Bugzilla (bugzilla.redhat.com) will be under maintenance for infrastructure upgrades and will not be unavailable on July 31st between 12:30 AM - 05:30 AM UTC. We appreciate your understanding and patience. You can follow status.redhat.com for details.
Bug 979936 (CVE-2013-2224) - CVE-2013-2224 kernel: net: IP_REPOPTS invalid free
Summary: CVE-2013-2224 kernel: net: IP_REPOPTS invalid free
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2013-2224
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 979788 980141 980142 980144 998389
Blocks: 979907
TreeView+ depends on / blocked
 
Reported: 2013-07-01 07:54 UTC by Prasad J Pandit
Modified: 2021-02-17 07:33 UTC (History)
35 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-10-22 15:31:08 UTC


Attachments (Terms of Use)
Proposed patch (845 bytes, patch)
2013-07-01 10:30 UTC, Petr Matousek
no flags Details | Diff
RHEL-fix-freeing-RCU-protected-IP-options (1.64 KB, patch)
2013-07-01 11:58 UTC, Kontantin Khlebnikov
no flags Details | Diff


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2013:1166 0 normal SHIPPED_LIVE Important: kernel security and bug fix update 2013-08-20 22:56:21 UTC
Red Hat Product Errata RHSA-2013:1173 0 normal SHIPPED_LIVE Important: kernel security and bug fix update 2013-08-27 23:23:53 UTC
Red Hat Product Errata RHSA-2013:1195 0 normal SHIPPED_LIVE Important: kernel security and bug fix update 2013-09-04 00:27:43 UTC
Red Hat Product Errata RHSA-2013:1450 0 normal SHIPPED_LIVE Important: kernel security and bug fix update 2013-10-22 21:02:36 UTC

Description Prasad J Pandit 2013-07-01 07:54:14 UTC
Linux kernel is found to be vulnerable to a denial of service and/or possible
code execution flaw caused by invalid free  while sending message with
sendmsg(2) call with IP_RETOPTS socket option set. This option is set to pass
unprocessed IP options along with timestamps to a user via IP_OPTIONS control
message.

An unprivileged user/program could use this flaw to crash the system resulting
in DoS or possibly gain root privileges via arbitrary code execution.

Reference:
----------
  -> http://www.openwall.com/lists/oss-security/2013/06/30/1

This issue was introduced via Red Hat Enterprise Linux specific patch for CVE-2012-3552.

Comment 1 Prasad J Pandit 2013-07-01 07:57:35 UTC
Statement:

This issue did not affect the version of the kernel package as shipped with Red Hat Enterprise MRG 2.

This issue affects the versions of Linux kernel as shipped with Red Hat Enterprise Linux 5 and Red Hat Enterprise Linux 6. Future kernel updates for Red Hat Enterprise Linux 5 and Red Hat Enterprise Linux 6 may address this issue.

Comment 2 Petr Matousek 2013-07-01 10:30:35 UTC
Created attachment 767318 [details]
Proposed patch

Looks to me like rhel only bug introduced by fixes for CVE-2012-3552 -- we are kfree()ing kzalloc_ip_options() alloced opts.

I'm brewing rhel-6 kernel with attached patch to test that.

Jiri, could you please have a quick look at the issue?

Comment 3 Kontantin Khlebnikov 2013-07-01 11:58:18 UTC
Created attachment 767364 [details]
RHEL-fix-freeing-RCU-protected-IP-options

Bug was introduced in backport of mainline commit:
f6d8bd051c391c1c0458a30b2a7abcd939329259 (inet: add RCU protection to inet->opt)
    
This patch calls right freeing method from all ip_cmsg_send() callers.
Struct ip_options is embedded into struct ip_options_rcu, so kfree should be
called for right offset, otherwise it will poison slab with misaligned objects.
These misaligned objects may intersect and corrupt each other.

Comment 4 Petr Matousek 2013-07-01 12:02:28 UTC
Hi Konstantin,

(In reply to Kontantin Khlebnikov from comment #3)
> Created attachment 767364 [details]
> RHEL-fix-freeing-RCU-protected-IP-options
> 
> Bug was introduced in backport of mainline commit:
> f6d8bd051c391c1c0458a30b2a7abcd939329259 (inet: add RCU protection to
> inet->opt)

thank you for your submission. I am currently building kernel with patch from comment #2 (the same as yours) and will report back with the testing results.

Thanks,
--
Petr Matousek / Red Hat Security Response Team

Comment 5 Jiri Pirko 2013-07-01 12:09:46 UTC
Patch from comment #2 looks good to me.

Comment 6 Petr Matousek 2013-07-01 14:08:00 UTC
(In reply to Petr Matousek from comment #4)
...
> thank you for your submission. I am currently building kernel with patch
> from comment #2 (the same as yours) and will report back with the testing

The proposed patch indeed fixes the issue in question.

Comment 9 Steven Ciaburri 2013-07-01 16:25:53 UTC
The patch appears to work good on our end too!

Comment 10 Johnny Hughes 2013-07-02 22:04:28 UTC
CentOS has produced the following kernel that addresses this issue as an interim (use at your own risk) kernel for EL6:

http://people.centos.org/hughesjr/c6kernel/2.6.32-358.11.1.el6.cve20132224/

It applies the patch in comment #3 above to the current CentOS kernel.

Comment 11 Johnny Hughes 2013-07-17 06:08:14 UTC
CentOS has produced another kernel that addresses this issue with the newer 2.6.32-358.14.1.el6 kernel:  

http://people.centos.org/hughesjr/c6kernel/2.6.32-358.14.1.el6.cve20132224/

It also is just the standard kernel and the one patch in comment #3

Comment 13 errata-xmlrpc 2013-08-20 18:59:49 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2013:1166 https://rhn.redhat.com/errata/RHSA-2013-1166.html

Comment 14 errata-xmlrpc 2013-08-27 19:30:11 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2013:1173 https://rhn.redhat.com/errata/RHSA-2013-1173.html

Comment 15 errata-xmlrpc 2013-09-03 20:30:54 UTC
This issue has been addressed in following products:

  OpenStack 3 for RHEL 6

Via RHSA-2013:1195 https://rhn.redhat.com/errata/RHSA-2013-1195.html

Comment 16 errata-xmlrpc 2013-10-22 17:03:17 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6.3 EUS - Server and Compute Node Only

Via RHSA-2013:1450 https://rhn.redhat.com/errata/RHSA-2013-1450.html


Note You need to log in before you can comment on or make changes to this bug.