Bug 489300 - fix dst cache leak
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: kernel
Version: 4.8
Hardware: All Linux
Priority: medium, Severity: medium
Target Milestone: rc
Assigned To: Neil Horman
QA Contact: Red Hat Kernel QE team
Reported: 2009-03-09 08:09 EDT by Eugene Teo (Security Response)
Modified: 2009-05-18 15:33 EDT (History)
Doc Type: Bug Fix
Last Closed: 2009-05-18 15:33:15 EDT
External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2009:1024 normal SHIPPED_LIVE Important: Red Hat Enterprise Linux 4.8 kernel security and bug fix update 2009-05-18 10:57:26 EDT

Description Eugene Teo (Security Response) 2009-03-09 08:09:27 EDT
From Neil Horman:
"I... see one small error that could lead to a dst cache leak. It's not a security bug, IMO, since it requires that there be enough ip header options in the input skb to overflow the output skb (which shouldn't be possible, but if for some reason it happens it can leak a dst refcnt)."

Reference:
https://bugzilla.redhat.com/show_bug.cgi?id=485163#c46 (private)
Comment 1 RHEL Product and Program Management 2009-03-09 10:07:44 EDT
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.
Comment 2 Neil Horman 2009-03-09 10:37:49 EDT
Thomas, would you mind checking my thinking on this? In handling a rhel5 dst leak, I was looking at the rhel4 icmp_send code and noted that you made a change, which I acked, in commit 31bfb0aaf4653624ea6f83b4b178db69796bbc8a. The intent was to fix an extra dst_release that we shouldn't have done. But looking at the code I think we had it right the first time. We call ip_route_output_key prior to calling ip_options_copy. If the copy fails, we need to release that dst_entry.
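The error path discussed in Comment 2, as an added example that is not part of the bug report or of the kernel sources: a user-space C model in which a route reference is taken before an option copy that can fail. All names (dst_model, route_lookup, dst_put, options_copy, send_reply) and the 40-byte limit are hypothetical stand-ins chosen for illustration.

```c
#include <stdio.h>
#include <string.h>

/* User-space model; all names are hypothetical stand-ins, not RHEL 4 kernel code. */
struct dst_model { int refcnt; };
#define OUT_OPT_MAX 40                      /* constructed option-space limit */
static const unsigned char sample_ok[8]   = { 0 };   /* constructed: fits */
static const unsigned char sample_big[64] = { 0 };   /* constructed: too long */

/* Stand-in for the route lookup: on success the caller owns one reference. */
static struct dst_model *route_lookup(struct dst_model *d)
{
    d->refcnt++;
    return d;
}
static void dst_put(struct dst_model *d) { d->refcnt--; }

/* Stand-in for the option copy: fails when the input does not fit. */
static int options_copy(unsigned char *out, const unsigned char *in, size_t len)
{
    if (len > OUT_OPT_MAX)
        return -1;
    memcpy(out, in, len);
    return 0;
}

/* Build one reply. Returns the references still held on the route afterwards;
 * anything above 0 is a leaked reference. */
int send_reply(const unsigned char *opts, size_t len, int release_on_error)
{
    struct dst_model route = { 0 };
    unsigned char out[OUT_OPT_MAX];
    struct dst_model *rt = route_lookup(&route);    /* reference taken */
    if (options_copy(out, opts, len) < 0) {
        if (release_on_error)
            dst_put(rt);        /* release on the failed-copy exit */
        return route.refcnt;
    }
    dst_put(rt);                /* normal path: reply sent, reference dropped */
    return route.refcnt;
}

int main(void)
{
    printf("fits: %d\n", send_reply(sample_ok, sizeof sample_ok, 0));
    printf("overflow, no release: %d\n", send_reply(sample_big, sizeof sample_big, 0));
    printf("overflow, release: %d\n", send_reply(sample_big, sizeof sample_big, 1));
    return 0;
}
```

In the model, only the oversized input with no release on the error exit leaves a reference outstanding; each such call would pin one more cache entry.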
Comment 3 RHEL Product and Program Management 2009-03-12 15:32:16 EDT
Since RHEL 4.8 External Beta has begun, and this bugzilla remains 
unresolved, it has been rejected as it is not proposed as exception or 
blocker.
Comment 4 RHEL Product and Program Management 2009-03-16 11:38:30 EDT
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.
Comment 6 Vivek Goyal 2009-03-17 11:01:54 EDT
Committed in 84.EL. RPMS are available at http://people.redhat.com/vgoyal/rhel4/
Comment 10 errata-xmlrpc 2009-05-18 15:33:15 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2009-1024.html
