Bug 751006 (CVE-2011-4112) - CVE-2011-4112 kernel: null ptr deref at dev_queue_xmit+0x35/0x4d0
Summary: CVE-2011-4112 kernel: null ptr deref at dev_queue_xmit+0x35/0x4d0
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2011-4112
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 751372 755403 755404 755410
Blocks: 750960
Reported: 2011-11-03 08:10 UTC by Eugene Teo (Security Response)
Modified: 2021-02-24 13:48 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-11-24 14:16:48 UTC
Embargoed:



Description Eugene Teo (Security Response) 2011-11-03 08:10:55 UTC
When I was running the bridge over vlan testing, I got a kernel panic at
dev_queue_xmit+0x35/0x4d0.

Version-Release number of selected component (if applicable):
kernel-2.6.32-216

How reproducible:
100%

Actual results:
BUG: unable to handle kernel NULL pointer dereference at 0000000000000006
IP: [<ffffffff814309a5>] dev_queue_xmit+0x35/0x6b0
PGD 0 
Oops: 0000 [#1] SMP 
last sysfs file: /sys/module/pktgen/initstate
CPU 0 
Modules linked in: bonding bridge 8021q garp stp llc pktgen autofs4 sunrpc
pcc_cpufreq ipv6 power_meter be2net ixgbe dca mdio netxen_nic microcode
serio_raw iTCO_wdt iTCO_vendor_support hpilo hpwdt sg i7core_edac edac_core
shpchp ext4 mbcache jbd2 sr_mod cdrom sd_mod crc_t10dif lpfc scsi_transport_fc
scsi_tgt pata_acpi ata_generic ata_piix hpsa radeon ttm drm_kms_helper drm
i2c_algo_bit i2c_core dm_mirror dm_region_hash dm_log dm_mod [last unloaded:
bonding]

Pid: 3374, comm: kpktgend_0 Not tainted 2.6.32-214.el6.x86_64 #1
Hewlett-Packard ProLiant DL580 G7
RIP: 0010:[<ffffffff814309a5>]  [<ffffffff814309a5>] dev_queue_xmit+0x35/0x6b0
RSP: 0018:ffff88023ac2bbc0  EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff8802360cecf8 RCX: 0000000000000003
RDX: 0000000000000000 RSI: ffff880437b2e6e0 RDI: ffff8802360cecf8
RBP: ffff88023ac2bc00 R08: ffffffffa0483520 R09: ffff88023ac2bcb8
R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000000
R13: ffff8802397b5020 R14: ffff880437b2e020 R15: ffff8804385fe540
FS:  0000000000000000(0000) GS:ffff88002f600000(0000) knlGS:0000000000000000
CS:  0010 DS: 0018 ES: 0018 CR0: 000000008005003b
CR2: 0000000000000006 CR3: 0000000001a85000 CR4: 00000000000006f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Process kpktgend_0 (pid: 3374, threadinfo ffff88023ac2a000, task
ffff8802386e8a80)
Stack:
 ffff88023ac2bbd0 ffffffff00000000 ffff88023ac2bc00 ffff8804385fe540
<0> 0000000000000000 ffff8802397f2dc0 ffff880437b2e020 ffff8804385fe540
<0> ffff88023ac2bc20 ffffffffa047ba34 ffff8802360cecf8 0000000000000000
Call Trace:
 [<ffffffffa047ba34>] vlan_dev_hwaccel_hard_start_xmit+0x84/0xb0 [8021q]
 [<ffffffff8142c67f>] dev_hard_start_xmit+0x20f/0x3f0
 [<ffffffff81430ec6>] dev_queue_xmit+0x556/0x6b0
 [<ffffffffa0483598>] br_dev_queue_push_xmit+0x78/0xe0 [bridge]
 [<ffffffffa0483658>] br_forward_finish+0x58/0x60 [bridge]
 [<ffffffffa0483838>] __br_deliver+0xa8/0x110 [bridge]
 [<ffffffffa0483829>] ? __br_deliver+0x99/0x110 [bridge]
 [<ffffffffa04838d5>] br_deliver+0x35/0x40 [bridge]
 [<ffffffffa04825b8>] br_dev_xmit+0xa8/0x120 [bridge]
 [<ffffffffa04aa8f5>] pktgen_thread_worker+0x835/0x1bf0 [pktgen]
 [<ffffffffa0482510>] ? br_dev_xmit+0x0/0x120 [bridge]
 [<ffffffff81090c00>] ? autoremove_wake_function+0x0/0x40
 [<ffffffff81090c00>] ? autoremove_wake_function+0x0/0x40
 [<ffffffffa04aa0c0>] ? pktgen_thread_worker+0x0/0x1bf0 [pktgen]
 [<ffffffff81090896>] kthread+0x96/0xa0
 [<ffffffff8100c14a>] child_rip+0xa/0x20
 [<ffffffff81090800>] ? kthread+0x0/0xa0
 [<ffffffff8100c140>] ? child_rip+0x0/0x20
Code: 5d d8 4c 89 65 e0 4c 89 6d e8 4c 89 75 f0 4c 89 7d f8 0f 1f 44 00 00 8b
87 cc 00 00 00 4c 8b 6f 20 48 03 87 d0 00 00 00 48 89 fb <66> 83 78 06 00 0f 84
58 01 00 00 0f b7 50 0a 41 8b 4d 70 c1 e2 
RIP  [<ffffffff814309a5>] dev_queue_xmit+0x35/0x6b0
 RSP <ffff88023ac2bbc0>
CR2: 0000000000000006


Expected results:
no panic

Additional info:

Upstream commit:
http://git.kernel.org/linus/550fd08c2cebad61c548def135f67aba284c6162
http://git.kernel.org/linus/d8873315065f1f527c7c380402cf59b1e1d0ae36
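
Added example, not code from this bug or from the kernel: a small user-space C model of the hazard pktgen runs into in the trace above. pktgen reuses a single skb for a whole burst by raising its reference count, so any device in the transmit path that rewrites the buffer in place (the 8021q and bridge layers in the call trace both do header work) changes what the next transmit of the same skb sees. As I read the two upstream commits listed above, the fix is a per-device flag (IFF_TX_SKB_SHARING) that pktgen now requires before it will hand a shared skb to a device, and the bridge, vlan and bonding drivers clear it. Everything below is the model's own assumption: the flag value, the device names, the 4-byte tag push used to stand in for the encapsulating layer, and the "intact" heuristic that counts frames whose first byte still carries the original marker.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for IFF_TX_SKB_SHARING; the real bit value is not used here. */
#define TX_SKB_SHARING 0x1u
#define BUF_SIZE 128
#define HEADROOM 16            /* room in front of the frame for pushed headers */
#define MARKER 0xdeu           /* first byte of the constructed frame */

/* Minimal socket-buffer model: a refcount, a buffer, and a data pointer into it. */
struct skb {
    int users;
    unsigned char buf[BUF_SIZE];
    unsigned char *data;
    size_t len;
};

/* Minimal net_device model: flags, a transmit hook and a counter. */
struct netdev {
    const char *name;
    unsigned int priv_flags;
    int (*xmit)(struct netdev *dev, struct skb *skb);
    size_t tx_count;
};

static void skb_init(struct skb *skb, size_t payload_len)
{
    memset(skb, 0, sizeof *skb);
    skb->users = 1;
    skb->data = skb->buf + HEADROOM;
    skb->len = payload_len;
    memset(skb->data, MARKER, payload_len);
}

/* A leaf driver that transmits what it is handed and never touches the headers. */
static int leaf_xmit(struct netdev *dev, struct skb *skb)
{
    (void)skb;
    dev->tx_count++;
    return 0;
}

/* An encapsulating device (think vlan over bridge) that pushes a 4-byte tag in
 * front of the frame *in place*. Safe for a private skb, not for a shared one. */
static int tagging_xmit(struct netdev *dev, struct skb *skb)
{
    static const unsigned char tag[4] = { 0x81, 0x00, 0x00, 0x0a };

    if ((size_t)(skb->data - skb->buf) < sizeof tag)
        return -1;                       /* headroom exhausted: would underflow buf */
    skb->data -= sizeof tag;
    skb->len += sizeof tag;
    memcpy(skb->data, tag, sizeof tag);
    dev->tx_count++;
    return 0;
}

/* pktgen-style burst: one skb, users bumped by `burst`, transmitted `burst` times.
 * Returns how many transmits saw the original frame intact, or -1 when the
 * flag check refuses the device (the post-fix behaviour). */
static int shared_burst(struct netdev *dev, struct skb *skb, int burst, int enforce_flag)
{
    int intact = 0;

    if (enforce_flag && !(dev->priv_flags & TX_SKB_SHARING))
        return -1;
    skb->users += burst;
    for (int i = 0; i < burst; i++) {
        if (skb->data[0] == MARKER)
            intact++;
        if (dev->xmit(dev, skb) != 0)
            break;                       /* the driver gave up on the mangled skb */
        skb->users--;
    }
    return intact;
}

/* Drive one scenario: tagging device or leaf device, with or without the flag check. */
static int run_scenario(int tagging, int enforce_flag, int burst)
{
    struct skb skb;
    struct netdev dev = {
        tagging ? "vlan-over-bridge" : "leaf",
        tagging ? 0u : TX_SKB_SHARING,
        tagging ? tagging_xmit : leaf_xmit,
        0
    };

    skb_init(&skb, 60);
    return shared_burst(&dev, &skb, burst, enforce_flag);
}

int main(void)
{
    printf("leaf, shared skb:              %d of 5 intact\n", run_scenario(0, 0, 5));
    printf("tagging, shared skb, no check: %d of 5 intact\n", run_scenario(1, 0, 5));
    printf("tagging, shared skb, checked:  %d (refused)\n", run_scenario(1, 1, 5));
    return 0;
}
```

Without the check the tagging device corrupts every transmit after the first and then fails outright once the headroom is gone; with the check pktgen simply refuses the device, which is the shape of the upstream fix rather than its code.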

Comment 5 Petr Matousek 2011-11-24 14:16:48 UTC
The panic is on the sending side with pktgen. /proc/net/pktgen/pgctrl is 600 and also CAP_NET_ADMIN only. This is a pktgen-specific issue.

Closing as NOTABUG.

Comment 6 Petr Matousek 2011-11-24 14:45:10 UTC
CVE-2011-4112 REJECT request
http://www.openwall.com/lists/oss-security/2011/11/24/3

Comment 7 Petr Matousek 2012-05-22 09:06:52 UTC
Statement:

The Red Hat Security Response team does not consider this bug to be a security-relevant one, due to the privileges required to exploit this issue.

