Bug 116486 - Kernel: various Local DoS (CVE-2005-{3808,3848,3857,3858})
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Kernel
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL:
Whiteboard: [linux < 2.6.14.4]
Keywords:
Duplicates: 114230
Depends on:
Blocks:
 
Reported: 2005-12-23 05:42 UTC by Thierry Carrez (RETIRED)
Modified: 2009-05-03 15:56 UTC

Description Thierry Carrez (RETIRED) gentoo-dev 2005-12-23 05:42:04 UTC
From Ubuntu's USN-231-1

An integer overflow was discovered in the
invalidate_inode_pages2_range() function. By issuing 64-bit mmap calls
on a 32 bit system, a local user could exploit this to crash the
machine, thereby causing Denial of Service. This flaw does not affect
the amd64 platform, and does only affect Ubuntu 5.10. (CVE-2005-3808)

Ollie Wild discovered a memory leak in the icmp_push_reply() function.
By sending a large amount of specially crafted packets, a remote
attacker could exploit this to drain all memory, which eventually
leads to a Denial of Service. (CVE-2005-3848)

Chris Wright found a Denial of Service vulnerability in the
time_out_leases() function. By allocating a large number of VFS file
lock leases and having them timeout at the same time, a large number
of 'printk' debugging statements was generated at the same time, which
could exhaust kernel memory. (CVE-2005-3857)

Patrick McHardy discovered a memory leak in the ip6_input_finish()
function. A remote attacker could exploit this by sending specially
crafted IPv6 packets, which would eventually drain all available
kernel memory, thus causing a Denial of Service. (CVE-2005-3858)
Comment 2 Tim Yamin (RETIRED) gentoo-dev 2006-01-02 16:11:42 UTC
invalidate_inode_pages2_range issue: 2.6.14.4
icmp_push_reply issue: 2.6.14
time_out_leases: 2.6.14.3
Comment 3 Tim Yamin (RETIRED) gentoo-dev 2006-01-02 16:23:08 UTC
Adding maintainers:

ck-sources: marineam
hppa-sources: GMSoft
mips-sources-2.6.13: Kumba
rsbac-sources: kang
sh-sources: sh herd
xbox-sources: gimli
Comment 4 SpanKY gentoo-dev 2006-01-02 16:25:12 UTC
feel free to update sh-sources as you wish ... just grab me if the mega sh patch stops applying after you do
Comment 5 Micheal Marineau (RETIRED) gentoo-dev 2006-01-05 12:09:19 UTC
ck-sources already includes 2.6.14.5
Comment 6 Guy Martin (RETIRED) gentoo-dev 2006-01-07 03:11:02 UTC
Fixed on hppa in hppa-sources-2.6.15_p1.
Comment 7 Tim Yamin (RETIRED) gentoo-dev 2006-01-15 06:40:44 UTC
*** Bug 114230 has been marked as a duplicate of this bug. ***
Comment 8 Tim Yamin (RETIRED) gentoo-dev 2006-04-15 12:02:58 UTC
All fixed now, resolving bug.