oss-sec mailing list archives
Re: CVE Request: kernel: ipv6: using ipv4 vs ipv6 structure during routing lookup in sendmsg
From: Kurt Seifried <kseifried () redhat com>
Date: Tue, 02 Jul 2013 12:34:16 -0600
On 07/02/2013 03:14 AM, Marcus Meissner wrote:
> Hi,
>
> Also fresh in the mainline kernel and spotted by trinity:
>
> commit a963a37d384d71ad43b3e9e79d68d42fbe0901f3
> Author: Eric Dumazet <edumazet () google com>
> Date: Wed Jun 26 04:15:07 2013 -0700
>
>     ipv6: ip6_sk_dst_check() must not assume ipv6 dst
>
>     It's possible to use AF_INET6 sockets and to connect to an IPv4
>     destination. After this, socket dst cache is a pointer to a rtable,
>     not rt6_info.
>
>     ip6_sk_dst_check() should check the socket dst cache is IPv6, or else
>     various corruptions/crashes can happen.
>
>     Dave Jones can reproduce immediate crash with
>     trinity -q -l off -n -c sendmsg -c connect
>
>     With help from Hannes Frederic Sowa
>
>     Reported-by: Dave Jones <davej () redhat com>
>     Reported-by: Hannes Frederic Sowa <hannes () stressinduktion org>
>     Signed-off-by: Eric Dumazet <edumazet () google com>
>     Acked-by: Hannes Frederic Sowa <hannes () stressinduktion org>
>     Signed-off-by: David S. Miller <davem () davemloft net>
>
> Can be triggered by non-root users according to Eric, so needs a CVE.
>
> Ciao, Marcus

Confirmed, locks up good.

Please use CVE-2013-2232 for this issue.

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993