First Last Prev Next    This bug is not in your last search results.
Bug 191703 - CVE-2006-0039 netfilter do_add_counters race
CVE-2006-0039 netfilter do_add_counters race
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Linux 2.1
Classification: Red Hat
Component: kernel (Show other bugs)
2.1
ia64 Linux
medium Severity low
: ---
: ---
Assigned To: Don Howard
Brian Brock
impact=low,source=kernelsec,reported=...
: Security
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2006-05-15 07:26 EDT by Marcel Holtmann
Modified: 2007-11-30 17:06 EST (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2006-07-05 16:01:08 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

  None (edit)
Description Marcel Holtmann 2006-05-15 07:26:03 EDT 
Solar Designer found a race condition in do_add_counters(). The beginning of
paddc is supposed to be the same as tmp which was sanity-checked above, but it
might not be the same in reality. In case the integer overflow and/or the race
condition are triggered, paddc->num_counters might not match the allocation size
for paddc. If the check below (t->private->number != paddc->num_counters)
nevertheless passes (perhaps this requires the race condition to be triggered),
IPT_ENTRY_ITERATE() would read kernel memory beyond the allocation size,
potentially leaking sensitive data (e.g., passwords from host system or from
another VPS) via counter increments.
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.