| Summary: | Kernel: Remote denial of service in isdn_ppp (CVE-2006-5749) | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Sune Kloppenborg Jeppesen (RETIRED) <jaervosz> |
| Component: | Kernel | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | normal | ||
| Priority: | High | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | http://kernel.org/pub/linux/kernel/v2.4/ChangeLog-2.4.34 | ||
| Whiteboard: | [linux <2.4.34] | ||
| Package list: | Runtime testing required: | --- | |
Locking as Gentoo Security until I get confirmation from two Security Devs. Public since ages... |
the function isdn_ppp_ccp_reset_alloc_state() in drivers/isdn/i4l/isdn_ppp.c (after kmalloc() + memset to 0) sets ->timer.function and ->timer.data later on calls add_timer() with no init_timer() ever done and that's an instant death. The first thing add_timer() does is for (;;) { base = timer->base; if (likely(base != NULL)) { spin_lock_irqsave(&base->lock, *flags); if (likely(base == timer->base)) return base; /* The timer has migrated to another CPU */ spin_unlock_irqrestore(&base->lock, *flags); } cpu_relax(); } and timer->base is what init_timer() sets if it's left NULL, well... The add_timer() in this case is called on decompression errors.