733985 – kernel: regression in CVE-2011-1768 fix [rhel-6.2]

Bug 733985 - kernel: regression in CVE-2011-1768 fix [rhel-6.2]

Summary: kernel: regression in CVE-2011-1768 fix [rhel-6.2]

Keywords:
Status:	CLOSED NOTABUG
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	kernel
Sub Component:
Version:	6.2
Hardware:	Unspecified
OS:	Unspecified
Priority:	high
Severity:	high
Target Milestone:	rc
Target Release:	---
Assignee:	Jiri Benc
QA Contact:	Red Hat Kernel QE team
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	733986
TreeView+	depends on / blocked

Reported:	2011-08-29 04:43 UTC by Eugene Teo (Security Response)
Modified:	2011-09-07 16:42 UTC (History)
CC List:	9 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Clones:	733986 (view as bug list)
Environment:
Last Closed:	2011-09-07 16:42:26 UTC
Target Upstream Version:

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description Eugene Teo (Security Response) 2011-08-29 04:43:03 UTC

Description of problem:
The upstream commit d5aa407f59f5b83d2c50ec88f5bf56d40f1f8978 ("tunnels: fix
netns vs proto registration ordering") was not backported correctly, and results in a NULL pointer dereference in ip6_tunnel.c.

https://bugs.gentoo.org/show_bug.cgi?id=380609
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=633738

diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c
index 7fb3e02..53e0d51 100644
--- a/net/ipv6/ip6_tunnel.c
+++ b/net/ipv6/ip6_tunnel.c
@@ -1466,7 +1466,7 @@ static int __init ip6_tunnel_init(void)
 {
        int  err;
 
-       err = register_pernet_device(&ip6_tnl_net_ops);
+       err = register_pernet_gen_device(&ip6_tnl_net_id, &ip6_tnl_net_ops);
        if (err < 0)
                goto out_pernet;

The upstream commit d5aa407 that has this regression was previously backported in 6.1.z via RHSA-2011:0928.

Note You need to log in before you can comment on or make changes to this bug.