Bug 189346 - CVE-2006-1525 ip_route_input() panic
CVE-2006-1525 ip_route_input() panic
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: kernel (Show other bugs)
4.0
All Linux
medium Severity high
: ---
: ---
Assigned To: Thomas Graf
Brian Brock
impact=important,source=kernelbugzill...
: Security
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2006-04-19 08:37 EDT by Marcel Holtmann
Modified: 2014-06-18 04:29 EDT (History)
3 users (show)

See Also:
Fixed In Version: RHSA-2006-0493
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2006-05-24 05:30:01 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
proposed patch (1.11 KB, patch)
2006-04-25 07:02 EDT, Thomas Graf
no flags Details | Diff

  None (edit)
Description Marcel Holtmann 2006-04-19 08:37:35 EDT
The following command from user (even non-root) shell:

user-shell$ ip ro get 224.0.0.1 iif eth0

leads to kernel panic:
Unable to handle kernel NULL pointer dereference at virtual address 00000009
 printing eip:
c023c1c3
*pde = 00000000
Oops: 0000 [#1]
SMP
Modules linked in: autofs4 nfs lockd nfs_acl sunrpc dm_mod e100 mii e1000 ipv6
genrtc ext2 mbcache ide_disk generic piix ide_core evdev mousedev
CPU:    0
EIP:    0060:[<c023c1c3>]    Not tainted VLI
EFLAGS: 00010286   (2.6.16.4-1ol1 #1)
EIP is at ip_route_input+0xca/0x17e
eax: 00000000   ebx: c16a4600   ecx: 00000000   edx: de175180
esi: 010000e0   edi: 00000000   ebp: df4ba000   esp: dda01b64
ds: 007b   es: 007b   ss: 0068
Process ip (pid: 1531, threadinfo=dda00000 task=dff47560)
Stack: <0>00000000 de175180 de175180 ffffffed 00000000 c1581e00 c023d5dc de175180
       010000e0 00000000 00000000 df4ba000 dfe593d0 00000000 00000000 00000003
       010000e0 00000000 00000009 00000000 00000c14 c02e95cd df147800 c022b325
Call Trace:
 [<c023d5dc>] inet_rtm_getroute+0xf6/0x236
 [<c022b325>] rtnetlink_fill_ifinfo+0x3bc/0x50a
 [<c022b37c>] rtnetlink_fill_ifinfo+0x413/0x50a
 [<c022b4b3>] rtnetlink_dump_ifinfo+0x40/0x65
 [<c022ba74>] rtnetlink_rcv_msg+0x1c4/0x1e7
 [<c022b8b0>] rtnetlink_rcv_msg+0x0/0x1e7
 [<c02372f3>] netlink_rcv_skb+0x3a/0x8f
 [<c023738a>] netlink_run_queue+0x42/0xc4
 [<c022b8b0>] rtnetlink_rcv_msg+0x0/0x1e7
 [<c022b8b0>] rtnetlink_rcv_msg+0x0/0x1e7
 [<c022b85e>] rtnetlink_rcv+0x22/0x40
 [<c022b8b0>] rtnetlink_rcv_msg+0x0/0x1e7
 [<c0236d0a>] netlink_data_ready+0x17/0x54
 [<c0236145>] netlink_sendskb+0x1f/0x39
 [<c0236b0c>] netlink_sendmsg+0x281/0x292
 [<c021b241>] sock_sendmsg+0xe6/0x104
 [<c021b38e>] sock_recvmsg+0xf3/0x111
 [<c021b241>] sock_sendmsg+0xe6/0x104
 [<c0129df6>] autoremove_wake_function+0x0/0x3a
 [<c01b4b49>] copy_from_user+0x3a/0x5d
 [<c0220e81>] verify_iovec+0x49/0x7f
 [<c021c8a7>] sys_sendmsg+0x158/0x1ae
 [<c013a88b>] get_page_from_freelist+0x70/0x88
 [<c013a8e9>] __alloc_pages+0x46/0x263
 [<c01422a4>] do_anonymous_page+0xc5/0x148
 [<c0111b34>] do_page_fault+0x18a/0x4e0
 [<c01b4b49>] copy_from_user+0x3a/0x5d
 [<c021cc25>] sys_socketcall+0x167/0x180
 [<c01119aa>] do_page_fault+0x0/0x4e0
 [<c01026af>] sysenter_past_esp+0x54/0x75
Code: e0 34 c0 ff 40 38 8b 09 85 c9 75 a0 89 f0 25 f0 00 00 00 3d e0 00 00 00 75
66 8b 9d a8 00 00 00 85 db 74 55 8b 54 24 04 8b 42 20 <0f> b6 40 09 50 57 56 53
e8 bd 71 02 00 83 c4 10 89 c2 85 c0 75
 <0>Kernel panic - not syncing: Fatal exception in interrupt

backtrace is slightly different for different kernel versions/hardware type. The
trace above is for 2.6.16.4
Comment 1 Thomas Graf 2006-04-25 07:02:45 EDT
Created attachment 128192 [details]
proposed patch
Comment 2 Jason Baron 2006-05-09 14:10:16 EDT
committed in stream U4 build 34.25. A test kernel with this patch is available
from http://people.redhat.com/~jbaron/rhel4/
Comment 6 Red Hat Bugzilla 2006-05-24 05:30:01 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2006-0493.html

Note You need to log in before you can comment on or make changes to this bug.