This service will be undergoing maintenance at 00:00 UTC, 2017-10-23 It is expected to last about 30 minutes
Bug 216464 - CVE-2006-5751 Linux kernel get_fdb_entries() integer overflow
CVE-2006-5751 Linux kernel get_fdb_entries() integer overflow
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: kernel (Show other bugs)
5.0
All Linux
medium Severity high
: ---
: ---
Assigned To: Thomas Graf
Brian Brock
impact=important,source=redhat,report...
: Security
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2006-11-20 12:13 EST by Marcel Holtmann
Modified: 2014-06-18 04:29 EDT (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2006-12-20 07:23:43 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Marcel Holtmann 2006-11-20 12:13:09 EST
From Eugene Teo:

A potential security vulnerability has been found in the Linux kernel in the
get_fdb_entries() function code. Successful exploitation may potentially allow
execution of arbitrary code with escalated privileges.

The vulnerable code resides in net/bridge/br_ioctl.c:

 56 static _nt get_fdb_entries(struct net_bridge *br, void __user *userbuf,
 57                            unsigned long maxnum, unsigned long offset)
 58 {
 59         int num;
 60         void *buf;
 61         size_t size = maxnum * sizeof(struct __fdb_entry);
 62
 63         if (size > PAGE_SIZE) {
 64                 size = PAGE_SIZE;
 65                 maxnum = PAGE_SIZE/sizeof(struct __fdb_entry);
 66         }
 67
 68         buf = kmalloc(size, GFP_USER);
 69         if (!buf)
 70                 return -ENOMEM;
 71
 72         num = br_fdb_fillbuf(br, buf, maxnum, offset);

By supplying a sufficiently large value to maxnum, we can control the amount of
memory to allocate to buf (i.e. 32 bytes).

net/bridge/br_fdb.c:

219 int br_fdb_fillbuf(struct net_bridge *br, void *buf,
220                    unsigned long maxnum, unsigned long skip)
221 {
222         struct __fdb_entry *fe = buf;
/* ... */
227         memset(buf, 0, maxnum*sizeof(struct __fdb_entry));
228
229         rcu_read_lock();
230         for (i = 0; i < BR_HASH_SIZE; i++) {
231                 hlist_for_each_entry_rcu(f, h, &br->hash[i], hlist) {
232                         if (num >= maxnum)
233                                 goto out;
234
235                         if (has_expired(br, f))
236                                 continue;
237
238                         if (skip) {
239                                 --skip;
240                                 continue;
241                         }
242
243                         /* convert from internal format to API */
244                         memcpy(fe->mac_addr, f->addr.addr, ETH_ALEN);
245                         fe->port_no = f->dst->port_no;
246                         fe->is_local = f->is_local;
247                         if (!f->is_static)
248                                 fe->ageing_timer_value =
jiffies_to_clock_t(jiffies - f->ageing_timer);
249                         ++fe;
250                         ++num;
251                 }
252         }

because fe = buf, and buf can be allocated with only 32 bytes, if one bridge has
more than two interfaces added, memcpy will be able to overwrite other slab
objects, which can be exploited to execute arbitrary code.
Comment 2 Jay Turner 2006-11-21 13:51:08 EST
QE ack for RHEL5.
Comment 4 Thomas Graf 2006-12-20 07:23:43 EST
Already fixed in RHEL5.

Note You need to log in before you can comment on or make changes to this bug.