Bug 733985 - kernel: regression in CVE-2011-1768 fix [rhel-6.2]
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: kernel
Version: 6.2
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: rc
: ---
Assignee: Jiri Benc
QA Contact: Red Hat Kernel QE team
URL:
Whiteboard:
Depends On:
Blocks: 733986
Reported: 2011-08-29 04:43 UTC by Eugene Teo (Security Response)
Modified: 2011-09-07 16:42 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 733986
Environment:
Last Closed: 2011-09-07 16:42:26 UTC


Description Eugene Teo (Security Response) 2011-08-29 04:43:03 UTC
Description of problem:
The upstream commit d5aa407f59f5b83d2c50ec88f5bf56d40f1f8978 ("tunnels: fix
netns vs proto registration ordering") was not backported correctly, and results in a NULL pointer dereference in ip6_tunnel.c.

https://bugs.gentoo.org/show_bug.cgi?id=380609
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=633738

diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c
index 7fb3e02..53e0d51 100644
--- a/net/ipv6/ip6_tunnel.c
+++ b/net/ipv6/ip6_tunnel.c
@@ -1466,7 +1466,7 @@ static int __init ip6_tunnel_init(void)
 {
        int  err;
 
-       err = register_pernet_device(&ip6_tnl_net_ops);
+       err = register_pernet_gen_device(&ip6_tnl_net_id, &ip6_tnl_net_ops);
        if (err < 0)
                goto out_pernet;
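
Review bot: The out_pernet error path and the module exit path are outside the visible context of this hunk in ip6_tunnel_init(), so it cannot be confirmed from here that teardown matches the new registration. Now that registration goes through register_pernet_gen_device(&ip6_tnl_net_id, &ip6_tnl_net_ops), both paths should unregister with the gen variant and the same ip6_tnl_net_id rather than unregister_pernet_device(). The patch also carries no changelog text; one sentence saying why the id has to be passed at registration, and that this corrects the backport of d5aa407, would help anyone checking other trees that took the same backport.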

The upstream commit d5aa407 that has this regression was previously backported in 6.1.z via RHSA-2011:0928.
