Bug 979936 (CVE-2013-2224) - CVE-2013-2224 kernel: net: IP_RETOPTS invalid free
Summary: CVE-2013-2224 kernel: net: IP_RETOPTS invalid free
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2013-2224
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 979788 980141 980142 980144 998389
Blocks: 979907
Reported: 2013-07-01 07:54 UTC by Prasad Pandit
Modified: 2021-02-17 07:33 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-10-22 15:31:08 UTC
Embargoed:


Attachments
Proposed patch (845 bytes, patch) - 2013-07-01 10:30 UTC, Petr Matousek
RHEL-fix-freeing-RCU-protected-IP-options (1.64 KB, patch) - 2013-07-01 11:58 UTC, Kontantin Khlebnikov


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2013:1166 0 normal SHIPPED_LIVE Important: kernel security and bug fix update 2013-08-20 22:56:21 UTC
Red Hat Product Errata RHSA-2013:1173 0 normal SHIPPED_LIVE Important: kernel security and bug fix update 2013-08-27 23:23:53 UTC
Red Hat Product Errata RHSA-2013:1195 0 normal SHIPPED_LIVE Important: kernel security and bug fix update 2013-09-04 00:27:43 UTC
Red Hat Product Errata RHSA-2013:1450 0 normal SHIPPED_LIVE Important: kernel security and bug fix update 2013-10-22 21:02:36 UTC

Description Prasad Pandit 2013-07-01 07:54:14 UTC
The Linux kernel is found to be vulnerable to a denial of service and/or possible
code execution flaw caused by an invalid free while sending a message with the
sendmsg(2) call with the IP_RETOPTS socket option set. This option is set to pass
unprocessed IP options along with timestamps to a user via the IP_OPTIONS control
message.

An unprivileged user/program could use this flaw to crash the system, resulting
in DoS, or possibly gain root privileges via arbitrary code execution.

Reference:
----------
  -> http://www.openwall.com/lists/oss-security/2013/06/30/1

This issue was introduced via a Red Hat Enterprise Linux specific patch for CVE-2012-3552.

Comment 1 Prasad Pandit 2013-07-01 07:57:35 UTC
Statement:

This issue did not affect the version of the kernel package as shipped with Red Hat Enterprise MRG 2.

This issue affects the versions of Linux kernel as shipped with Red Hat Enterprise Linux 5 and Red Hat Enterprise Linux 6. Future kernel updates for Red Hat Enterprise Linux 5 and Red Hat Enterprise Linux 6 may address this issue.

Comment 2 Petr Matousek 2013-07-01 10:30:35 UTC
Created attachment 767318 [details]
Proposed patch

Looks to me like a rhel-only bug introduced by the fixes for CVE-2012-3552 -- we are kfree()ing kzalloc_ip_options()-allocated opts.

I'm brewing a rhel-6 kernel with the attached patch to test that.

Jiri, could you please have a quick look at the issue?

Comment 3 Kontantin Khlebnikov 2013-07-01 11:58:18 UTC
Created attachment 767364 [details]
RHEL-fix-freeing-RCU-protected-IP-options

The bug was introduced in the backport of mainline commit:
f6d8bd051c391c1c0458a30b2a7abcd939329259 (inet: add RCU protection to inet->opt)

This patch calls the right freeing method from all ip_cmsg_send() callers.
Struct ip_options is embedded into struct ip_options_rcu, so kfree should be
called with the right offset; otherwise it will poison the slab with misaligned objects.
These misaligned objects may intersect and corrupt each other.
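Added here to illustrate the layout point in comment 3 (this is not code from the bug, the kernel, or either attached patch): a user-space model in which struct ip_options sits inside a container behind an RCU head, so the pointer returned to callers is interior to the allocation and must be mapped back to the container before it is freed. The field list and rcu_head_model are simplified assumptions; the container_of idiom is the kernel's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Constructed stand-in for the kernel's struct rcu_head. */
struct rcu_head_model { void *next; void (*func)(void *); };

/* Simplified model of struct ip_options (real struct has more fields). */
struct ip_options {
    uint32_t faddr;
    unsigned char optlen;
    unsigned char __data[40];   /* IPv4 options are at most 40 bytes */
};

/* Model of struct ip_options_rcu: the options are EMBEDDED after the head. */
struct ip_options_rcu {
    struct rcu_head_model rcu;
    struct ip_options opt;      /* lives at a non-zero offset */
};

/* Kernel idiom: recover the containing struct from a pointer to a member. */
#define container_of(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))

/* How far the embedded pointer is from the allocation start; a plain
 * kfree(opt) on the member pointer is off by exactly this amount. */
size_t ip_options_embed_offset(void) {
    return offsetof(struct ip_options_rcu, opt);
}

/* Models kzalloc_ip_options(): one allocation, member pointer returned. */
struct ip_options *kzalloc_ip_options_model(unsigned char optlen) {
    struct ip_options_rcu *rcu = calloc(1, sizeof(*rcu));
    if (!rcu) return NULL;
    rcu->opt.optlen = optlen;
    return &rcu->opt;
}

/* Corrected release: free the container, not the interior member pointer. */
void free_ip_options_model(struct ip_options *opt) {
    if (!opt) return;
    free(container_of(opt, struct ip_options_rcu, opt));
}

/* 1 if the member pointer is interior, i.e. freeing it directly would be
 * the invalid free described in the report; 0 if it is the allocation start. */
int is_interior_pointer(struct ip_options *opt) {
    return (void *)opt != (void *)container_of(opt, struct ip_options_rcu, opt);
}

/* Allocate, confirm the returned pointer is interior, release correctly. */
int roundtrip_ok(void) {
    struct ip_options *opt = kzalloc_ip_options_model(8);
    if (!opt || opt->optlen != 8) return 0;
    int interior = is_interior_pointer(opt);
    free_ip_options_model(opt);
    return interior;
}
```

Built with -fsanitize=address, replacing the body of free_ip_options_model with free(opt) reproduces the class of fault as a "free on address not malloc()-ed" report, which is the user-space analogue of the slab poisoning described above.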

Comment 4 Petr Matousek 2013-07-01 12:02:28 UTC
Hi Konstantin,

(In reply to Kontantin Khlebnikov from comment #3)
> Created attachment 767364 [details]
> RHEL-fix-freeing-RCU-protected-IP-options
> 
> Bug was introduced in backport of mainline commit:
> f6d8bd051c391c1c0458a30b2a7abcd939329259 (inet: add RCU protection to
> inet->opt)

thank you for your submission. I am currently building a kernel with the patch from comment #2 (the same as yours) and will report back with the testing results.

Thanks,
--
Petr Matousek / Red Hat Security Response Team

Comment 5 Jiri Pirko 2013-07-01 12:09:46 UTC
Patch from comment #2 looks good to me.

Comment 6 Petr Matousek 2013-07-01 14:08:00 UTC
(In reply to Petr Matousek from comment #4)
...
> thank you for your submission. I am currently building kernel with patch
> from comment #2 (the same as yours) and will report back with the testing

The proposed patch indeed fixes the issue in question.

Comment 9 Steven Ciaburri 2013-07-01 16:25:53 UTC
The patch appears to work well on our end too!

Comment 10 Johnny Hughes 2013-07-02 22:04:28 UTC
CentOS has produced the following kernel that addresses this issue as an interim (use at your own risk) kernel for EL6:

http://people.centos.org/hughesjr/c6kernel/2.6.32-358.11.1.el6.cve20132224/

It applies the patch in comment #3 above to the current CentOS kernel.

Comment 11 Johnny Hughes 2013-07-17 06:08:14 UTC
CentOS has produced another kernel that addresses this issue with the newer 2.6.32-358.14.1.el6 kernel:

http://people.centos.org/hughesjr/c6kernel/2.6.32-358.14.1.el6.cve20132224/

It also is just the standard kernel and the one patch in comment #3.

Comment 13 errata-xmlrpc 2013-08-20 18:59:49 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2013:1166 https://rhn.redhat.com/errata/RHSA-2013-1166.html

Comment 14 errata-xmlrpc 2013-08-27 19:30:11 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2013:1173 https://rhn.redhat.com/errata/RHSA-2013-1173.html

Comment 15 errata-xmlrpc 2013-09-03 20:30:54 UTC
This issue has been addressed in the following products:

  OpenStack 3 for RHEL 6

Via RHSA-2013:1195 https://rhn.redhat.com/errata/RHSA-2013-1195.html

Comment 16 errata-xmlrpc 2013-10-22 17:03:17 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.3 EUS - Server and Compute Node Only

Via RHSA-2013:1450 https://rhn.redhat.com/errata/RHSA-2013-1450.html
