Reported by Mark Smith: When the handle_ip_over_ddp() function checks for the "ipddp0" device and the device is not found, the function does not free the socket buffer structure (skb), leading to a memory leak. This only happens if you have the appletalk module loaded, but not the ipddp module, as this only happens when the "ipddp0" device does not exist. For details see http://kbase.redhat.com/faq/docs/DOC-19077.

Analysis: call path: ltalk_rcv -> atalk_rcv -> handle_ip_over_ddp

net/appletalk/ddp.c (lines 1382-1396 and 1456-1458):

    /**
     * atalk_rcv - Receive a packet (in skb) from device dev
     * @skb - packet received
     * @dev - network device where the packet comes from
     * @pt - packet type
     *
     * Receive a packet (in skb) from device dev. This has come from the SNAP
     * decoder, and on entry skb->transport_header is the DDP header, skb->len
     * is the DDP header, skb->len is the DDP length. The physical headers
     * have been extracted. PPP should probably pass frames marked as for this
     * layer. [ie ARPHRD_ETHERTALK]
     */
    static int atalk_rcv(struct sk_buff *skb, struct net_device *dev,
                         struct packet_type *pt, struct net_device *orig_dev)
    {
    [...]
            /* if IP over DDP is not selected this code will be optimized out */
            if (is_ip_over_ddp(skb))
                    return handle_ip_over_ddp(skb);

net/appletalk/ddp.c (lines 1267-1274):

    static int handle_ip_over_ddp(struct sk_buff *skb)
    {
            struct net_device *dev = __dev_get_by_name(&init_net, "ipddp0");
            struct net_device_stats *stats;

            /* This needs to be able to handle ipddp"N" devices */
            if (!dev)
                    return -ENODEV;   <-- did not call kfree_skb(skb) when the ipddp module is not loaded, and thus the device does not exist.

Also in linux-2.4.37.y (lines 1360-1369, 1496-1504 and 1536-1538):

    /*
     * Receive a packet (in skb) from device dev. This has come from the SNAP
     * decoder, and on entry skb->h.raw is the DDP header, skb->len is the DDP
     * header, skb->len is the DDP length. The physical headers have been
     * extracted. PPP should probably pass frames marked as for this layer.
     * [ie ARPHRD_ETHERTALK]
     */
    static int atalk_rcv(struct sk_buff *skb, struct net_device *dev,
                         struct packet_type *pt)
    {
    [...]
    #if defined(CONFIG_IPDDP) || defined(CONFIG_IPDDP_MODULE)
            /* Check if IP-over-DDP */
            if (skb->data[12] == 22) {
                    struct net_device *dev = __dev_get_by_name("ipddp0");
                    struct net_device_stats *stats;

                    /* This needs to be able to handle ipddp"N" devices */
                    if (!dev)
                            return -ENODEV;   <-- did not call kfree_skb too
    [...]
    freeit:
            kfree_skb(skb);
    out:
            return 0;
    }

The patch also improved the aarp_send_ddp() function so that it handles failures and frees up the skb properly, rather than depending on the caller to do it.
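The leak described above, modelled in user space as an added example (this is not the kernel's code nor the upstream patch): a constructed sk_buff stand-in with an allocation counter, a buggy handler that mirrors the pre-fix handle_ip_over_ddp() return path, and a fixed form that releases the skb on every exit. The sk_buff struct, skbs_alive counter and ipddp0_present flag are assumptions standing in for the kernel's allocator accounting and for whether the ipddp module has created "ipddp0".

```c
#include <errno.h>
#include <stdlib.h>

/* Constructed stand-ins: a minimal sk_buff, an allocator counter (buffers
 * handed out and not yet freed) and a flag saying whether the ipddp
 * module has created the "ipddp0" device. */
struct sk_buff { size_t len; unsigned char data[64]; };
static int skbs_alive = 0;
static int ipddp0_present = 0;

static struct sk_buff *alloc_skb_model(size_t len)
{
	struct sk_buff *skb = calloc(1, sizeof *skb);
	if (skb) { skb->len = len; skbs_alive++; }
	return skb;
}

static void kfree_skb_model(struct sk_buff *skb) { if (skb) { free(skb); skbs_alive--; } }

/* Buggy form, mirroring the pre-fix handler: the -ENODEV path drops the skb
 * without freeing it, so each IP-over-DDP frame received while ipddp is
 * absent leaks one buffer. */
static int handle_ip_over_ddp_buggy(struct sk_buff *skb)
{
	if (!ipddp0_present)
		return -ENODEV;        /* skb is lost here */
	kfree_skb_model(skb);          /* stands in for passing the frame on */
	return 0;
}

/* Fixed form: the handler owns the skb, so every exit path releases it. */
static int handle_ip_over_ddp_fixed(struct sk_buff *skb)
{
	if (!ipddp0_present) {
		kfree_skb_model(skb);
		return -ENODEV;
	}
	kfree_skb_model(skb);
	return 0;
}

/* Receive n IP-over-DDP frames with the ipddp module absent and report how
 * many skbs are still outstanding afterwards (0 means no leak). */
static int skbs_leaked_after(int (*handler)(struct sk_buff *), int n)
{
	skbs_alive = 0;
	ipddp0_present = 0;
	for (int i = 0; i < n; i++)
		handler(alloc_skb_model(32));
	return skbs_alive;
}
```

With ipddp0 absent, the buggy handler leaves one outstanding buffer per frame while the fixed handler leaves none, which is the bounded-memory property the fix restores.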
This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 4 and 5, as the affected driver is not enabled in these kernels. The affected driver is available in Red Hat Enterprise MRG. It is also available in Red Hat Enterprise Linux 3, but only if the kernel-unsupported package is installed. Future kernel updates in Red Hat Enterprise Linux 3 and Red Hat Enterprise MRG may address this issue.

Before updates are applied, it is possible to reduce the risk and mitigate this flaw by:

* ensuring that both the appletalk and the ipddp modules are loaded, and remain loaded. The "ipddp0" device is automatically created by the ipddp module, causing the packets to be forwarded onto the IP protocol handling code, and thus avoiding the vulnerability as it only happens when this device does not exist.

or

* disabling the appletalk module, and ensuring that it cannot be loaded. The steps outlined below will not work if the module is already loaded. If the module is loaded and cannot be removed, for example, via "modprobe -r", a reboot will be required before the change takes effect. The "install" command is used to direct the system to run the "/bin/true" command instead of inserting the module if it is called.

  Red Hat Enterprise Linux 3

  Add the following entry to the end of the /etc/modules.conf file:

      install appletalk /bin/true

  Note: The kernel-unsupported package provides the appletalk module. This module is not available if you do not have kernel-unsupported installed.

  Red Hat Enterprise MRG

  Add the following entry to the end of the /etc/modprobe.conf file:

      install appletalk /bin/true

Updated: Sept 17th, 2009
Upstream commit: http://git.kernel.org/linus/ffcfb8db540ff879c2a85bf7e404954281443414

CVE request: http://article.gmane.org/gmane.comp.security.oss.general/2100

Note: the next kernel update for Red Hat Enterprise MRG will not have support for the AppleTalk protocol. See bug 522503.
kernel-2.6.27.35-170.2.94.fc10 has been submitted as an update for Fedora 10. http://admin.fedoraproject.org/updates/kernel-2.6.27.35-170.2.94.fc10
kernel-2.6.27.35-170.2.94.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
kernel-2.6.30.9-90.fc11 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/kernel-2.6.30.9-90.fc11
kernel-2.6.30.9-90.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.