Bug 189346
| Field | Value |
|---|---|
| Summary | CVE-2006-1525 ip_route_input() panic |
| Product | Red Hat Enterprise Linux 4 |
| Reporter | Marcel Holtmann <holtmann> |
| Component | kernel |
| Assignee | Thomas Graf <tgraf> |
| Status | CLOSED ERRATA |
| QA Contact | Brian Brock <bbrock> |
| Severity | high |
| Priority | medium |
| Version | 4.0 |
| CC | jbaron, rkhan, security-response-team |
| Target Milestone | --- |
| Keywords | Security |
| Target Release | --- |
| Hardware | All |
| OS | Linux |
| Whiteboard | impact=important,source=kernelbugzilla,reported=20060414,public=20060414 |
| Fixed In Version | RHSA-2006-0493 |
| Doc Type | Bug Fix |
| Last Closed | 2006-05-24 09:30:01 UTC |
| Attachments | 128192 (proposed patch) |
Created attachment 128192: proposed patch

Committed in stream U4 build 34.25.

A test kernel with this patch is available from http://people.redhat.com/~jbaron/rhel4/

An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2006-0493.html
The following command from a user (even non-root) shell:

```
user-shell$ ip ro get 224.0.0.1 iif eth0
```

leads to a kernel panic:

```
Unable to handle kernel NULL pointer dereference at virtual address 00000009
 printing eip:
c023c1c3
*pde = 00000000
Oops: 0000 [#1]
SMP
Modules linked in: autofs4 nfs lockd nfs_acl sunrpc dm_mod e100 mii e1000 ipv6 genrtc ext2 mbcache ide_disk generic piix ide_core evdev mousedev
CPU:    0
EIP:    0060:[<c023c1c3>]    Not tainted VLI
EFLAGS: 00010286   (2.6.16.4-1ol1 #1)
EIP is at ip_route_input+0xca/0x17e
eax: 00000000   ebx: c16a4600   ecx: 00000000   edx: de175180
esi: 010000e0   edi: 00000000   ebp: df4ba000   esp: dda01b64
ds: 007b   es: 007b   ss: 0068
Process ip (pid: 1531, threadinfo=dda00000 task=dff47560)
Stack: <0>00000000 de175180 de175180 ffffffed 00000000 c1581e00 c023d5dc de175180
       010000e0 00000000 00000000 df4ba000 dfe593d0 00000000 00000000 00000003
       010000e0 00000000 00000009 00000000 00000c14 c02e95cd df147800 c022b325
Call Trace:
 [<c023d5dc>] inet_rtm_getroute+0xf6/0x236
 [<c022b325>] rtnetlink_fill_ifinfo+0x3bc/0x50a
 [<c022b37c>] rtnetlink_fill_ifinfo+0x413/0x50a
 [<c022b4b3>] rtnetlink_dump_ifinfo+0x40/0x65
 [<c022ba74>] rtnetlink_rcv_msg+0x1c4/0x1e7
 [<c022b8b0>] rtnetlink_rcv_msg+0x0/0x1e7
 [<c02372f3>] netlink_rcv_skb+0x3a/0x8f
 [<c023738a>] netlink_run_queue+0x42/0xc4
 [<c022b8b0>] rtnetlink_rcv_msg+0x0/0x1e7
 [<c022b8b0>] rtnetlink_rcv_msg+0x0/0x1e7
 [<c022b85e>] rtnetlink_rcv+0x22/0x40
 [<c022b8b0>] rtnetlink_rcv_msg+0x0/0x1e7
 [<c0236d0a>] netlink_data_ready+0x17/0x54
 [<c0236145>] netlink_sendskb+0x1f/0x39
 [<c0236b0c>] netlink_sendmsg+0x281/0x292
 [<c021b241>] sock_sendmsg+0xe6/0x104
 [<c021b38e>] sock_recvmsg+0xf3/0x111
 [<c021b241>] sock_sendmsg+0xe6/0x104
 [<c0129df6>] autoremove_wake_function+0x0/0x3a
 [<c01b4b49>] copy_from_user+0x3a/0x5d
 [<c0220e81>] verify_iovec+0x49/0x7f
 [<c021c8a7>] sys_sendmsg+0x158/0x1ae
 [<c013a88b>] get_page_from_freelist+0x70/0x88
 [<c013a8e9>] __alloc_pages+0x46/0x263
 [<c01422a4>] do_anonymous_page+0xc5/0x148
 [<c0111b34>] do_page_fault+0x18a/0x4e0
 [<c01b4b49>] copy_from_user+0x3a/0x5d
 [<c021cc25>] sys_socketcall+0x167/0x180
 [<c01119aa>] do_page_fault+0x0/0x4e0
 [<c01026af>] sysenter_past_esp+0x54/0x75
Code: e0 34 c0 ff 40 38 8b 09 85 c9 75 a0 89 f0 25 f0 00 00 00 3d e0 00 00 00 75 66 8b 9d a8 00 00 00 85 db 74 55 8b 54 24 04 8b 42 20 <0f> b6 40 09 50 57 56 53 e8 bd 71 02 00 83 c4 10 89 c2 85 c0 75
<0>Kernel panic - not syncing: Fatal exception in interrupt
```

The backtrace is slightly different for different kernel versions/hardware types. The trace above is for 2.6.16.4.
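An added example for reading this oops, not part of the bug report and not the kernel's fix (the actual patch is attached to the bug but not shown on this page). The report says the fault hit virtual address 00000009 with EIP inside ip_route_input, eax = 0, and the faulting bytes `0f b6 40 09` decode to `movzbl 0x9(%eax),%eax`: a one-byte load at offset 9 through a NULL pointer. Offset 9 of an IPv4 header is the `protocol` field, so the crash is consistent with the routing path reading the IP protocol byte from an skb whose network-header pointer was never set for the synthetic "ip route get ... iif" query. The program below checks that offset in user space and models the two generic defences: the callee refusing to route an skb with no header, and the caller attaching a minimal valid header before calling into the input path. `struct iphdr_mirror` copies the public IPv4 header layout; `skb_model`, `route_input_protocol_guarded`, `build_query_skb` and `query_scenario` are hypothetical stand-ins, not kernel code.

```c
/* Added example, not from the bug report: map the oops fault address to an
 * IPv4 header field and model a callee-side and a caller-side defence.
 * struct iphdr_mirror copies the public IPv4 header layout (RFC 791) so that
 * offsetof() can be evaluated in user space; skb_model and the function names
 * are hypothetical stand-ins for the kernel's sk_buff and routing code. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IPPROTO_ICMP_VAL 1u          /* value of IPPROTO_ICMP, inlined to stay self-contained */
#define OOPS_FAULT_ADDR 0x00000009u  /* "virtual address 00000009" from the report */

struct iphdr_mirror {
    uint8_t  ihl_version;  /* ihl:4 | version:4 packed into one byte */
    uint8_t  tos;
    uint16_t tot_len;
    uint16_t id;
    uint16_t frag_off;
    uint8_t  ttl;
    uint8_t  protocol;     /* byte 9 of the header */
    uint16_t check;
    uint32_t saddr;
    uint32_t daddr;
};

/* Hypothetical model of the skb fields the input routing path reads for a
 * multicast destination: the network-header pointer and the addresses. */
struct skb_model {
    struct iphdr_mirror *nh_iph;  /* NULL until someone attaches a header */
    uint32_t saddr;
    uint32_t daddr;
};

/* Returns 1 if a load of `protocol` through a NULL header pointer would fault
 * at exactly the address the oops reported, i.e. the symptom matches a
 * missing header rather than a corrupt one. */
int fault_matches_protocol_field(unsigned long fault_addr)
{
    return fault_addr == offsetof(struct iphdr_mirror, protocol);
}

/* Callee-side defence: refuse to route when the caller supplied no header.
 * Returns 0 and stores the protocol, or -1 instead of dereferencing NULL. */
int route_input_protocol_guarded(const struct skb_model *skb, unsigned int *proto_out)
{
    if (skb == NULL || skb->nh_iph == NULL)
        return -1;
    *proto_out = skb->nh_iph->protocol;
    return 0;
}

/* Caller-side defence: a synthetic query (such as "ip route get ... iif")
 * builds a minimal, valid IPv4 header before handing the skb to the input path. */
void build_query_skb(struct skb_model *skb, struct iphdr_mirror *hdr,
                     uint32_t saddr, uint32_t daddr)
{
    memset(hdr, 0, sizeof *hdr);
    hdr->ihl_version = 0x45;        /* version 4, ihl 5 (20-byte header) */
    hdr->ttl = 64;
    hdr->protocol = IPPROTO_ICMP_VAL;
    hdr->saddr = saddr;
    hdr->daddr = daddr;
    skb->nh_iph = hdr;
    skb->saddr = saddr;
    skb->daddr = daddr;
}

/* Runs the query with or without a header attached.  Returns the protocol the
 * guarded routine saw, or -1 when the caller forgot to attach a header. */
int query_scenario(int attach_header)
{
    struct iphdr_mirror hdr;
    struct skb_model skb = { NULL, 0, 0 };
    unsigned int proto = 0;

    if (attach_header)
        build_query_skb(&skb, &hdr, 0, 0xe0000001u); /* 224.0.0.1 as in the report, host order */

    if (route_input_protocol_guarded(&skb, &proto) != 0)
        return -1;
    return (int)proto;
}

int main(void)
{
    printf("fault 0x%lx == offsetof(iphdr, protocol)? %s\n",
           (unsigned long)OOPS_FAULT_ADDR,
           fault_matches_protocol_field(OOPS_FAULT_ADDR) ? "yes" : "no");
    printf("query without header: %d (guard refused)\n", query_scenario(0));
    printf("query with header:    %d (IPPROTO_ICMP)\n", query_scenario(1));
    return 0;
}
```

The first check is the triage step: a fault address that is a small integer and equals the offset of a known field points at an uninitialised pointer, and the register dump (eax = 0) plus the decoded instruction confirm it without needing the source. The two defences are independent; a robust input path keeps the callee guard even after the caller is fixed, because other callers may construct skbs the same way.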