Bug 212144 - CVE-2006-6535 unbalanced local_bh_enable() in dev_queue_xmit()
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: kernel
Version: 4.4
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assignee: Neil Horman
QA Contact: Brian Brock
Whiteboard: impact=moderate,source=bugzilla,repor...
Keywords: Security
Reported: 2006-10-25 10:53 UTC by Vasily Averin
Modified: 2008-01-09 17:29 UTC
Last Closed: 2007-01-30 14:28:55 UTC


Attachments
this patch fixes unbalanced local_bh_enable() in dev_queue_xmit() (673 bytes, patch)
2006-10-25 10:54 UTC, Vasily Averin


External Trackers
Tracker: Red Hat Product Errata
ID: RHSA-2007:0014
Priority: normal
Status: SHIPPED_LIVE
Summary: Important: kernel security update
Last Updated: 2007-01-30 14:25:00 UTC

Description Vasily Averin 2006-10-25 10:53:59 UTC
Konstantin Khorenko from the OpenVZ/Virtuozzo Linux kernel team has noticed the
following issue on RHEL4 (2.6.9-42.0.3 and 2.6.9-42.19) kernels.

dev_queue_xmit() has a wrong error path: this function can fail before the
local_bh_disable() call. In this case it jumps to the out_kfree_skb label, where it
calls local_bh_enable(). As a result, it can lead to data corruption and
node lockups.

This issue was fixed in linux mainstream by the following patches:
http://linux.bkbits.net:8080/linux-2.6/gnupatch@4186e5bfgUOMBbA6xFaY0_z84kaURw
http://linux.bkbits.net:8080/linux-2.6/gnupatch@418941b8x3BdnonauMI-deDf7S3plw

We are not sure that it can be user-exploitable, however from our point of view
it can happen on some hardware and software setups.
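
A user-space model of the error path described in the report above, added here as an illustration; it is not the attached patch and not kernel code. `bh_count` is a constructed stand-in for the softirq-disable depth, the two `local_bh_*` functions are simple counters, and `xmit_unbalanced`, `xmit_balanced` and `drift_after` are hypothetical names.

```c
#include <stdio.h>

static int bh_count;                 /* constructed model: 0 = bottom halves enabled */
static void local_bh_disable(void) { bh_count++; }
static void local_bh_enable(void)  { bh_count--; }

/* Shape of the bug as reported: an early failure jumps to out_kfree_skb,
 * which falls through to local_bh_enable() although disable never ran. */
static int xmit_unbalanced(int early_failure)
{
    int rc = -1;
    if (early_failure)
        goto out_kfree_skb;          /* fails before local_bh_disable() */
    local_bh_disable();
    rc = 0;                          /* packet handed to the queue */
    goto out;
out_kfree_skb:                       /* the skb would be freed here */
out:
    local_bh_enable();
    return rc;
}

/* One balanced layout (an assumption, not the vendor patch): the early
 * failure path frees the skb and returns without touching the counter. */
static int xmit_balanced(int early_failure)
{
    int rc = -1;
    if (early_failure)
        goto out_kfree_skb;
    local_bh_disable();
    rc = 0;
    local_bh_enable();
    return rc;
out_kfree_skb:                       /* the skb would be freed here */
    return rc;
}

/* Counter drift after one call; anything other than 0 is an imbalance. */
static int drift_after(int (*xmit)(int), int early_failure)
{
    bh_count = 0;
    xmit(early_failure);
    return bh_count;
}

int main(void)
{
    printf("unbalanced, early failure: drift %d\n", drift_after(xmit_unbalanced, 1));
    printf("balanced,   early failure: drift %d\n", drift_after(xmit_balanced, 1));
    return 0;
}
```

A negative drift in the model corresponds to bottom halves being re-enabled inside a region whose caller still expects them off, which is the condition the report ties to data corruption and lockups.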

Comment 1 Vasily Averin 2006-10-25 10:54:00 UTC
Created attachment 139333 [details]
this patch fixes unbalanced local_bh_enable() in dev_queue_xmit()

Comment 2 Neil Horman 2006-11-07 21:07:29 UTC
looks reasonable.  I'll review it further in the AM.  thanks!

Comment 3 Jason Baron 2006-11-21 21:22:19 UTC
committed in stream U5 build 42.26. A test kernel with this patch is available
from http://people.redhat.com/~jbaron/rhel4/


Comment 4 Jason Baron 2006-12-18 21:43:58 UTC
committed in stream E5 build 42.0.4

Comment 6 Mike Gahagan 2007-01-17 20:48:02 UTC
I can confirm that the fix is in the 42.0.6 kernel.

Comment 8 Red Hat Bugzilla 2007-01-30 14:28:55 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2007-0014.html


