Bug 702303 (CVE-2011-1767, CVE-2011-1768) - CVE-2011-1767 CVE-2011-1768 kernel: netns vs proto registration ordering
Summary: CVE-2011-1767 CVE-2011-1768 kernel: netns vs proto registration ordering
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2011-1767, CVE-2011-1768
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 702305 702306 702307
Blocks:
TreeView+ depends on / blocked
 
Reported: 2011-05-05 10:22 UTC by Petr Matousek
Modified: 2021-02-24 15:30 UTC (History)
14 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-11-11 02:11:23 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2011:0928 0 normal SHIPPED_LIVE Moderate: kernel security and bug fix update 2011-07-12 21:11:55 UTC
Red Hat Product Errata RHSA-2011:1253 0 normal SHIPPED_LIVE Important: kernel-rt security and bug fix update 2011-09-12 19:43:48 UTC

Description Petr Matousek 2011-05-05 10:22:20 UTC 
Description:
1) CVE-2011-1767
gre: fix netns vs proto registration ordering

GRE protocol receive hook can be called right after protocol addition is done.
If netns stuff is not yet initialized, we're going to oops in
net_generic().

This is remotely oopsable if ip_gre is compiled as module and packet
comes at unfortunate moment of module loading.

Upstream commit:
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=c2892f02

References:
http://www.openwall.com/lists/oss-security/2010/02/18/3
http://patchwork.ozlabs.org/patch/45553/

2) CVE-2011-1768
tunnels: fix netns vs proto registration ordering

Same stuff as in ip_gre patch: receive hook can be called before netns
setup is done, oopsing in net_generic().

Upstream commit:
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=d5aa407f

References:
http://www.openwall.com/lists/oss-security/2010/02/18/3
http://patchwork.ozlabs.org/patch/45554/
Comment 3 Eugene Teo (Security Response) 2011-05-06 01:06:47 UTC 
Statement:

The Linux kernel as shipped with Red Hat Enterprise Linux 4, and 5 did not provide support for Network Namespace, and therefore are not affected by this issue. This has been addressed in Red Hat Enterprise Linux 6 and Red Hat Enterprise MRG via https://rhn.redhat.com/errata/RHSA-2011-0928.html, and https://rhn.redhat.com/errata/RHSA-2011-1253.html.
Comment 4 Eugene Teo (Security Response) 2011-05-06 01:07:58 UTC 
Note that for this issue to occur, packets have to come when the module is loading, the window for this to happen is small.
Comment 7 errata-xmlrpc 2011-07-12 21:12:00 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2011:0928 https://rhn.redhat.com/errata/RHSA-2011-0928.html
Comment 8 Eugene Teo (Security Response) 2011-08-29 04:38:46 UTC 
> 2) CVE-2011-1768
> tunnels: fix netns vs proto registration ordering
> 
> Same stuff as in ip_gre patch: receive hook can be called before netns
> setup is done, oopsing in net_generic().

A regression was found that can result in a NULL pointer dereference when the ip6_tunnel module is loaded, http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=633738.

Filed bugs:
Bug 733985 - kernel: regression in CVE-2011-1768 fix [rhel-6.2]
Bug 733986 - kernel: regression in CVE-2011-1768 fix [mrg-2.0]
Comment 9 errata-xmlrpc 2011-09-12 19:45:22 UTC 
This issue has been addressed in following products:

  MRG for RHEL-6 v.2

Via RHSA-2011:1253 https://rhn.redhat.com/errata/RHSA-2011-1253.html
Note You need to log in before you can comment on or make changes to this bug.