Bug 216452 - (CVE-2006-5751) CVE-2006-5751 Linux kernel get_fdb_entries() integer overflow
CVE-2006-5751 Linux kernel get_fdb_entries() integer overflow
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: kernel (Show other bugs)
4.0
All Linux
medium Severity high
: ---
: ---
Assigned To: Thomas Graf
Brian Brock
impact=important,source=redhat,report...
: Security
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2006-11-20 11:24 EST by Marcel Holtmann
Modified: 2014-06-18 04:29 EDT (History)
4 users (show)

See Also:
Fixed In Version: RHSA-2007-0014
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-01-30 09:42:02 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Marcel Holtmann 2006-11-20 11:24:26 EST
From Eugene Teo:

A potential security vulnerability has been found in the Linux kernel in the
get_fdb_entries() function code. Successful exploitation may potentially allow
execution of arbitrary code with escalated privileges.

The vulnerable code resides in net/bridge/br_ioctl.c:

 56 static _nt get_fdb_entries(struct net_bridge *br, void __user *userbuf,
 57                            unsigned long maxnum, unsigned long offset)
 58 {
 59         int num;
 60         void *buf;
 61         size_t size = maxnum * sizeof(struct __fdb_entry);
 62
 63         if (size > PAGE_SIZE) {
 64                 size = PAGE_SIZE;
 65                 maxnum = PAGE_SIZE/sizeof(struct __fdb_entry);
 66         }
 67
 68         buf = kmalloc(size, GFP_USER);
 69         if (!buf)
 70                 return -ENOMEM;
 71
 72         num = br_fdb_fillbuf(br, buf, maxnum, offset);

By supplying a sufficiently large value to maxnum, we can control the amount of
memory to allocate to buf (i.e. 32 bytes).

net/bridge/br_fdb.c:

219 int br_fdb_fillbuf(struct net_bridge *br, void *buf,
220                    unsigned long maxnum, unsigned long skip)
221 {
222         struct __fdb_entry *fe = buf;
/* ... */
227         memset(buf, 0, maxnum*sizeof(struct __fdb_entry));
228
229         rcu_read_lock();
230         for (i = 0; i < BR_HASH_SIZE; i++) {
231                 hlist_for_each_entry_rcu(f, h, &br->hash[i], hlist) {
232                         if (num >= maxnum)
233                                 goto out;
234
235                         if (has_expired(br, f))
236                                 continue;
237
238                         if (skip) {
239                                 --skip;
240                                 continue;
241                         }
242
243                         /* convert from internal format to API */
244                         memcpy(fe->mac_addr, f->addr.addr, ETH_ALEN);
245                         fe->port_no = f->dst->port_no;
246                         fe->is_local = f->is_local;
247                         if (!f->is_static)
248                                 fe->ageing_timer_value =
jiffies_to_clock_t(jiffies - f->ageing_timer);
249                         ++fe;
250                         ++num;
251                 }
252         }

because fe = buf, and buf can be allocated with only 32 bytes, if one bridge has
more than two interfaces added, memcpy will be able to overwrite other slab
objects, which can be exploited to execute arbitrary code.
Comment 6 Jason Baron 2006-12-11 17:13:56 EST
committed in stream U5 build 42.30. A test kernel with this patch is available
from http://people.redhat.com/~jbaron/rhel4/
Comment 7 Jason Baron 2006-12-18 16:50:22 EST
committed in stream E5 build 42.0.4. A test kernel with this patch is available
from http://people.redhat.com/~jbaron/rhel4/
Comment 15 Mike Gahagan 2007-01-24 15:48:21 EST
fix for this is in 42.0.8.

Comment 17 Red Hat Bugzilla 2007-01-30 09:42:02 EST
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2007-0014.html

Note You need to log in before you can comment on or make changes to this bug.