Description of problem:

The server side sets IPV6_RECVPKTINFO on a listening socket, and the client side just sends a message to the server. Then a kernel panic occurs on the server.

This problem happens because an skb is forcibly freed in tcp_rcv_state_process(). When a socket in the listening state (TCP_LISTEN) receives a SYN packet, tcp_v6_conn_request() is called from tcp_rcv_state_process(). If tcp_v6_conn_request() returns successfully, the skb is discarded by __kfree_skb(). However, in the case of a listening socket on which IPV6_RECVPKTINFO was already set, the address of the skb is stored in treq->pktopts and the skb's reference count is incremented in tcp_v6_conn_request(). So the skb is freed even though it is still in use, and whoever is still using the freed skb then causes the kernel panic.

Upstream commit:
http://git.kernel.org/linus/fb7e2399ec17f1004c0e0ccfd17439f8759ede01
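The reference-count mismatch described above, modelled in userspace C as an added illustration (not code from this report or from the kernel): the listener's discard path either ignores the reference that conn_request() stashed in pktopts (the forced free) or honours it (a refcount-aware free, the behaviour kfree_skb() has). The kernel function names here are models with the same semantics, not the real implementations, and a "freed" flag stands in for actual memory release so the dangling pointer can be observed without crashing.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed model of an sk_buff: just the user count and a freed flag. */
struct skb { int users; bool freed; };

/* Model of the request sock; pktopts mirrors treq->pktopts from the report. */
struct request { struct skb *pktopts; };

/* skb_get(): take one more reference. */
static void skb_get(struct skb *s) { s->users++; }

/* Models kfree_skb(): drop one reference, free only when none remain. */
static void kfree_skb_model(struct skb *s) { if (--s->users == 0) s->freed = true; }

/* Models __kfree_skb(): free unconditionally, ignoring outstanding users. */
static void force_free_skb(struct skb *s) { s->freed = true; }

/* Model of tcp_v6_conn_request(): with IPV6_RECVPKTINFO set on the listener,
 * it keeps the SYN skb for later and takes a reference on it. */
static int conn_request(struct request *req, struct skb *skb, bool recvpktinfo)
{
    if (recvpktinfo) {
        req->pktopts = skb;
        skb_get(skb);
    }
    return 0;
}

/* Model of the TCP_LISTEN branch of tcp_rcv_state_process(). `forced_free`
 * selects the pre-fix unconditional discard or the refcount-aware one.
 * Returns true if the request is left holding a pointer to a freed skb. */
static bool listen_receive_syn(bool recvpktinfo, bool forced_free)
{
    struct skb syn = { .users = 1, .freed = false };
    struct request req = { .pktopts = NULL };

    if (conn_request(&req, &syn, recvpktinfo) < 0)
        return false;
    if (forced_free)
        force_free_skb(&syn);    /* pre-fix: frees while pktopts still uses it */
    else
        kfree_skb_model(&syn);   /* honours the reference held via pktopts */

    bool dangling = req.pktopts != NULL && req.pktopts->freed;
    if (req.pktopts)
        kfree_skb_model(req.pktopts);  /* request finally drops its reference */
    return dangling;
}
```

Only the combination of IPV6_RECVPKTINFO on the listener and the forced free leaves a dangling pktopts; without the socket option no extra reference is taken, so the unconditional free is harmless there.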
Hi, Does this affect RHEL 5? Thanks!
Does disabling ipv6 mitigate this vulnerability?
(In reply to comment #3)
> Hi,
>
> Does this affect RHEL 5?

Hi Kirk,

We have released an update for Red Hat Enterprise Linux 5:
https://rhn.redhat.com/errata/RHSA-2010-0178.html

Thanks,
Eugene
(In reply to comment #4)
> Does disabling ipv6 mitigate this vulnerability?

Yes.
This issue has been addressed in the following products:

Red Hat Enterprise Linux 5.4.Z - Server Only

Via RHSA-2010:0380 https://rhn.redhat.com/errata/RHSA-2010-0380.html

This issue has been addressed in the following products:

Red Hat Enterprise Linux 4

Via RHSA-2010:0394 https://rhn.redhat.com/errata/RHSA-2010-0394.html

This issue has been addressed in the following products:

Red Hat Enterprise Linux 4.7 Z Stream

Via RHSA-2010:0424 https://rhn.redhat.com/errata/RHSA-2010-0424.html

This issue has been addressed in the following products:

Red Hat Enterprise Linux 5.3.Z - Server Only

Via RHSA-2010:0439 https://rhn.redhat.com/errata/RHSA-2010-0439.html

This issue has been addressed in the following products:

Red Hat Enterprise Linux 3 Extended Lifecycle Support

Via RHSA-2010:0882 https://rhn.redhat.com/errata/RHSA-2010-0882.html