Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 133465

Summary: Kernel: netfilter do_add_counters race (CVE-2006-0039)
Product: Gentoo Security Reporter: Sune Kloppenborg Jeppesen (RETIRED) <jaervosz>
Component: KernelAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: agriffis, chrb, gimli, johnm, kang
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.16.y.git;a=commit;h=893acf3cd9ad9df7ccb582c009c3759abede330b
Whiteboard: [linux <2.6.16.17]
Package list:
Runtime testing required: ---

Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-05-16 03:15:34 UTC 
Not sure wether we already fixed this one or was unaffected. Filing to be sure:

Solar Designer found a race condition in do_add_counters(). The beginning of
paddc is supposed to be the same as tmp which was sanity-checked above, but it
might not be the same in reality. In case the integer overflow and/or the race
condition are triggered, paddc->num_counters might not match the allocation size
for paddc. If the check below (t->private->number != paddc->num_counters)
nevertheless passes (perhaps this requires the race condition to be triggered),
IPT_ENTRY_ITERATE() would read kernel memory beyond the allocation size,
potentially leaking sensitive data (e.g., passwords from host system or from
another VPS) via counter increments.
Comment 1 Tim Yamin (RETIRED) gentoo-dev 2006-05-19 07:02:08 UTC 
Dan, please add this patch to genpatches, thanks:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=191698
Comment 2 Tim Yamin (RETIRED) gentoo-dev 2006-05-19 07:03:03 UTC 
Patch URL: https://bugzilla.redhat.com/bugzilla/attachment.cgi?id=129163
Comment 3 Daniel Drake (RETIRED) gentoo-dev 2006-05-21 08:47:53 UTC 
Fixed in genpatches-2.6.16-10 (gentoo-sources-2.6.16-r8)

P.S. The patch you linked to is not the complete fix
Comment 4 Tim Yamin (RETIRED) gentoo-dev 2006-05-26 08:17:36 UTC 
2.6.16.17 has the full fix along with some more SCTP goodies.
Comment 5 Tim Yamin (RETIRED) gentoo-dev 2006-05-26 08:40:35 UTC 
Maintainers please bump to genpatches-2.6.16-10 or 2.6.16.18:

hardened-sources-2.6: johnm, hardened herd
hppa-sources-2.6: GMSoft
rsbac-sources-2.6: kang
sh-sources-2.6: vapier
suspend2-sources-2.6: brix
usermode-sources-2.6: dang
xbox-sources-2.6: chrb, gimli
xen-sources-2.6: chrb, agriffis
Comment 6 Guy Martin (RETIRED) gentoo-dev 2006-05-26 09:05:39 UTC 
hppa-sources-2.6.16.18-pa11 in the tree.
Comment 7 Henrik Brix Andersen 2006-05-26 13:56:21 UTC 
Fixed in sys-kernel/suspend2-sources-2.6.16-r7.
Comment 8 Daniel Gryniewicz (RETIRED) gentoo-dev 2006-05-28 20:11:39 UTC 
usermode bumped to 2.6.16-r1
Comment 9 Tim Yamin (RETIRED) gentoo-dev 2006-06-24 11:50:39 UTC 
All fixed, closing. vapier please bump sh-sources.