Bug 116486 - Kernel: various Local DoS (CVE-2005-{3808,3848,3857,3858})
Bug#: 116486
Product: Gentoo Security
Version: unspecified
Platform: All
OS/Version: Linux
Status: RESOLVED
Severity: minor
Priority: P2
Resolution: FIXED
Assigned To: security@gentoo.org
Reported By: koon@gentoo.org
Component: Kernel
URL:
Keywords:
Status Whiteboard: [linux < 2.6.14.4]
Opened: 2005-12-23 05:42 0000
Description:
From Ubuntu's USN-231-1:

An integer overflow was discovered in the
invalidate_inode_pages2_range() function. By issuing 64-bit mmap calls
on a 32-bit system, a local user could exploit this to crash the
machine, thereby causing Denial of Service. This flaw does not affect
the amd64 platform, and only affects Ubuntu 5.10. (CVE-2005-3808)

Ollie Wild discovered a memory leak in the icmp_push_reply() function.
By sending a large number of specially crafted packets, a remote
attacker could exploit this to drain all memory, which eventually
leads to a Denial of Service. (CVE-2005-3848)

Chris Wright found a Denial of Service vulnerability in the
time_out_leases() function. By allocating a large number of VFS file
lock leases and having them time out at the same time, a large number
of 'printk' debugging statements were generated at the same time, which
could exhaust kernel memory. (CVE-2005-3857)

Patrick McHardy discovered a memory leak in the ip6_input_finish()
function. A remote attacker could exploit this by sending specially
crafted IPv6 packets, which would eventually drain all available
kernel memory, thus causing a Denial of Service. (CVE-2005-3858)

------- Comment #1 From Tim Yamin (RETIRED) 2005-12-23 17:24:44 0000 -------
Patches:

invalidate_inode_pages2_range issue:
http://www.kernel.org/hg/linux-2.6/?cs=6d5ffbb49406

icmp_push_reply issue:
http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=cb94c62c252796f42bb83fe40960d12f3ea5a82a;hp=22783649568a28839c5a362f47da7819ecfcbb9f

time_out_leases:
http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=7ed0175a462c4c30f6df6fac1cccac058f997739

CVE-2005-3858 affects < 2.6.13; patch:
http://marc.theaimsgroup.com/?l=linux-kernel&m=112508479120081&w=2

------- Comment #2 From Tim Yamin (RETIRED) 2006-01-02 16:11:42 0000 -------
invalidate_inode_pages2_range issue: 2.6.14.4
icmp_push_reply issue: 2.6.14
time_out_leases: 2.6.14.3
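
A check an administrator could run against the upstream fix versions listed in Comment #2 (and the "< 2.6.13" bound for CVE-2005-3858 from Comment #1), added here as an example and not part of the bug report. The amd64 exemption for CVE-2005-3808 follows the advisory text; the handling of distribution suffixes such as `-gentoo-r1` or `_p1` in the version string is an assumption, and backported fixes in a distribution kernel are not detected.

```python
import re

# Upstream fix versions taken from Comment #1 and Comment #2 of this bug:
# a kernel is considered affected when its version is below the fix version.
FIXED_IN = {
    "CVE-2005-3808": (2, 6, 14, 4),  # invalidate_inode_pages2_range
    "CVE-2005-3848": (2, 6, 14),     # icmp_push_reply
    "CVE-2005-3857": (2, 6, 14, 3),  # time_out_leases
    "CVE-2005-3858": (2, 6, 13),     # ip6_input_finish
}

# Per the advisory, the mmap integer overflow only affects 32-bit systems.
NOT_ON_AMD64 = {"CVE-2005-3808"}


def parse_kernel_version(release):
    """Extract the numeric kernel version from a `uname -r` string.

    Assumption: only the leading dotted numeric part counts; distribution
    suffixes such as '-gentoo-r1', '-ck' or '_p1' are ignored.
    """
    m = re.match(r"(\d+(?:\.\d+)*)", release)
    if not m:
        raise ValueError("unrecognised kernel version: %r" % release)
    return tuple(int(x) for x in m.group(1).split("."))


def unpatched_cves(release, arch=None):
    """Return the sorted CVEs from this bug whose upstream fix is newer than `release`.

    Tuple comparison handles the missing fourth component correctly:
    (2, 6, 14) < (2, 6, 14, 4) but (2, 6, 14, 5) is not. `arch` is the
    `uname -m` value; on amd64 the 32-bit-only issue is dropped.
    """
    version = parse_kernel_version(release)
    affected = [cve for cve, fixed in FIXED_IN.items() if version < fixed]
    if arch in ("x86_64", "amd64"):
        affected = [cve for cve in affected if cve not in NOT_ON_AMD64]
    return sorted(affected)


if __name__ == "__main__":
    import platform
    print(unpatched_cves(platform.release(), platform.machine()))
```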

------- Comment #3 From Tim Yamin (RETIRED) 2006-01-02 16:23:08 0000 -------
Adding maintainers:

ck-sources: marineam
hppa-sources: GMSoft
mips-sources-2.6.13: Kumba
rsbac-sources: kang
sh-sources: sh herd
xbox-sources: gimli

------- Comment #4 From SpanKY 2006-01-02 16:25:12 0000 -------
feel free to update sh-sources as you wish ... just grab me if the mega sh
patch stops applying after you do

------- Comment #5 From Michael Marineau 2006-01-05 12:09:19 0000 -------
ck-sources already includes 2.6.14.5

------- Comment #6 From Guy Martin 2006-01-07 03:11:02 0000 -------
Fixed on hppa in hppa-sources-2.6.15_p1.

------- Comment #7 From Tim Yamin (RETIRED) 2006-01-15 06:40:44 0000 -------
*** Bug 114230 has been marked as a duplicate of this bug. ***

------- Comment #8 From Tim Yamin (RETIRED) 2006-04-15 12:02:58 0000 -------
All fixed now, resolving bug.