Bug 189346 - CVE-2006-1525 ip_route_input() panic
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: kernel
Hardware: All
OS: Linux
Priority: medium
Severity: high
Assigned To: Thomas Graf
QA Contact: Brian Brock
Keywords: Security
Reported: 2006-04-19 08:37 EDT by Marcel Holtmann
Modified: 2014-06-18 04:29 EDT

Fixed In Version: RHSA-2006-0493
Doc Type: Bug Fix
Last Closed: 2006-05-24 05:30:01 EDT

Attachments
proposed patch (1.11 KB, patch), 2006-04-25 07:02 EDT, Thomas Graf

Description Marcel Holtmann 2006-04-19 08:37:35 EDT
The following command from a user (even non-root) shell:

user-shell$ ip ro get iif eth0

leads to a kernel panic:
Unable to handle kernel NULL pointer dereference at virtual address 00000009
 printing eip:
*pde = 00000000
Oops: 0000 [#1]
Modules linked in: autofs4 nfs lockd nfs_acl sunrpc dm_mod e100 mii e1000 ipv6
genrtc ext2 mbcache ide_disk generic piix ide_core evdev mousedev
CPU:    0
EIP:    0060:[<c023c1c3>]    Not tainted VLI
EFLAGS: 00010286   ( #1)
EIP is at ip_route_input+0xca/0x17e
eax: 00000000   ebx: c16a4600   ecx: 00000000   edx: de175180
esi: 010000e0   edi: 00000000   ebp: df4ba000   esp: dda01b64
ds: 007b   es: 007b   ss: 0068
Process ip (pid: 1531, threadinfo=dda00000 task=dff47560)
Stack: <0>00000000 de175180 de175180 ffffffed 00000000 c1581e00 c023d5dc de175180
       010000e0 00000000 00000000 df4ba000 dfe593d0 00000000 00000000 00000003
       010000e0 00000000 00000009 00000000 00000c14 c02e95cd df147800 c022b325
Call Trace:
 [<c023d5dc>] inet_rtm_getroute+0xf6/0x236
 [<c022b325>] rtnetlink_fill_ifinfo+0x3bc/0x50a
 [<c022b37c>] rtnetlink_fill_ifinfo+0x413/0x50a
 [<c022b4b3>] rtnetlink_dump_ifinfo+0x40/0x65
 [<c022ba74>] rtnetlink_rcv_msg+0x1c4/0x1e7
 [<c022b8b0>] rtnetlink_rcv_msg+0x0/0x1e7
 [<c02372f3>] netlink_rcv_skb+0x3a/0x8f
 [<c023738a>] netlink_run_queue+0x42/0xc4
 [<c022b8b0>] rtnetlink_rcv_msg+0x0/0x1e7
 [<c022b8b0>] rtnetlink_rcv_msg+0x0/0x1e7
 [<c022b85e>] rtnetlink_rcv+0x22/0x40
 [<c022b8b0>] rtnetlink_rcv_msg+0x0/0x1e7
 [<c0236d0a>] netlink_data_ready+0x17/0x54
 [<c0236145>] netlink_sendskb+0x1f/0x39
 [<c0236b0c>] netlink_sendmsg+0x281/0x292
 [<c021b241>] sock_sendmsg+0xe6/0x104
 [<c021b38e>] sock_recvmsg+0xf3/0x111
 [<c021b241>] sock_sendmsg+0xe6/0x104
 [<c0129df6>] autoremove_wake_function+0x0/0x3a
 [<c01b4b49>] copy_from_user+0x3a/0x5d
 [<c0220e81>] verify_iovec+0x49/0x7f
 [<c021c8a7>] sys_sendmsg+0x158/0x1ae
 [<c013a88b>] get_page_from_freelist+0x70/0x88
 [<c013a8e9>] __alloc_pages+0x46/0x263
 [<c01422a4>] do_anonymous_page+0xc5/0x148
 [<c0111b34>] do_page_fault+0x18a/0x4e0
 [<c01b4b49>] copy_from_user+0x3a/0x5d
 [<c021cc25>] sys_socketcall+0x167/0x180
 [<c01119aa>] do_page_fault+0x0/0x4e0
 [<c01026af>] sysenter_past_esp+0x54/0x75
Code: e0 34 c0 ff 40 38 8b 09 85 c9 75 a0 89 f0 25 f0 00 00 00 3d e0 00 00 00 75
66 8b 9d a8 00 00 00 85 db 74 55 8b 54 24 04 8b 42 20 <0f> b6 40 09 50 57 56 53
e8 bd 71 02 00 83 c4 10 89 c2 85 c0 75
 <0>Kernel panic - not syncing: Fatal exception in interrupt

The backtrace is slightly different for different kernel versions/hardware types. The
trace above is for
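The oops is the whole evidence in this report, so here is an added triage example (not code from the reporter or from Red Hat): a small Python parser over an excerpt of the trace above that extracts the fault address, the faulting symbol, the registers, the call trace and the instruction bytes marked <..> in the Code: line, and then answers whether the crash is a NULL dereference reached from a system call. The excerpt is constructed from the trace lines above; PAGE_SIZE, parse_oops and triage are the example's own names.

```python
import re

# Constructed excerpt of the oops quoted in the bug report (i386, 2.6-era layout).
OOPS = """\
Unable to handle kernel NULL pointer dereference at virtual address 00000009
Oops: 0000 [#1]
EIP is at ip_route_input+0xca/0x17e
eax: 00000000   ebx: c16a4600   ecx: 00000000   edx: de175180
Call Trace:
 [<c023d5dc>] inet_rtm_getroute+0xf6/0x236
 [<c022ba74>] rtnetlink_rcv_msg+0x1c4/0x1e7
 [<c021c8a7>] sys_sendmsg+0x158/0x1ae
 [<c021cc25>] sys_socketcall+0x167/0x180
Code: 8b 54 24 04 8b 42 20 <0f> b6 40 09 50 57 56 53
"""

PAGE_SIZE = 4096  # a fault below the first page is a NULL base pointer plus a small offset

def parse_oops(text):
    """Parse fault address, EIP symbol, registers, call trace and marked Code: bytes."""
    info = {"fault_addr": None, "symbol": None, "offset": None,
            "regs": {}, "call_trace": [], "insn": []}
    if m := re.search(r"virtual address ([0-9a-f]+)", text):
        info["fault_addr"] = int(m.group(1), 16)
    if m := re.search(r"EIP is at (\w+)\+0x([0-9a-f]+)/0x[0-9a-f]+", text):
        info["symbol"], info["offset"] = m.group(1), int(m.group(2), 16)
    for reg, val in re.findall(r"\b(e[abcd]x|e[sd]i|e[bs]p): ([0-9a-f]{8})", text):
        info["regs"][reg] = int(val, 16)
    info["call_trace"] = re.findall(r"\[<[0-9a-f]+>\] (\w+)\+0x", text)
    if m := re.search(r"Code: ((?:<?[0-9a-f]{2}>?\s+)+)", text):
        toks = m.group(1).split()
        start = next(i for i, t in enumerate(toks) if t.startswith("<"))  # <xx> = faulting insn
        info["insn"] = [t.strip("<>") for t in toks[start:]]
    return info

def triage(text):
    """First questions for a crash like this one: NULL dereference? where? and is
    the path entered from a system call, i.e. reachable by an unprivileged process?"""
    info = parse_oops(text)
    addr = info["fault_addr"]
    return {
        "null_deref": addr is not None and addr < PAGE_SIZE,
        "where": "%s+0x%x" % (info["symbol"], info["offset"]),
        "syscall_entry": next((f for f in info["call_trace"] if f.startswith("sys_")), None),
        # 0f b6 40 09 decodes to movzbl 0x9(%eax),%eax: a one-byte load at offset 9
        # from %eax, which the register dump shows as 0, hence the fault at address 9
        "insn": " ".join(info["insn"][:4]),
        "base_reg_zero": info["regs"].get("eax") == 0,
    }
```

On i386 kernels of this era the call trace is a stack scan, so stale frames (the repeated rtnetlink_rcv_msg+0x0 entries in the full trace above) can appear; the first sys_ frame still identifies the entry point.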
Comment 1 Thomas Graf 2006-04-25 07:02:45 EDT
Created attachment 128192
proposed patch
Comment 2 Jason Baron 2006-05-09 14:10:16 EDT
Committed in stream U4 build 34.25. A test kernel with this patch is available
from http://people.redhat.com/~jbaron/rhel4/
Comment 6 Red Hat Bugzilla 2006-05-24 05:30:01 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.