Bug 191701 - CVE-2006-0039 netfilter do_add_counters race
Product: Red Hat Enterprise Linux 2.1
Classification: Red Hat
Component: kernel
i386 Linux
medium Severity low
Assigned To: Don Howard
Brian Brock
: Security
Reported: 2006-05-15 07:25 EDT by Marcel Holtmann
Modified: 2007-11-30 17:06 EST
Doc Type: Bug Fix
Last Closed: 2006-07-05 16:02:23 EDT
Description Marcel Holtmann 2006-05-15 07:25:31 EDT
Solar Designer found a race condition in do_add_counters(). The beginning of
paddc is supposed to be the same as tmp which was sanity-checked above, but it
might not be the same in reality. In case the integer overflow and/or the race
condition are triggered, paddc->num_counters might not match the allocation size
for paddc. If the check below (t->private->number != paddc->num_counters)
nevertheless passes (perhaps this requires the race condition to be triggered),
IPT_ENTRY_ITERATE() would read kernel memory beyond the allocation size,
potentially leaking sensitive data (e.g., passwords from host system or from
another VPS) via counter increments.
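
The pattern this report describes, modelled in user space as an added example (not code from the kernel or from this bug report): the header is fetched once for the sanity check and again with the full buffer, and the count used afterwards decides the outcome. The struct layouts, `fetch()`, `struct user_buf` and the `use_checked_copy` switch are assumptions made for the illustration.

```c
#include <stdlib.h>
#include <string.h>

/* Simplified stand-ins for the counters header and entries (not the kernel structs). */
struct hdr { unsigned int num_counters; };
struct counter { unsigned long long pcnt, bcnt; };

/* Constructed "user memory": after the first fetch, num_counters is
 * overwritten with value_after, modelling a thread racing the call. */
struct user_buf { unsigned char *mem; unsigned int value_after; int fetches; };

static void fetch(void *dst, struct user_buf *u, size_t n) /* copy_from_user stand-in */
{
    memcpy(dst, u->mem, n);
    if (u->fetches++ == 0)
        memcpy(u->mem, &u->value_after, sizeof u->value_after);
}

/* Returns the number of entries that would be read past the allocation
 * (0 = none), or -1 if the request is rejected. */
long add_counters(struct user_buf *u, size_t len, unsigned int table_number,
                  int use_checked_copy)
{
    struct hdr tmp, again;
    unsigned char *paddc;
    unsigned int n;

    if (len < sizeof tmp)
        return -1;
    fetch(&tmp, u, sizeof tmp);            /* first fetch: header only */
    /* Sanity check in division form, so num * size cannot overflow. */
    if ((len - sizeof tmp) % sizeof(struct counter) ||
        tmp.num_counters != (len - sizeof tmp) / sizeof(struct counter))
        return -1;
    if (!(paddc = malloc(len)))            /* sized from the checked value */
        return -1;
    fetch(paddc, u, len);                  /* second fetch re-reads the header */
    memcpy(&again, paddc, sizeof again);
    free(paddc);
    /* Hardened form uses only the value that was checked. */
    n = use_checked_copy ? tmp.num_counters : again.num_counters;
    if (table_number != n)
        return -1;
    return n > tmp.num_counters ? (long)(n - tmp.num_counters) : 0;
}
```

With a constructed buffer that claims 2 counters at the first fetch and 100 at the second, against a table of 100 entries, trusting the second copy returns 98 while using the checked copy returns -1.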
