oss-sec mailing list archives
Re: CVE-2012-5532 hypervkvpd DoS
From: Sebastian Krahmer <krahmer () suse de>
Date: Wed, 28 Nov 2012 09:08:20 +0100
Hi,

Indeed. CVE-2012-2669 was actually a fix from us, but it turns out that it was too strict. Exiting indeed makes no sense. :/

Sebastian

On Tue, Nov 27, 2012 at 02:32:22PM -0700, Vincent Danen wrote:
> * [2012-11-27 11:55:35 -0700] Vincent Danen wrote:
>
> > * [2012-11-27 11:21:03 -0700] Vincent Danen wrote:
> >
> > > Just a heads-up on a flaw that was found:
> > >
> > > Florian Weimer of the Red Hat Product Security Team discovered that hypervkvpd would exit when it processed a spoofed Netlink packet that had been sent from an untrusted local user, in the following code:
> > >
> > >     len = recvfrom(fd, kvp_recv_buffer, sizeof(kvp_recv_buffer), 0,
> > >                    addr_p, &addr_l);
> > >     if (len < 0 || addr.nl_pid) {
> > >         syslog(LOG_ERR, "recvfrom failed; pid:%u error:%d %s",
> > >                addr.nl_pid, errno, strerror(errno));
> > >         close(fd);
> > >         return -1;
> > >     }
> > >
> > > This has been corrected upstream already.
> > >
> > > References:
> > >
> > > https://git.kernel.org/?p=linux/kernel/git/gregkh/char-misc.git;a=commit;h=95a69adab9acfc3981c504737a2b6578e4d846ef
> > > https://bugzilla.redhat.com/show_bug.cgi?id=877572
> >
> > Ooops. This is a bit embarrassing. This is actually CVE-2012-2669. Please reject CVE-2012-5532 as a duplicate of CVE-2012-2669.
> >
> > Thanks.
>
> Wow, ok, this is a little convoluted. These actually are not the same thing.
>
> The old fix is here (so this would be CVE-2012-2669):
>
> https://git.kernel.org/?p=linux/kernel/git/gregkh/char-misc.git;a=blobdiff;f=tools/hv/hv_kvp_daemon.c;h=d9834b36294373f88d29731350ccc9d384b41788;hp=146fd6147e84be5cde2a66009f331f1b6ee2b805;hb=bcc2c9c3fff859e0eb019fe6fec26f9b8eba795c;hpb=cfaf025112d3856637ff34a767ef785ef5cf2ca9
>
> This, however, while detecting the spoofed netlink packet would still cause the daemon to exit. I'm not sure whether or not it actually fixed anything.
>
> This fix:
>
> https://git.kernel.org/?p=linux/kernel/git/gregkh/char-misc.git;a=blobdiff;f=tools/hv/hv_kvp_daemon.c;h=c1d910243d49abe6012595d50227648873994ed8;hp=13c2a142331defeb539e40b9fe4d942f66c3aa4a;hb=95a69adab9acfc3981c504737a2b6578e4d846ef;hpb=aeba4a06f28fad11b1e61d150bd3cde3008b80c8
>
> fixes the previous commit so that now the daemon no longer exits on these bad packets. This would be CVE-2012-5532.
>
> So CVE-2012-2669 is for "failing to check origin of netlink messages" and CVE-2012-5532 is for the "exiting upon receipt of spoofed netlink messages" (or something to that effect anyways).
>
> My apologies for the noise.
>
> --
> Vincent Danen / Red Hat Security Response Team
-- ~ perl self.pl ~ $_='print"\$_=\47$_\47;eval"';eval ~ krahmer () suse de - SuSE Security Team
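The two behaviours the thread distinguishes, as an added illustration that is not part of the mail above and not code from hv_kvp_daemon.c or the kernel tree: a netlink receiver that treats a message with a non-zero sender nl_pid as untrusted and bails out of its service loop (the daemon exits, the CVE-2012-5532 DoS), beside one that logs and drops such a message and goes back to recvfrom(). The function names kvp_classify_recv(), kvp_serve_exit_on_spoof(), kvp_serve_drop_spoof(), kvp_demo_spoofed() and the sample packets are this example's own; recvfrom() is replaced by a constructed array of receive results so the code runs without a Hyper-V host. That a socket error stays fatal while a spoofed sender is merely dropped is this example's design choice.

```c
/* Added example, not code from hv_kvp_daemon.c: two reactions of a netlink
 * receiver to a message that fails the sender-origin check. All names and
 * the sample packets below are this example's own. */
#include <stdio.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <linux/netlink.h>

enum kvp_rx { KVP_RX_OK, KVP_RX_ERROR, KVP_RX_SPOOFED };

/* The kernel fills in the sender address on recvfrom(). Messages that
 * originate in the kernel carry nl_pid == 0; a user-space netlink socket
 * always shows up with a non-zero port id, so nl_pid != 0 means a local
 * process, not the hypervisor path, produced the message. */
enum kvp_rx kvp_classify_recv(ssize_t len, const struct sockaddr_nl *addr)
{
    if (len < 0)
        return KVP_RX_ERROR;    /* recvfrom() itself failed */
    if (addr->nl_pid != 0)
        return KVP_RX_SPOOFED;  /* sent by a local user, not the kernel */
    return KVP_RX_OK;
}

/* One constructed recvfrom() result: length returned and sender's nl_pid. */
struct sample_pkt { ssize_t len; __u32 nl_pid; };

/* Behaviour between the two commits: the loop returns -1 as soon as the
 * origin check fails, so the daemon exits (the DoS). Returns the number of
 * messages served, or -1 if the loop aborted. */
int kvp_serve_exit_on_spoof(const struct sample_pkt *pkts, size_t n)
{
    int served = 0;
    for (size_t i = 0; i < n; i++) {
        struct sockaddr_nl addr = { .nl_family = AF_NETLINK,
                                    .nl_pid = pkts[i].nl_pid };
        if (kvp_classify_recv(pkts[i].len, &addr) != KVP_RX_OK) {
            fprintf(stderr, "recvfrom failed; pid:%u\n", addr.nl_pid);
            return -1;          /* "close(fd); return -1;" in the daemon */
        }
        served++;
    }
    return served;
}

/* Fixed behaviour: a socket error is still fatal, but a message from an
 * untrusted pid is logged, dropped, and the loop keeps receiving. Returns
 * messages served, or -1 on a socket error; *spoofed counts the drops. */
int kvp_serve_drop_spoof(const struct sample_pkt *pkts, size_t n, int *spoofed)
{
    int served = 0;
    if (spoofed)
        *spoofed = 0;
    for (size_t i = 0; i < n; i++) {
        struct sockaddr_nl addr = { .nl_family = AF_NETLINK,
                                    .nl_pid = pkts[i].nl_pid };
        switch (kvp_classify_recv(pkts[i].len, &addr)) {
        case KVP_RX_ERROR:
            fprintf(stderr, "recvfrom failed\n");
            return -1;
        case KVP_RX_SPOOFED:
            fprintf(stderr, "Received packet from untrusted pid:%u\n",
                    addr.nl_pid);
            if (spoofed)
                (*spoofed)++;
            continue;           /* back to recvfrom(), do not exit */
        case KVP_RX_OK:
            served++;
            break;
        }
    }
    return served;
}

/* Constructed sample: two kernel messages with a user-space message
 * (nl_pid 4242) injected between them, as an unprivileged local user could. */
const struct sample_pkt kvp_sample_pkts[] = {
    { 128, 0 }, { 16, 4242 }, { 128, 0 }
};
const size_t kvp_sample_count = sizeof(kvp_sample_pkts) / sizeof(kvp_sample_pkts[0]);

/* How many sample messages the fixed loop drops as spoofed. */
int kvp_demo_spoofed(void)
{
    int spoofed = 0;
    kvp_serve_drop_spoof(kvp_sample_pkts, kvp_sample_count, &spoofed);
    return spoofed;
}

int main(void)
{
    int spoofed = 0;
    printf("exit-on-spoof: served %d\n",
           kvp_serve_exit_on_spoof(kvp_sample_pkts, kvp_sample_count));
    printf("drop-spoof: served %d, dropped %d\n",
           kvp_serve_drop_spoof(kvp_sample_pkts, kvp_sample_count, &spoofed),
           spoofed);
    return 0;
}
```

With the sample input the exit-on-spoof loop serves one message and then returns -1, which in the daemon means the process is gone and the guest loses KVP service until someone restarts it; the drop variant serves both kernel messages and records one dropped packet. The origin check itself is the same in both loops; the whole difference between CVE-2012-2669 and CVE-2012-5532 is what happens after it fires.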
Current thread:
- CVE-2012-5532 hypervkvpd DoS Vincent Danen (Nov 27)
- Re: CVE-2012-5532 hypervkvpd DoS Vincent Danen (Nov 27)
- Re: CVE-2012-5532 hypervkvpd DoS Vincent Danen (Nov 27)
- Re: CVE-2012-5532 hypervkvpd DoS Sebastian Krahmer (Nov 28)
- Re: CVE-2012-5532 hypervkvpd DoS Vincent Danen (Nov 27)
- Re: CVE-2012-5532 hypervkvpd DoS Vincent Danen (Nov 27)