Bug 979936 - (CVE-2013-2224) CVE-2013-2224 kernel: net: IP_REPOPTS invalid free
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
All Linux
Severity: high
Assigned To: Red Hat Product Security
impact=important,public=20130630,repo...
: Security
Depends On: 979788 980141 980142 980144 998389
Blocks: 979907
Reported: 2013-07-01 03:54 EDT by Prasad J Pandit
Modified: 2015-07-31 03:08 EDT (History)
Doc Type: Bug Fix
Last Closed: 2013-10-22 11:31:08 EDT
Attachments
Proposed patch (845 bytes, patch)
2013-07-01 06:30 EDT, Petr Matousek
RHEL-fix-freeing-RCU-protected-IP-options (1.64 KB, patch)
2013-07-01 07:58 EDT, Kontantin Khlebnikov

Description Prasad J Pandit 2013-07-01 03:54:14 EDT
The Linux kernel was found to be vulnerable to a denial-of-service and/or possible
code-execution flaw caused by an invalid free while sending a message with the
sendmsg(2) call with the IP_RETOPTS socket option set. This option is set to pass
unprocessed IP options along with timestamps to a user via the IP_OPTIONS control
message.

An unprivileged user/program could use this flaw to crash the system, resulting
in a DoS, or possibly gain root privileges via arbitrary code execution.

Reference:
----------
  -> http://www.openwall.com/lists/oss-security/2013/06/30/1

This issue was introduced via a Red Hat Enterprise Linux-specific patch for CVE-2012-3552.
Comment 1 Prasad J Pandit 2013-07-01 03:57:35 EDT
Statement:

This issue did not affect the version of the kernel package as shipped with Red Hat Enterprise MRG 2.

This issue affects the versions of Linux kernel as shipped with Red Hat Enterprise Linux 5 and Red Hat Enterprise Linux 6. Future kernel updates for Red Hat Enterprise Linux 5 and Red Hat Enterprise Linux 6 may address this issue.
Comment 2 Petr Matousek 2013-07-01 06:30:35 EDT
Created attachment 767318 [details]
Proposed patch

Looks to me like a RHEL-only bug introduced by the fixes for CVE-2012-3552 -- we are kfree()ing kzalloc_ip_options()-allocated opts.

I'm brewing a rhel-6 kernel with the attached patch to test that.

Jiri, could you please have a quick look at the issue?
Comment 3 Kontantin Khlebnikov 2013-07-01 07:58:18 EDT
Created attachment 767364 [details]
RHEL-fix-freeing-RCU-protected-IP-options

The bug was introduced in the backport of mainline commit:
f6d8bd051c391c1c0458a30b2a7abcd939329259 (inet: add RCU protection to inet->opt)

This patch calls the right freeing method from all ip_cmsg_send() callers.
Struct ip_options is embedded into struct ip_options_rcu, so kfree should be
called at the right offset, otherwise it will poison the slab with misaligned objects.
These misaligned objects may intersect and corrupt each other.
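To illustrate the embedded-struct mistake described above, here is an added user-space C sketch; it is not code from this bug, its patches or the kernel. The `*_sim` types, `alloc_ip_options_sim`, `bad_free_offset` and `free_ip_options_sim` are constructed stand-ins for `struct ip_options_rcu`, `kzalloc_ip_options()` and the freeing path, with simplified struct layouts.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Constructed stand-in for struct rcu_head: its only job here is to place
 * non-zero bytes in front of the embedded options, as the kernel does. */
struct rcu_head_sim {
	void *next;
	void (*func)(struct rcu_head_sim *head);
};

/* Simplified shape of struct ip_options (constructed, not the real layout). */
struct ip_options_sim {
	uint32_t faddr;
	unsigned char optlen;
	unsigned char data[40];
};

/* Simplified struct ip_options_rcu: the options are embedded, not a
 * separate allocation, so &rcu->opt is never a valid argument to free(). */
struct ip_options_rcu_sim {
	struct rcu_head_sim rcu;
	struct ip_options_sim opt;
};

/* container_of() as in the kernel: step back from a member to its container. */
#define container_of(ptr, type, member) \
	((type *)((char *)(ptr) - offsetof(type, member)))

/* Stand-in for kzalloc_ip_options(): the whole container is one allocation. */
struct ip_options_rcu_sim *alloc_ip_options_sim(void)
{
	return calloc(1, sizeof(struct ip_options_rcu_sim));
}

/* The buggy path freed &rcu->opt. This returns how many bytes that pointer
 * lies past the real allocation start; non-zero means the allocator would be
 * handed a pointer it never returned, which is the slab poisoning above. */
size_t bad_free_offset(const struct ip_options_rcu_sim *rcu)
{
	return (size_t)((const char *)&rcu->opt - (const char *)rcu);
}

/* Correct release: recover the container from the embedded pointer, then
 * free the container, never the member. */
void free_ip_options_sim(struct ip_options_sim *opt)
{
	free(container_of(opt, struct ip_options_rcu_sim, opt));
}
```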
Comment 4 Petr Matousek 2013-07-01 08:02:28 EDT
Hi Konstantin,

(In reply to Kontantin Khlebnikov from comment #3)
> Created attachment 767364 [details]
> RHEL-fix-freeing-RCU-protected-IP-options
> 
> Bug was introduced in backport of mainline commit:
> f6d8bd051c391c1c0458a30b2a7abcd939329259 (inet: add RCU protection to
> inet->opt)

thank you for your submission. I am currently building a kernel with the patch from comment #2 (the same as yours) and will report back with the testing results.

Thanks,
--
Petr Matousek / Red Hat Security Response Team
Comment 5 Jiri Pirko 2013-07-01 08:09:46 EDT
Patch from comment #2 looks good to me.
Comment 6 Petr Matousek 2013-07-01 10:08:00 EDT
(In reply to Petr Matousek from comment #4)
...
> thank you for your submission. I am currently building kernel with patch
> from comment #2 (the same as yours) and will report back with the testing

The proposed patch indeed fixes the issue in question.
Comment 9 Steven Ciaburri 2013-07-01 12:25:53 EDT
The patch appears to work well on our end too!
Comment 10 Johnny Hughes 2013-07-02 18:04:28 EDT
CentOS has produced the following kernel that addresses this issue as an interim (use at your own risk) kernel for EL6:

http://people.centos.org/hughesjr/c6kernel/2.6.32-358.11.1.el6.cve20132224/

It applies the patch in comment #3 above to the current CentOS kernel.
Comment 11 Johnny Hughes 2013-07-17 02:08:14 EDT
CentOS has produced another kernel that addresses this issue with the newer 2.6.32-358.14.1.el6 kernel:

http://people.centos.org/hughesjr/c6kernel/2.6.32-358.14.1.el6.cve20132224/

It also is just the standard kernel plus the one patch in comment #3.
Comment 13 errata-xmlrpc 2013-08-20 14:59:49 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2013:1166 https://rhn.redhat.com/errata/RHSA-2013-1166.html
Comment 14 errata-xmlrpc 2013-08-27 15:30:11 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2013:1173 https://rhn.redhat.com/errata/RHSA-2013-1173.html
Comment 15 errata-xmlrpc 2013-09-03 16:30:54 EDT
This issue has been addressed in the following products:

  OpenStack 3 for RHEL 6

Via RHSA-2013:1195 https://rhn.redhat.com/errata/RHSA-2013-1195.html
Comment 16 errata-xmlrpc 2013-10-22 13:03:17 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.3 EUS - Server and Compute Node Only

Via RHSA-2013:1450 https://rhn.redhat.com/errata/RHSA-2013-1450.html