191703 – CVE-2006-0039 netfilter do_add_counters race

Bug 191703 - CVE-2006-0039 netfilter do_add_counters race

Summary: CVE-2006-0039 netfilter do_add_counters race

Status:	CLOSED NOTABUG
Alias:	None
Product:	Red Hat Enterprise Linux 2.1
Classification:	Red Hat
Component:	kernel
Sub Component:
Version:	2.1
Hardware:	ia64
OS:	Linux
Priority:	medium
Severity:	low
Target Milestone:	---
Assignee:	Don Howard
QA Contact:	Brian Brock
Docs Contact:
URL:
Whiteboard:	impact=low,source=kernelsec,reported=...
Keywords:	Security
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2006-05-15 11:26 UTC by Marcel Holtmann
Modified:	2007-11-30 22:06 UTC (History)
CC List:	1 user (show)
Fixed In Version:
Doc Type:
Doc Text:	(edit)
Clone Of:
Environment:	(edit)
Last Closed:	2006-07-05 20:01:08 UTC

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description Marcel Holtmann 2006-05-15 11:26:03 UTC

Solar Designer found a race condition in do_add_counters(). The beginning of
paddc is supposed to be the same as tmp which was sanity-checked above, but it
might not be the same in reality. In case the integer overflow and/or the race
condition are triggered, paddc->num_counters might not match the allocation size
for paddc. If the check below (t->private->number != paddc->num_counters)
nevertheless passes (perhaps this requires the race condition to be triggered),
IPT_ENTRY_ITERATE() would read kernel memory beyond the allocation size,
potentially leaking sensitive data (e.g., passwords from host system or from
another VPS) via counter increments.

Note You need to log in before you can comment on or make changes to this bug.