Bug 177916 - CVE-2006-0035 kernel issues (CVE-2006-0036 CVE-2006-0037 CVE-2006-0095)
Summary: CVE-2006-0035 kernel issues (CVE-2006-0036 CVE-2006-0037 CVE-2006-0095)
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: kernel
Version: 5
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Dave Jones
QA Contact: Brian Brock
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2006-01-16 13:07 UTC by Mark J. Cox
Modified: 2015-01-04 22:24 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2006-01-19 06:08:45 UTC
Type: ---
Embargoed:



Description Mark J. Cox 2006-01-16 13:07:55 UTC
These issues still look present as of FC5test2.

CVE-2006-0095 dm-crypt key leak
        dm-crypt in Linux kernel 2.6.15 and earlier does not clear a
        structure before it is freed, which leads to a memory
        disclosure that could allow local users to obtain sensitive
        information about a cryptographic key.
        http://marc.theaimsgroup.com/?l=linux-kernel&m=113640535312572
        http://marc.theaimsgroup.com/?l=linux-kernel&m=113641114812886

CVE-2006-0037 Netfilter local crash
http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=03b9feca89366952ae5dfe4ad8107b1ece50b710

CVE-2006-0036 Netfilter remote crash
http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=15db34702cfafd24acc60295cf14861e497502ab

CVE-2006-0035 netlink DoS
http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=ad8e4b75c8a7bed475d72ce09bf5267188621961

Comment 1 Dave Jones 2006-01-17 06:44:05 UTC
If it's in Linus' tree, it's in rawhide.

marc.theaimsgroup seems to be down right now, so I can't check the first one.


Comment 2 Dave Jones 2006-01-19 06:08:45 UTC
Still can't get to that URL, but on Jan 6th this got merged:

Subject: [PATCH] dm-crypt: zero key before freeing it

which sounds like the same problem, so I'm closing this, as Linus tree has all
these, and rawhide is based on -git of the day right now.



Comment 3 Mark J. Cox 2006-01-19 08:39:14 UTC
Both the marc URLs work for me; this is the plaintext paste from that URL:

dm-crypt should clear struct crypt_config before freeing it to
avoid information leak f.e. to a swsusp image.

Signed-off-by: Stefan Rompf <stefan>
Acked-by: Clemens Fruhwirth <clemens>

--- linux-2.6.15/drivers/md/dm-crypt.c.orig	2006-01-04 01:01:16.000000000 +0100
+++ linux-2.6.15/drivers/md/dm-crypt.c	2006-01-04 22:35:13.000000000 +0100
@@ -690,6 +690,8 @@
 bad2:
 	crypto_free_tfm(tfm);
 bad1:
+	/* Zero key material before free to avoid information leak */
+	memset(cc, 0, sizeof(*cc) + cc->key_size * sizeof(u8));
 	kfree(cc);
 	return -EINVAL;
 }
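Review bot: the length argument of the new memset at bad1 reads cc->key_size out of the very buffer being cleared, so it is correct only because the argument is evaluated before the call writes anything, and only if every path that jumps to bad1 has already stored cc->key_size; a goto bad1 placed before that store would size the clear from uninitialized memory. Sizing the clear from the same local length that drove the allocation avoids that dependence. Minor: the `* sizeof(u8)` factor is 1 by definition and can be dropped.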
@@ -706,6 +708,9 @@
 		cc->iv_gen_ops->dtr(cc);
 	crypto_free_tfm(cc->tfm);
 	dm_put_device(ti, cc->dev);
+
+	/* Zero key material before free to avoid information leak */
+	memset(cc, 0, sizeof(*cc) + cc->key_size * sizeof(u8));
 	kfree(cc);
 }
 
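Review bot: the expression `memset(cc, 0, sizeof(*cc) + cc->key_size * sizeof(u8));` is now duplicated verbatim between the constructor error path and the destructor shown here; factor it into one small static helper so the two cannot drift if the layout of struct crypt_config changes. The placement is right, since cc->iv_gen_ops->dtr(cc) and dm_put_device(ti, cc->dev) still need the contents of cc before it is cleared. The comment should also say what the clear relies on: a plain memset whose buffer is released on the very next line is a dead store to any optimizer that understands the free, so this is only safe as long as the compiler treats kfree as opaque.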
This matches your comment #2 and therefore it is fixed upstream.
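The change pasted above zeroes a context whose key lives in a variable-length tail after the fixed struct. The following is an added user-space C example, not code from the bug report or from the kernel tree: it reproduces the zero-before-free pattern on a hypothetical crypt_config stand-in (the struct, the function names and the constructed key bytes are all assumptions), computes the length before the clear overwrites key_size, routes the clear through a volatile function pointer so an optimizer cannot discard it as a dead store, and checks that the whole allocation was covered.

```c
/* Added example (not from the bug report or the kernel): the zero-before-free
 * pattern of the dm-crypt fix, in user-space C.  The struct, names and key
 * bytes are hypothetical; only the layout (fixed header followed by key_size
 * bytes of key) follows the "sizeof(*cc) + cc->key_size" shape in the patch. */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for struct crypt_config: the key is stored inline as a
 * flexible array member, so the allocation is larger than sizeof(*cc). */
struct crypt_config {
    void *tfm;          /* placeholder for the cipher handle */
    unsigned key_size;  /* number of key bytes that follow */
    uint8_t key[];      /* key material, key_size bytes */
};

/* memset reached through a volatile function pointer: the compiler cannot see
 * what is being called, so it cannot drop the store as dead merely because the
 * buffer is freed immediately afterwards. */
static void *(*const volatile memset_ptr)(void *, int, size_t) = memset;

static void secure_memzero(void *p, size_t n)
{
    memset_ptr(p, 0, n);
}

/* Allocate the context and copy the key in; the allocation size is the one the
 * patch later zeroes: header plus key_size bytes. */
struct crypt_config *crypt_config_new(const uint8_t *key, unsigned key_size)
{
    struct crypt_config *cc = malloc(sizeof(*cc) + key_size);
    if (cc == NULL)
        return NULL;
    cc->tfm = NULL;
    cc->key_size = key_size;
    memcpy(cc->key, key, key_size);
    return cc;
}

/* Zero header and key.  The length is computed before the clear because
 * key_size lives inside the buffer being wiped.  Returns the number of bytes
 * zeroed so a caller (or a test) can verify the whole allocation was covered. */
size_t crypt_config_wipe(struct crypt_config *cc)
{
    size_t len = sizeof(*cc) + cc->key_size;
    secure_memzero(cc, len);
    return len;
}

/* Wipe, then free: the two-line change from the patch as one helper. */
void crypt_config_free(struct crypt_config *cc)
{
    if (cc == NULL)
        return;
    crypt_config_wipe(cc);
    free(cc);
}

/* 1 if every byte of p[0..n) is zero, else 0. */
int buffer_is_zero(const void *p, size_t n)
{
    const uint8_t *b = p;
    for (size_t i = 0; i < n; i++)
        if (b[i] != 0)
            return 0;
    return 1;
}

/* Round trip on a constructed 32-byte key: returns 1 if the key was stored and
 * then completely wiped (header included), 0 otherwise. */
int demo_wipe_round_trip(void)
{
    uint8_t key[32];
    for (unsigned i = 0; i < sizeof key; i++)
        key[i] = (uint8_t)(0xA5 ^ i);   /* constructed, not a real key */

    struct crypt_config *cc = crypt_config_new(key, sizeof key);
    if (cc == NULL)
        return 0;
    int stored = cc->key_size == sizeof key &&
                 memcmp(cc->key, key, sizeof key) == 0;

    size_t wiped = crypt_config_wipe(cc);
    int clean = wiped == sizeof(*cc) + sizeof key && buffer_is_zero(cc, wiped);
    free(cc);                    /* already wiped; crypt_config_free() does both */
    secure_memzero(key, sizeof key);
    return stored && clean;
}

int main(void)
{
    return demo_wipe_round_trip() ? 0 : 1;
}
```

Build with any C99 compiler (for example `cc -std=c99 -Wall`); the program exits 0 when the round trip succeeds. The check only shows that the buffer is zero at the moment it is released; it says nothing about other copies of the key (the cipher's expanded key schedule, or a suspend image written while the device was still mapped), which is the limit of what the zero-before-free change in the patch can achieve.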

Comment 4 Mark J. Cox 2006-02-20 12:41:18 UTC
All confirmed fixed in test3.

