Bug 702303 - (CVE-2011-1767, CVE-2011-1768) CVE-2011-1767 CVE-2011-1768 kernel: netns vs proto registration ordering
CVE-2011-1767 CVE-2011-1768 kernel: netns vs proto registration ordering
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
public=20100216,reported=20110505,sou...
: Security
Depends On: 702305 702306 702307
Blocks:
  Show dependency treegraph
 
Reported: 2011-05-05 06:22 EDT by Petr Matousek
Modified: 2015-07-31 02:40 EDT (History)
14 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-11-10 21:11:23 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Petr Matousek 2011-05-05 06:22:20 EDT
Description:
1) CVE-2011-1767
gre: fix netns vs proto registration ordering

GRE protocol receive hook can be called right after protocol addition is done.
If netns stuff is not yet initialized, we're going to oops in
net_generic().

This is remotely oopsable if ip_gre is compiled as module and packet
comes at unfortunate moment of module loading.

Upstream commit:
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=c2892f02

References:
http://www.openwall.com/lists/oss-security/2010/02/18/3
http://patchwork.ozlabs.org/patch/45553/

2) CVE-2011-1768
tunnels: fix netns vs proto registration ordering

Same stuff as in ip_gre patch: receive hook can be called before netns
setup is done, oopsing in net_generic().

Upstream commit:
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=d5aa407f

References:
http://www.openwall.com/lists/oss-security/2010/02/18/3
http://patchwork.ozlabs.org/patch/45554/
Comment 3 Eugene Teo (Security Response) 2011-05-05 21:06:47 EDT
Statement:

The Linux kernel as shipped with Red Hat Enterprise Linux 4, and 5 did not provide support for Network Namespace, and therefore are not affected by this issue. This has been addressed in Red Hat Enterprise Linux 6 and Red Hat Enterprise MRG via https://rhn.redhat.com/errata/RHSA-2011-0928.html, and https://rhn.redhat.com/errata/RHSA-2011-1253.html.
Comment 4 Eugene Teo (Security Response) 2011-05-05 21:07:58 EDT
Note that for this issue to occur, packets have to come when the module is loading, the window for this to happen is small.
Comment 7 errata-xmlrpc 2011-07-12 17:12:00 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2011:0928 https://rhn.redhat.com/errata/RHSA-2011-0928.html
Comment 8 Eugene Teo (Security Response) 2011-08-29 00:38:46 EDT
> 2) CVE-2011-1768
> tunnels: fix netns vs proto registration ordering
> 
> Same stuff as in ip_gre patch: receive hook can be called before netns
> setup is done, oopsing in net_generic().

A regression was found that can result in a NULL pointer dereference when the ip6_tunnel module is loaded, http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=633738.

Filed bugs:
Bug 733985 - kernel: regression in CVE-2011-1768 fix [rhel-6.2]
Bug 733986 - kernel: regression in CVE-2011-1768 fix [mrg-2.0]
Comment 9 errata-xmlrpc 2011-09-12 15:45:22 EDT
This issue has been addressed in following products:

  MRG for RHEL-6 v.2

Via RHSA-2011:1253 https://rhn.redhat.com/errata/RHSA-2011-1253.html

Note You need to log in before you can comment on or make changes to this bug.