Bug 191703 - CVE-2006-0039 netfilter do_add_counters race
Summary: CVE-2006-0039 netfilter do_add_counters race
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 2.1
Classification: Red Hat
Component: kernel
Version: 2.1
Hardware: ia64
OS: Linux
medium
low
Target Milestone: ---
Assignee: Don Howard
QA Contact: Brian Brock
URL:
Whiteboard: impact=low,source=kernelsec,reported=...
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2006-05-15 11:26 UTC by Marcel Holtmann
Modified: 2007-11-30 22:06 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2006-07-05 20:01:08 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)

Description Marcel Holtmann 2006-05-15 11:26:03 UTC
Solar Designer found a race condition in do_add_counters(). The beginning of
paddc is supposed to be the same as tmp which was sanity-checked above, but it
might not be the same in reality. In case the integer overflow and/or the race
condition are triggered, paddc->num_counters might not match the allocation size
for paddc. If the check below (t->private->number != paddc->num_counters)
nevertheless passes (perhaps this requires the race condition to be triggered),
IPT_ENTRY_ITERATE() would read kernel memory beyond the allocation size,
potentially leaking sensitive data (e.g., passwords from host system or from
another VPS) via counter increments.


Note You need to log in before you can comment on or make changes to this bug.