Description of problem:

http://marc.info/?l=linux-netdev&m=126343325807340&w=2

This fixes CERT-FI FICORA #341748

Discovered by Olli Jarva and Tuomo Untinen from the CROSS project at Codenomicon Ltd.

Just like in CVE-2007-4567, we can't rely upon skb_dst() being non-NULL at this point. We fixed that in commit e76b2b2567b83448c2ee85a896433b96150c92e6 ("[IPV6]: Do no rely on skb->dst before it is assigned.")

However commit 483a47d2fe794328d29950fe00ce26dd405d9437 ("ipv6: added net argument to IP6_INC_STATS_BH") put a new version of the same bug into this function.

Complicating analysis further, this bug can only trigger when network namespaces are enabled in the build. When namespaces are turned off, the dev_net() does not evaluate its argument, so the dereference would not occur.

So, for a long time, namespaces couldn't be turned on unless SYSFS was disabled. Therefore, this code has largely been disabled except by people turning it on explicitly for namespace development.

With help from Eugene Teo <eugene>

Signed-off-by: David S. Miller <davem>
CC: stable <stable>
---
 net/ipv6/exthdrs.c | 7 ++++++-
 1 files changed, 6 insertions(+), 1 deletions(-)

diff --git a/net/ipv6/exthdrs.c b/net/ipv6/exthdrs.c
index df159ff..4bac362 100644
--- a/net/ipv6/exthdrs.c
+++ b/net/ipv6/exthdrs.c
@@ -559,6 +559,11 @@ static inline struct inet6_dev *ipv6_skb_idev(struct sk_buff *skb) return skb_dst(skb) ? ip6_dst_idev(skb_dst(skb)) : __in6_dev_get(skb->dev); } +static inline struct net *ipv6_skb_net(struct sk_buff *skb) +{ + return skb_dst(skb) ? dev_net(skb_dst(skb)->dev) : dev_net(skb->dev); +} + /* Router Alert as of RFC 2711 */ static int ipv6_hop_ra(struct sk_buff *skb, int optoff)
@@ -580,8 +585,8 @@ static int ipv6_hop_ra(struct sk_buff *skb, int optoff) static int ipv6_hop_jumbo(struct sk_buff *skb, int optoff) { const unsigned char *nh = skb_network_header(skb); + struct net *net = ipv6_skb_net(skb); u32 pkt_len; - struct net *net = dev_net(skb_dst(skb)->dev); if (nh[optoff + 1] != 4 || (optoff & 3) != 2) { LIMIT_NETDEBUG(KERN_DEBUG "ipv6_hop_jumbo: wrong jumbo opt length/alignment %d\n", -- 1.6.5
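Review bot: the new ipv6_skb_net() helper in the first hunk (net/ipv6/exthdrs.c, after ipv6_skb_idev()) carries no comment saying why skb_dst() can be NULL here, although the commit message has the whole story: hop-by-hop options are parsed before a route has been attached, and dev_net() only looks at its argument on a CONFIG_NET_NS build, so the bug hides on the common configuration. A one-line comment above the helper, e.g. "/* skb_dst() is not yet assigned while hop-by-hop options are parsed */", sitting next to ipv6_skb_idev() which makes the same NULL check, is the cheapest way to stop the next refactor from reintroducing dev_net(skb_dst(skb)->dev) the way 483a47d2 did. The helper still assumes skb_dst(skb)->dev is non-NULL whenever a dst is attached; that assumption is unchanged from the pre-fix line, so it is not a regression, just worth stating in the same comment.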
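Review bot: the second hunk converts the single use in ipv6_hop_jumbo(), replacing "struct net *net = dev_net(skb_dst(skb)->dev);" with "struct net *net = ipv6_skb_net(skb);"; before this goes to stable the rest of exthdrs.c deserves a grep for the dev_net(skb_dst(skb)->dev) pattern, since any other option handler reached from ipv6_parse_hopopts() runs in the same pre-routing window and would have the same exposure. The moved declaration now resolves `net` for every jumbo option, including ones the very next check rejects for bad length or alignment; that is the right order, because the error path is exactly where the namespace pointer is needed for the statistics bump. Since the crash is only reachable with network namespaces compiled in, a reproducer or regression test needs a CONFIG_NET_NS kernel; it is worth saying so in the stable submission so that a "could not reproduce" on a default build is not taken as evidence the fix is unneeded.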
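The commit message above explains three things at once: that skb_dst() is still NULL while hop-by-hop options are parsed, that the statistics bump in the jumbo-option error path is what dereferences it, and that dev_net() only touches its argument on a namespace-enabled build. The following is an added userspace model written for this page, not code from the kernel tree or from the patch author, that puts those three facts in one runnable file. It reproduces the ipv6_skb_net() helper from the hunk as-is, models dev_net() both ways (CONFIG_NET_NS is defined at the top so the dangerous variant is active; the no-namespace variant is simplified to a macro that ignores its argument, which is the behaviour the commit message describes), and feeds a constructed jumbo-payload packet to a cut-down ipv6_hop_jumbo(). The length and alignment checks are the ones visible in the hunk; the "jumbo length must exceed IPV6_MAXPLEN" rule is taken from RFC 2675 as a stand-in for the part of the function the patch does not show, and the skb length check of the real function is not modelled. The fixture names ns_a, dev_a, rx_jumbo_skb(), receive_jumbo() and ns_seen_at_hbh_time() are this example's own. Option offset 42 is where the first option sits when the hop-by-hop header directly follows the 40-byte IPv6 header; it is consistent with the 0x2a values in RDX, RSI, R12 and R13 of the RHEL5 oops further down this page.

```c
/* Userspace model of the ipv6_hop_jumbo() NULL-dst bug and the patch's fix (added example). */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define CONFIG_NET_NS 1     /* model the namespace-enabled build, where the bug is reachable */
#define IPV6_MAXPLEN  65535 /* largest payload length the base IPv6 header can express */
#define PKT_LEN       48    /* 40-byte IPv6 header + 8-byte hop-by-hop header, no payload */

enum { IPSTATS_MIB_INHDRERRORS, IPSTATS_MIB_MAX };
struct net        { int id; unsigned long mib[IPSTATS_MIB_MAX]; };
struct net_device { struct net *nd_net; };
struct dst_entry  { struct net_device *dev; };
struct sk_buff {
    struct dst_entry    *dst; /* NULL until routing runs, i.e. throughout hop-by-hop parsing */
    struct net_device   *dev; /* receiving interface, filled in by the driver */
    const unsigned char *nh;  /* network header: IPv6 header followed by extension headers */
};

/* Constructed fixture (not kernel data): one namespace (id 7) holding one interface. */
static struct net        ns_a  = { 7, { 0 } };
static struct net_device dev_a = { &ns_a };

static inline struct dst_entry *skb_dst(const struct sk_buff *skb) { return skb->dst; }
static inline const unsigned char *skb_network_header(const struct sk_buff *skb) { return skb->nh; }

#ifdef CONFIG_NET_NS
static inline struct net *dev_net(const struct net_device *dev) { return dev->nd_net; }
#else
/* Simplified model of the no-namespace build as the commit message describes it: the
 * argument is never looked at, so a NULL dst->dev is never dereferenced and the bug hides. */
static struct net init_net = { 0, { 0 } };
#define dev_net(dev) (&init_net)
#endif

/* Model of IP6_INC_STATS_BH(net, idev, field) with the idev argument dropped. */
#define IP6_INC_STATS_BH(net, field) ((net)->mib[(field)]++)

/* Pre-fix accessor (the 483a47d2 shape): trusts skb_dst() unconditionally. Calling it on
 * the rx skb built below, with CONFIG_NET_NS, is the NULL-pointer load the oops reports. */
static inline struct net *ipv6_skb_net_before(struct sk_buff *skb)
{
    return dev_net(skb_dst(skb)->dev);
}

/* The helper introduced by the patch, reproduced as-is. */
static inline struct net *ipv6_skb_net(struct sk_buff *skb)
{
    return skb_dst(skb) ? dev_net(skb_dst(skb)->dev) : dev_net(skb->dev);
}

static inline uint32_t get_be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Model of the jumbo-payload handler: 1 = keep parsing, 0 = drop. Length/alignment checks
 * as in the hunk; "jumbo length must exceed IPV6_MAXPLEN" is RFC 2675 and stands in for the
 * unshown remainder. Every error path bumps the per-namespace counter through `net`. */
static int ipv6_hop_jumbo(struct sk_buff *skb, int optoff)
{
    const unsigned char *nh = skb_network_header(skb);
    struct net *net = ipv6_skb_net(skb); /* pre-fix: dev_net(skb_dst(skb)->dev) */
    uint32_t pkt_len;

    if (nh[optoff + 1] != 4 || (optoff & 3) != 2) {
        IP6_INC_STATS_BH(net, IPSTATS_MIB_INHDRERRORS);
        return 0;
    }
    pkt_len = get_be32(nh + optoff + 2);
    if (pkt_len <= IPV6_MAXPLEN) {
        IP6_INC_STATS_BH(net, IPSTATS_MIB_INHDRERRORS);
        return 0;
    }
    return 1;
}

/* The packet and skb the receive path hands to the option parser: dev set, dst still NULL.
 * The first option lands at offset 42 (40 + 2), which also satisfies (optoff & 3) == 2. */
static void rx_jumbo_skb(struct sk_buff *skb, unsigned char *pkt, struct net_device *dev,
                         unsigned char optlen, uint32_t jumbo_len)
{
    memset(pkt, 0, PKT_LEN);   /* payload_len stays 0, as RFC 2675 requires with a jumbo option */
    pkt[0]  = 0x60;            /* version 6; pkt[6] (next header) stays 0 = hop-by-hop */
    pkt[40] = 59;              /* hop-by-hop next header: none; pkt[41] = 0 means 8 bytes */
    pkt[42] = 0xC2;            /* option type: jumbo payload */
    pkt[43] = optlen;          /* valid value is 4 */
    pkt[44] = (unsigned char)(jumbo_len >> 24); pkt[45] = (unsigned char)(jumbo_len >> 16);
    pkt[46] = (unsigned char)(jumbo_len >> 8);  pkt[47] = (unsigned char)jumbo_len;
    skb->dst = NULL; skb->dev = dev; skb->nh = pkt;
}

/* Receive one constructed jumbo packet on dev and return the handler's verdict. */
static int receive_jumbo(struct net_device *dev, unsigned char optlen, uint32_t jumbo_len)
{
    unsigned char pkt[PKT_LEN];
    struct sk_buff skb;
    rx_jumbo_skb(&skb, pkt, dev, optlen, jumbo_len);
    return ipv6_hop_jumbo(&skb, 42);
}

/* Namespace id the fixed helper resolves for an rx skb (dst == NULL): the device's own. */
static int ns_seen_at_hbh_time(struct net_device *dev)
{
    unsigned char pkt[PKT_LEN];
    struct sk_buff skb;
    rx_jumbo_skb(&skb, pkt, dev, 4, 70000);
    return ipv6_skb_net(&skb)->id;
}
```

Run it with a well-formed jumbo option (length 4, jumbo length 70000) and the handler keeps the packet; with a wrong option length or a jumbo length that fits in the base header it drops the packet and the counter increments in ns_a, reached through skb->dev because no dst exists yet. Swapping ipv6_skb_net() for ipv6_skb_net_before() in ipv6_hop_jumbo() turns every one of those calls into a NULL dereference on this CONFIG_NET_NS build, and into a silent success if CONFIG_NET_NS is undefined at the top, which is the config-dependent behaviour the commit message describes.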
This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 3, 4, 5 and Red Hat Enterprise MRG as they did not have support for network namespaces, and did not include upstream commit 483a47d2 that introduced the problem.

The kernel versions tested are:

1) Red Hat Enterprise Linux 3, 2.4.21-63.EL (not affected)
2) Red Hat Enterprise Linux 4, 2.6.9-89.0.19.EL (not affected)
3) Red Hat Enterprise Linux 5, 2.6.18-164.11.1.el5 (not affected)
4) Red Hat Enterprise MRG, 2.6.24.7-139.el5rt (not affected)

Kernel updates for Fedora will be available soon.
Will be in the next stable push for F-12 via the stable 2.6.31.11 tree.
kernel-2.6.31.12-174.2.3.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/kernel-2.6.31.12-174.2.3.fc12
kernel-2.6.31.12-174.2.3.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.
kernel-2.6.30.10-105.2.4.fc11 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/kernel-2.6.30.10-105.2.4.fc11
kernel-2.6.30.10-105.2.4.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.
I hit this issue on kernel-2.6.18-164.el5 (x86_64).

This was on dell-pe2950-01.rhts.eng.bos.redhat.com running the stock kernel. The machine had been idle since booting.

I got a crash dump. Here are the panic strings:

eth0: no IPv6 routers present
Unable to handle kernel NULL pointer dereference at 00000000000000d0
RIP: [<ffffffff883addc7>] :ipv6:ipv6_hop_jumbo+0x7d/0x1e8
PGD 70898067 PUD 70899067 PMD 0
Oops: 0000 [1] SMP
last sysfs file: /devices/pci0000:00/0000:00:1c.0/0000:04:00.0/0000:05:00.0/irq
CPU 0
Modules linked in: autofs4 hidp rfcomm l2cap bluetooth lockd sunrpc ipv6 xfrm_nalgo crypto_api dm_multipath scsi_dh video hwmon backlight sbs i2c_ec i2c_core button battery asus_acpi acpi_memhotplug ac parport_pc lp parport joydev sr_mod pcspkr bnx2 sg floppy i5000_edac edac_mc serio_raw ide_cd cdrom dm_raid45 dm_message dm_region_hash dm_mem_cache dm_snapshot dm_zero dm_mirror dm_log dm_mod usb_storage ata_piix libata shpchp megaraid_sas sd_mod scsi_mod ext3 jbd uhci_hcd ohci_hcd ehci_hcd
Pid: 0, comm: swapper Not tainted 2.6.18-164.el5 #1
RIP: 0010:[<ffffffff883addc7>] [<ffffffff883addc7>] :ipv6:ipv6_hop_jumbo+0x7d/0x1e8
RSP: 0018:ffffffff8043bc20 EFLAGS: 00010293
RAX: 0000000000000000 RBX: ffff81006d17ca80 RCX: 0000000000000000
RDX: 000000000000002a RSI: 000000000000002a RDI: ffff81007ea89024
RBP: ffff81006d17ca80 R08: ffff8100794b7a50 R09: 0000000000000000
R10: ffff81006d17ca80 R11: 00000000000000c8 R12: 000000000000002a
R13: 000000000000002a R14: 0000000000000006 R15: 0000000000000006
FS: 0000000000000000(0000) GS:ffffffff803c0000(0000) knlGS:0000000000000000
CS: 0010 DS: 0018 ES: 0018 CR0: 000000008005003b
CR2: 00000000000000d0 CR3: 00000000715e7000 CR4: 00000000000006e0
Process swapper (pid: 0, threadinfo ffffffff803f0000, task ffffffff802ffae0)
Stack: ffffffff883e6e30 ffffffff883ada87 ffffffff883e6e20 ffff81006d17ca80
 ffff81006d17cad8 ffff81007e0d6000 0000000000000001 ffff81007892dac0
 ffff81007892c000 ffffffff883ae38f 000000000000003e ffffffff804eca60
Call Trace:
 <IRQ> [<ffffffff883ada87>] :ipv6:ip6_parse_tlv+0x9d/0x117
 [<ffffffff883ae38f>] :ipv6:ipv6_parse_hopopts+0x8c/0xbd
 [<ffffffff8838f4a3>] :ipv6:ipv6_rcv+0x2a3/0x3f8
 [<ffffffff80020807>] netif_receive_skb+0x3c9/0x3f5
 [<ffffffff8824d81f>] :bnx2:bnx2_poll_work+0x10ee/0x1227
 [<ffffffff8008b876>] __activate_task+0x56/0x6d
 [<ffffffff8014a179>] cfq_dispatch_requests+0xed/0x526
 [<ffffffff8008a079>] sys32_ipc+0x79/0xf0
 [<ffffffff80096383>] current_tick_length+0x5/0x26
 [<ffffffff80096d98>] do_timer+0x2df/0x52c
 [<ffffffff8824dd0e>] :bnx2:bnx2_poll+0xdf/0x209
 [<ffffffff8000c845>] net_rx_action+0xac/0x1e0
 [<ffffffff8001235a>] __do_softirq+0x89/0x133
 [<ffffffff8005e2fc>] call_softirq+0x1c/0x28
 [<ffffffff8006cb14>] do_softirq+0x2c/0x85
 [<ffffffff8006c99c>] do_IRQ+0xec/0xf5
 [<ffffffff800571be>] mwait_idle+0x0/0x4a
 [<ffffffff8005d615>] ret_from_intr+0x0/0xa
 <EOI> [<ffffffff800571f4>] mwait_idle+0x36/0x4a
 [<ffffffff8004939e>] cpu_idle+0x95/0xb8
 [<ffffffff803fb7fd>] start_kernel+0x220/0x225
 [<ffffffff803fb22f>] _sinittext+0x22f/0x236

Code: 48 8b 80 d0 00 00 00 48 85 c0 74 1d 48 8b 80 a0 01 00 00 48
RIP [<ffffffff883addc7>] :ipv6:ipv6_hop_jumbo+0x7d/0x1e8
 RSP <ffffffff8043bc20>

crash> dis -l ipv6_hop_jumbo+0x7d
include/net/ip6_fib.h: 94
0xffffffff883addc7 <ipv6_hop_jumbo+125>: mov 0xd0(%rax),%rax

Let me know in the next few days if any additional information would be useful.
Patch available on the latest RHEL6 git tree.
(In reply to comment #8)
> I hit this issue on kernel-2.6.18-164.el5 (x86_64).
>
> This was on dell-pe2950-01.rhts.eng.bos.redhat.com running the stock kernel.
> The machine had been idle since booting.

We don't need any additional information. This issue has been addressed in Red Hat Enterprise Linux 5 via RHSA-2010:0019.
https://rhn.redhat.com/errata/RHSA-2010-0019.html

Thanks,
Eugene
git describe --contains 2570a4f5428bcdb1077622342181755741e7fa60
v2.6.33-rc6~29^2~37

fixes this