 00000000000006f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Process kpktgend_0 (pid: 3374, threadinfo ffff88023ac2a000, task
ffff8802386e8a80)
Stack:
 ffff88023ac2bbd0 ffffffff00000000 ffff88023ac2bc00 ffff8804385fe540
<0> 0000000000000000 ffff8802397f2dc0 ffff880437b2e020 ffff8804385fe540
<0> ffff88023ac2bc20 ffffffffa047ba34 ffff8802360cecf8 0000000000000000
Call Trace:
 [<ffffffffa047ba34>] vlan_dev_hwaccel_hard_start_xmit+0x84/0xb0 [8021q]
 [<ffffffff8142c67f>] dev_hard_start_xmit+0x20f/0x3f0
 [<ffffffff81430ec6>] dev_queue_xmit+0x556/0x6b0
 [<ffffffffa0483598>] br_dev_queue_push_xmit+0x78/0xe0 [bridge]
 [<ffffffffa0483658>] br_forward_finish+0x58/0x60 [bridge]
 [<ffffffffa0483838>] __br_deliver+0xa8/0x110 [bridge]
 [<ffffffffa0483829>] ? __br_deliver+0x99/0x110 [bridge]
 [<ffffffffa04838d5>] br_deliver+0x35/0x40 [bridge]
 [<ffffffffa04825b8>] br_dev_xmit+0xa8/0x120 [bridge]
 [<ffffffffa04aa8f5>] pktgen_thread_worker+0x835/0x1bf0 [pktgen]
 [<ffffffffa0482510>] ? br_dev_xmit+0x0/0x120 [bridge]
 [<ffffffff81090c00>] ? autoremove_wake_function+0x0/0x40
 [<ffffffff81090c00>] ? autoremove_wake_function+0x0/0x40
 [<ffffffffa04aa0c0>] ? pktgen_thread_worker+0x0/0x1bf0 [pktgen]
 [<ffffffff81090896>] kthread+0x96/0xa0
 [<ffffffff8100c14a>] child_rip+0xa/0x20
 [<ffffffff81090800>] ? kthread+0x0/0xa0
 [<ffffffff8100c140>] ? child_rip+0x0/0x20
Code: 5d d8 4c 89 65 e0 4c 89 6d e8 4c 89 75 f0 4c 89 7d f8 0f 1f 44 00 00 8b
87 cc 00 00 00 4c 8b 6f 20 48 03 87 d0 00 00 00 48 89 fb <66> 83 78 06 00 0f 84
58 01 00 00 0f b7 50 0a 41 8b 4d 70 c1 e2 
RIP  [<ffffffff814309a5>] dev_queue_xmit+0x35/0x6b0
 RSP <ffff88023ac2bbc0>
CR2: 0000000000000006


Expected results:
no panic

Additional info:

Upstream commit:
http://git.kernel.org/linus/550fd08c2cebad61c548def135f67aba284c6162
http://git.kernel.org/linus/d8873315065f1f527c7c380402cf59b1e1d0ae36

Comment 5 Petr Matousek 2011-11-24 14:16:48 UTC
The panic is on the sending side with pktgen. /proc/net/pktgen/pgctrl is mode 600 and also CAP_NET_ADMIN only. This is a pktgen-specific issue.

Closing as NOTABUG.

Comment 6 Petr Matousek 2011-11-24 14:45:10 UTC
CVE-2011-4112 REJECT request
http://www.openwall.com/lists/oss-security/2011/11/24/3

Comment 7 Petr Matousek 2012-05-22 09:06:52 UTC
Statement:

The Red Hat Security Response team does not consider this bug to be a security-relevant one, due to the privileges required to exploit this issue.