netfilter's do_replace() can overflow on addition within SMP_ALIGN() and/or on multiplication by NR_CPUS, resulting in a buffer overflow on the copy_from_user(). In practice, the overflow on addition is triggerable on all systems, whereas the multiplication one might require much physical memory to be present due to the check above. Either is sufficient to overwrite arbitrary amounts of kernel memory.

Found by Solar Designer during security audit of OpenVZ.org.

On http://www.securityfocus.com/bid/17178/info this is marked as a remote buffer overflow. This is wrong. You need CAP_NET_ADMIN rights, and Solar Designer writes:

"The SecurityFocus vuldb entry is wrong. The vulnerability is not remotely exploitable. It is local only and the bug is only security relevant on systems which use certain virtualization solutions such as OpenVZ (with certain settings allowing VPS root to configure iptables) and presumably linux-vserver (although I did not check the latter). It is not security relevant on stock kernels or on most of the distribution vendors' kernels."

This bug has been fixed in the 2.6.16 mainline kernel (actually 2.6.16-rc3 to be more precise): http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=ee4bb818ae35f68d1f848eae0a7b150a38eb4168
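To make the two arithmetic wraps concrete, here is an added, self-contained C model of the allocation-size computation (constructed for this report, not the kernel's do_replace() code): the unchecked form shows how a user-supplied size can collapse to a tiny buffer that a copy of that many bytes would overrun, and the checked form applies an upper bound modelled on the one the 2.6.16 fix introduced. SMP_CACHE_BYTES, NR_CPUS and the header size are assumed constants chosen for illustration.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed stand-ins for kernel build constants (assumptions). */
#define SMP_CACHE_BYTES 64u
#define NR_CPUS         4u
#define TABLE_INFO_HDR  128u  /* stands in for sizeof(struct ipt_table_info) */
/* Cache-line rounding as used by the netfilter table code. */
#define SMP_ALIGN(x) (((x) + SMP_CACHE_BYTES - 1u) & ~(SMP_CACHE_BYTES - 1u))

/* Unchecked: 32-bit unsigned arithmetic wraps silently, both in the
 * "+ SMP_CACHE_BYTES - 1" inside SMP_ALIGN and in "* NR_CPUS". Returns
 * the number of bytes that would be allocated for the given size. */
unsigned int alloc_size_unchecked(unsigned int size)
{
    return TABLE_INFO_HDR + SMP_ALIGN(size) * NR_CPUS;
}

/* Invariant the later copy_from_user() relies on: the per-CPU entries
 * area must hold at least `size` bytes. False means a copy of `size`
 * bytes into the unchecked allocation would overrun it. */
bool entries_room_is_sufficient(unsigned int size)
{
    unsigned int room = alloc_size_unchecked(size) - TABLE_INFO_HDR;
    return room >= size;
}

/* Checked: reject any size for which alignment slack or the NR_CPUS
 * multiplication could exceed INT_MAX, before doing the arithmetic.
 * Bound modelled on the 2.6.16 fix (an assumption about its form). */
bool alloc_size_checked(unsigned int size, unsigned int *out)
{
    if (size >= (INT_MAX - TABLE_INFO_HDR) / NR_CPUS - SMP_CACHE_BYTES)
        return false;  /* caller maps this to -ENOMEM */
    *out = TABLE_INFO_HDR + SMP_ALIGN(size) * NR_CPUS;
    return true;
}

int main(void)
{
    unsigned int sizes[] = { 1000u, 0x40000000u, 0xFFFFFFF0u }, out;
    for (int i = 0; i < 3; i++) {
        printf("size=%#x unchecked alloc=%u sufficient=%d checked=%d\n",
               sizes[i], alloc_size_unchecked(sizes[i]),
               entries_room_is_sufficient(sizes[i]),
               alloc_size_checked(sizes[i], &out));
    }
    return 0;
}
```

For 0xFFFFFFF0 the addition inside SMP_ALIGN wraps to zero and for 0x40000000 the multiplication by NR_CPUS wraps to zero, so both leave only the 128-byte header allocated; the checked variant rejects both and accepts 1000.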
Committed in stream U4 build 34.14. A test kernel with this patch is available from http://people.redhat.com/~jbaron/rhel4/
This issue is on Red Hat Engineering's list of planned work items for the upcoming Red Hat Enterprise Linux 4.4 release. Engineering resources have been assigned and barring unforeseen circumstances, Red Hat intends to include this item in the 4.4 release.
Fix is in -42, setting to verified.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2006-0575.html