oss-sec mailing list archives
CVE Request: kernel: ipv6: using ipv4 vs ipv6 structure during routing lookup in sendmsg
From: Marcus Meissner <meissner () suse de>
Date: Tue, 2 Jul 2013 11:14:40 +0200
Hi, Also fresh in the mainline kernel and spotted by trinity: commit a963a37d384d71ad43b3e9e79d68d42fbe0901f3 Author: Eric Dumazet <edumazet () google com> Date: Wed Jun 26 04:15:07 2013 -0700 ipv6: ip6_sk_dst_check() must not assume ipv6 dst It's possible to use AF_INET6 sockets and to connect to an IPv4 destination. After this, socket dst cache is a pointer to a rtable, not rt6_info. ip6_sk_dst_check() should check the socket dst cache is IPv6, or else various corruptions/crashes can happen. Dave Jones can reproduce immediate crash with trinity -q -l off -n -c sendmsg -c connect With help from Hannes Frederic Sowa Reported-by: Dave Jones <davej () redhat com> Reported-by: Hannes Frederic Sowa <hannes () stressinduktion org> Signed-off-by: Eric Dumazet <edumazet () google com> Acked-by: Hannes Frederic Sowa <hannes () stressinduktion org> Signed-off-by: David S. Miller <davem () davemloft net> Can be triggered by non-root users according to Eric, so needs a CVE. Ciao, Marcus
Current thread:
- CVE Request: kernel: ipv6: using ipv4 vs ipv6 structure during routing lookup in sendmsg Marcus Meissner (Jul 02)
- Re: CVE Request: kernel: ipv6: using ipv4 vs ipv6 structure during routing lookup in sendmsg Kurt Seifried (Jul 02)