Red Hat Bugzilla – Bug 186295
CVE-2006-0038 netfilters do_replace() overflow
Last modified: 2014-06-18 04:28:54 EDT
netfilter's do_replace() can overflow on addition within SMP_ALIGN() and/or on
multiplication by NR_CPUS, resulting in a buffer overflow on the
copy_from_user(). In practice, the overflow on addition is triggerable on all
systems, whereas the multiplication one might require much physical memory to be
present due to the check above. Either is sufficient to overwrite arbitrary
amounts of kernel memory.
Found by Solar Designer during a security audit of OpenVZ.org
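As an added illustration (not code from the bug report or from the kernel), the C below reproduces the two wraparounds the description names, the addition inside SMP_ALIGN() and the multiplication by NR_CPUS, using constructed values for SMP_CACHE_BYTES and NR_CPUS, and sets a bounds-checked version beside it that rejects such sizes before anything would be allocated or copied.

```c
#include <limits.h>
#include <stdio.h>

/* Constructed stand-ins for the kernel build constants (not taken from the page). */
#define SMP_CACHE_BYTES 128u
#define NR_CPUS 32u
/* Same shape as the kernel's SMP_ALIGN(): round up to a cache-line multiple. */
#define SMP_ALIGN(x) (((x) + SMP_CACHE_BYTES - 1) & ~(SMP_CACHE_BYTES - 1))

/* Unchecked per-CPU table size, mirroring the arithmetic the report describes:
 * the addition inside SMP_ALIGN() and the multiplication by NR_CPUS are both
 * done in 32-bit unsigned arithmetic, so a large user-supplied size wraps to a
 * small total. The caller would then allocate that small buffer and
 * copy_from_user() the original (large) amount into it. */
unsigned int naive_table_size(unsigned int user_size)
{
    return SMP_ALIGN(user_size) * NR_CPUS;
}

/* Hardened version: returns the total as a 64-bit value, or -1 when either
 * step would wrap (a kernel implementation would return -ENOMEM instead).
 * Both checks run before any allocation or copy could use the result. */
long long checked_table_size(unsigned int user_size)
{
    /* SMP_ALIGN() adds SMP_CACHE_BYTES-1; reject if that addition would wrap. */
    if (user_size > UINT_MAX - (SMP_CACHE_BYTES - 1))
        return -1;
    unsigned int aligned = SMP_ALIGN(user_size);
    /* Multiplying by NR_CPUS wraps if aligned exceeds UINT_MAX / NR_CPUS. */
    if (aligned > UINT_MAX / NR_CPUS)
        return -1;
    return (long long)aligned * NR_CPUS;
}

int main(void)
{
    /* Constructed sample inputs: a sane size, one that wraps to 4096, and UINT_MAX. */
    unsigned int sizes[] = { 4096u, 0x10000001u, UINT_MAX };
    for (unsigned int i = 0; i < sizeof sizes / sizeof sizes[0]; i++) {
        printf("size=0x%08x naive=%u checked=%lld\n",
               sizes[i], naive_table_size(sizes[i]), checked_table_size(sizes[i]));
    }
    return 0;
}
```

With the constructed constants, a request of 0x10000001 bytes wraps to a 4096-byte total in the unchecked version, while the checked version refuses it.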
On http://www.securityfocus.com/bid/17178/info this is marked as a remote buffer
overflow. This is wrong. You need CAP_NET_ADMIN rights and Solar Designer writes:
The SecurityFocus vuldb entry is wrong. The vulnerability is not remotely
exploitable. It is local only and the bug is only security relevant on systems
which use certain virtualization solutions such as OpenVZ (with certain settings
allowing VPS root to configure iptables) and presumably linux-vserver (although
I did not check the latter).
It is not security relevant on stock kernels or on most of the distribution
This bug has been fixed in the 2.6.16 mainline kernel (actually 2.6.16-rc3 to be
committed in stream U4 build 34.14. A test kernel with this patch is available
This issue is on Red Hat Engineering's list of planned work items
for the upcoming Red Hat Enterprise Linux 4.4 release. Engineering
resources have been assigned and barring unforeseen circumstances, Red
Hat intends to include this item in the 4.4 release.
Fix is in -42, setting to verified.
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.