Bug 191703 - CVE-2006-0039 netfilter do_add_counters race
Summary: CVE-2006-0039 netfilter do_add_counters race
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 2.1
Classification: Red Hat
Component: kernel
Version: 2.1
Hardware: ia64
OS: Linux
medium
low
Target Milestone: ---
Assignee: Don Howard
QA Contact: Brian Brock
URL:
Whiteboard: impact=low,source=kernelsec,reported=...
Keywords: Security
Depends On:
Blocks:
Reported: 2006-05-15 11:26 UTC by Marcel Holtmann
Modified: 2007-11-30 22:06 UTC
Last Closed: 2006-07-05 20:01:08 UTC


Description Marcel Holtmann 2006-05-15 11:26:03 UTC
Solar Designer found a race condition in do_add_counters(). The beginning of
paddc is supposed to be the same as tmp which was sanity-checked above, but it
might not be the same in reality. In case the integer overflow and/or the race
condition are triggered, paddc->num_counters might not match the allocation size
for paddc. If the check below (t->private->number != paddc->num_counters)
nevertheless passes (perhaps this requires the race condition to be triggered),
IPT_ENTRY_ITERATE() would read kernel memory beyond the allocation size,
potentially leaking sensitive data (e.g., passwords from host system or from
another VPS) via counter increments.
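
The double fetch described in the report, reduced to a user-space C model. This is an added example, not the kernel's code and not part of the report: the struct layouts, `fake_copy_from_user` and `add_counters` are hypothetical, and the "user memory" is constructed. It compares trusting the re-fetched header with trusting only the validated first copy.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for the structures named in the report. */
struct counter { unsigned long long pcnt, bcnt; };
struct counters_info { unsigned int num_counters; /* counters follow */ };

/* Constructed "user memory": one header plus room for two counters. */
static unsigned char user_buf[sizeof(struct counters_info) + 2 * sizeof(struct counter)];
static unsigned int racing_value;  /* header value a concurrent writer stores */
static int fetches;

/* Simulated copy_from_user(); the header changes just before fetch 2. */
static void fake_copy_from_user(void *dst, size_t len)
{
    if (++fetches == 2)
        memcpy(user_buf, &racing_value, sizeof racing_value);
    memcpy(dst, user_buf, len);
}

/* Returns -1 if rejected, else how many counters past the allocation the
 * iteration would trust (0 means in bounds). Nothing is read out of bounds. */
long add_counters(int hardened, unsigned int table_entries, size_t len,
                  unsigned int first, unsigned int second)
{
    struct counters_info tmp, *paddc;
    size_t body, capacity;
    unsigned int trusted;

    fetches = 0; racing_value = second;
    memcpy(user_buf, &first, sizeof first);
    fake_copy_from_user(&tmp, sizeof tmp);            /* fetch 1: header only */
    if (len < sizeof tmp || len > sizeof user_buf)
        return -1;
    body = len - sizeof tmp;                          /* divide, never multiply */
    capacity = body / sizeof(struct counter);
    if (body % sizeof(struct counter) || capacity != tmp.num_counters)
        return -1;
    if (!(paddc = malloc(len)))
        return -1;
    fake_copy_from_user(paddc, len);                  /* fetch 2: header + body */
    /* Vulnerable: trust the re-fetched header. Hardened: trust only tmp. */
    trusted = hardened ? tmp.num_counters : paddc->num_counters;
    free(paddc);
    return table_entries != trusted ? -1
         : trusted > capacity ? (long)(trusted - capacity) : 0;
}

int main(void) { printf("%ld %ld\n", add_counters(0, 1000, sizeof user_buf, 2, 1000),
                        add_counters(1, 1000, sizeof user_buf, 2, 1000)); return 0; }
```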
