Bug 979936 (CVE-2013-2224)

Summary: CVE-2013-2224 kernel: net: IP_RETOPTS invalid free
Product: [Other] Security Response
Reporter: Prasad Pandit <ppandit>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: high
Priority: high
Version: unspecified
CC: agordeev, anton, bhu, davej, dhoward, esammons, fhrbata, gansalmon, iboverma, itamar, jforbes, jkacur, johnny, jonathan, jpirko, jross, jwboyer, kernel-maint, kernel-mgr, khlebnikov, lgoncalv, lwang, madhu.chinakonda, matt, mcressma, ms, npajkovs, plougher, pmatouse, rt-maint, rvrbovsk, steve, tommi.tervo, toracat, williams
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2013-10-22 15:31:08 UTC
Bug Depends On: 979788, 980141, 980142, 980144, 998389
Bug Blocks: 979907
Attachments:
  Proposed patch (flags: none)
  RHEL-fix-freeing-RCU-protected-IP-options (flags: none)

Description Prasad Pandit 2013-07-01 07:54:14 UTC
The Linux kernel was found to be vulnerable to a denial of service and/or possible
code execution flaw caused by an invalid free while sending a message with the
sendmsg(2) call with the IP_RETOPTS socket option set. This option is set to pass
unprocessed IP options along with timestamps to a user via an IP_OPTIONS control
message.

An unprivileged user/program could use this flaw to crash the system, resulting
in DoS, or possibly gain root privileges via arbitrary code execution.

Reference:
----------
  -> http://www.openwall.com/lists/oss-security/2013/06/30/1

This issue was introduced via a Red Hat Enterprise Linux-specific patch for CVE-2012-3552.

Comment 1 Prasad Pandit 2013-07-01 07:57:35 UTC
Statement:

This issue did not affect the version of the kernel package as shipped with Red Hat Enterprise MRG 2.

This issue affects the versions of Linux kernel as shipped with Red Hat Enterprise Linux 5 and Red Hat Enterprise Linux 6. Future kernel updates for Red Hat Enterprise Linux 5 and Red Hat Enterprise Linux 6 may address this issue.

Comment 2 Petr Matousek 2013-07-01 10:30:35 UTC
Created attachment 767318 [details]
Proposed patch

Looks to me like a RHEL-only bug introduced by the fixes for CVE-2012-3552 -- we are kfree()ing kzalloc_ip_options()-allocated opts.

I'm brewing a rhel-6 kernel with the attached patch to test that.

Jiri, could you please have a quick look at the issue?

Comment 3 Konstantin Khlebnikov 2013-07-01 11:58:18 UTC
Created attachment 767364 [details]
RHEL-fix-freeing-RCU-protected-IP-options

The bug was introduced in the backport of mainline commit:
f6d8bd051c391c1c0458a30b2a7abcd939329259 (inet: add RCU protection to inet->opt)

This patch calls the right freeing method from all ip_cmsg_send() callers.
struct ip_options is embedded in struct ip_options_rcu, so kfree should be
called with the right offset; otherwise it will poison the slab with misaligned objects.
These misaligned objects may intersect and corrupt each other.
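
The mechanism Konstantin describes, as an added C example (not the RHEL patch, not kernel code): a wrapper struct whose slab object starts at the RCU head, an allocator that hands out only the embedded struct ip_options, and the two free paths. The structure layouts are simplified, and the slab is a toy fixed-slot pool with a LIFO free list that performs no validation, so the effect of pushing an interior pointer onto it can be observed directly. `container_of`, `kzalloc_slot`, `kfree_slot`, `is_slot_base`, `freelist_sane_after_free` and `next_allocs_overlap_after_buggy_free` are names chosen here for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative shapes of the kernel structures (field layout simplified). */
struct rcu_head {
    struct rcu_head *next;
    void (*func)(struct rcu_head *);
};

struct ip_options {
    uint32_t faddr;
    unsigned char optlen;
    unsigned char srr;
    unsigned char rr;
    unsigned char ts;
    unsigned char __data[40];   /* fixed array here; the kernel uses a flexible one */
};

/* The wrapper introduced by the RCU conversion: the slab object starts at
 * rcu, so a pointer to opt is an interior pointer into the allocation. */
struct ip_options_rcu {
    struct rcu_head rcu;
    struct ip_options opt;
};

#define container_of(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))

/* Toy slab: equal-sized slots and a LIFO free list of slot addresses.
 * It models only the hazard discussed above; real SLUB differs in detail. */
#define SLOT_SIZE 128
#define NSLOTS    4
static unsigned char slab[NSLOTS * SLOT_SIZE];
static void *freelist[2 * NSLOTS];
static int nfree;

static void slab_init(void)
{
    nfree = 0;
    for (int i = NSLOTS - 1; i >= 0; i--)
        freelist[nfree++] = slab + i * SLOT_SIZE;
}

static void *kzalloc_slot(void)
{
    if (nfree == 0)
        return NULL;
    void *p = freelist[--nfree];
    memset(p, 0, SLOT_SIZE);
    return p;
}

/* Unchecked free: whatever pointer arrives goes back on the free list. */
static void kfree_slot(void *p)
{
    freelist[nfree++] = p;
}

/* The check a debug slab would perform: is p the base of a slot? */
static int is_slot_base(const void *p)
{
    ptrdiff_t off = (const unsigned char *)p - slab;
    return off >= 0 && off < (ptrdiff_t)sizeof slab && off % SLOT_SIZE == 0;
}

/* Allocates the wrapper but hands out only the embedded struct. */
static struct ip_options *kzalloc_ip_options(void)
{
    struct ip_options_rcu *rcu = kzalloc_slot();
    return rcu ? &rcu->opt : NULL;
}

/* Buggy path: free the pointer the caller holds, which sits
 * sizeof(struct rcu_head) bytes into the real object. */
static void kfree_ip_options_buggy(struct ip_options *opt)
{
    kfree_slot(opt);
}

/* Fixed path: recover the containing allocation before freeing. */
static void kfree_ip_options_fixed(struct ip_options *opt)
{
    kfree_slot(container_of(opt, struct ip_options_rcu, opt));
}

/* Allocate one object, free it via the chosen path, and report whether the
 * pointer now on top of the free list is a valid object base (1) or an
 * interior pointer that will poison later allocations (0). */
static int freelist_sane_after_free(int use_fixed_path)
{
    slab_init();
    struct ip_options *opt = kzalloc_ip_options();
    if (!opt)
        return -1;
    if (use_fixed_path)
        kfree_ip_options_fixed(opt);
    else
        kfree_ip_options_buggy(opt);
    return is_slot_base(freelist[nfree - 1]);
}

/* After the buggy free the next allocation is handed the interior pointer,
 * so it overlaps the slot after it: two live objects share bytes. */
static int next_allocs_overlap_after_buggy_free(void)
{
    slab_init();
    kfree_ip_options_buggy(kzalloc_ip_options());
    unsigned char *a = kzalloc_slot();   /* receives the interior pointer */
    unsigned char *b = kzalloc_slot();   /* receives the next proper slot */
    return a < b && a + SLOT_SIZE > b;
}

/* Distance between the interior pointer and the real object start. */
static size_t interior_offset(void)
{
    return offsetof(struct ip_options_rcu, opt);
}

int main(void)
{
    printf("offset of opt inside ip_options_rcu: %zu bytes\n", interior_offset());
    printf("buggy kfree leaves a valid free list: %d\n", freelist_sane_after_free(0));
    printf("fixed kfree leaves a valid free list: %d\n", freelist_sane_after_free(1));
    printf("next two allocations overlap after buggy free: %d\n",
           next_allocs_overlap_after_buggy_free());
    return 0;
}
```

The point of the toy allocator is that nothing stops an interior pointer from re-entering circulation: the free itself succeeds silently, and the damage only shows up when a later allocation is handed an object that straddles a slot boundary. On a real kernel the slab debugging options catch the bad free at the kfree() call instead, which is why the description above calls it an invalid free.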

Comment 4 Petr Matousek 2013-07-01 12:02:28 UTC
Hi Konstantin,

(In reply to Konstantin Khlebnikov from comment #3)
> Created attachment 767364 [details]
> RHEL-fix-freeing-RCU-protected-IP-options
> 
> Bug was introduced in backport of mainline commit:
> f6d8bd051c391c1c0458a30b2a7abcd939329259 (inet: add RCU protection to
> inet->opt)

thank you for your submission. I am currently building a kernel with the patch from comment #2 (the same as yours) and will report back with the testing results.

Thanks,
--
Petr Matousek / Red Hat Security Response Team

Comment 5 Jiri Pirko 2013-07-01 12:09:46 UTC
Patch from comment #2 looks good to me.

Comment 6 Petr Matousek 2013-07-01 14:08:00 UTC
(In reply to Petr Matousek from comment #4)
...
> thank you for your submission. I am currently building kernel with patch
> from comment #2 (the same as yours) and will report back with the testing

The proposed patch indeed fixes the issue in question.

Comment 9 Steven Ciaburri 2013-07-01 16:25:53 UTC
The patch appears to work well on our end too!

Comment 10 Johnny Hughes 2013-07-02 22:04:28 UTC
CentOS has produced the following kernel that addresses this issue as an interim (use at your own risk) kernel for EL6:

http://people.centos.org/hughesjr/c6kernel/2.6.32-358.11.1.el6.cve20132224/

It applies the patch in comment #3 above to the current CentOS kernel.

Comment 11 Johnny Hughes 2013-07-17 06:08:14 UTC
CentOS has produced another kernel that addresses this issue with the newer 2.6.32-358.14.1.el6 kernel:

http://people.centos.org/hughesjr/c6kernel/2.6.32-358.14.1.el6.cve20132224/

It also is just the standard kernel plus the one patch in comment #3.

Comment 13 errata-xmlrpc 2013-08-20 18:59:49 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2013:1166 https://rhn.redhat.com/errata/RHSA-2013-1166.html

Comment 14 errata-xmlrpc 2013-08-27 19:30:11 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2013:1173 https://rhn.redhat.com/errata/RHSA-2013-1173.html

Comment 15 errata-xmlrpc 2013-09-03 20:30:54 UTC
This issue has been addressed in the following products:

  OpenStack 3 for RHEL 6

Via RHSA-2013:1195 https://rhn.redhat.com/errata/RHSA-2013-1195.html

Comment 16 errata-xmlrpc 2013-10-22 17:03:17 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.3 EUS - Server and Compute Node Only

Via RHSA-2013:1450 https://rhn.redhat.com/errata/RHSA-2013-1450.html