Bug 234821 (CVE-2008-3686) - Linux 2.6.26 rt6_fill_node() NULL dereference (CVE-2008-3686)
Summary: Linux 2.6.26 rt6_fill_node() NULL dereference (CVE-2008-3686)
Status: RESOLVED FIXED
Alias: CVE-2008-3686
Product: Gentoo Security
Classification: Unclassified
Component: Kernel
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://lkml.org/lkml/2008/8/7/230
Whiteboard: [linux >=2.6.26 <2.6.26.3] [gp >=2.6....
Keywords:
Depends on:
Blocks:
 
Reported: 2008-08-15 14:04 UTC by Robert Buchholz (RETIRED)
Modified: 2013-09-12 04:50 UTC
CC List: 1 user

See Also:
Package list:
Runtime testing required: ---


Attachments

Description Robert Buchholz (RETIRED) gentoo-dev 2008-08-15 14:04:18 UTC
CVE-2008-3686 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3686):
  The rt6_fill_node function in Linux kernel 2.6.26-rc4, 2.6.26.2, and possibly
  other 2.6.26 versions, allows local users to cause a denial of service
  (kernel OOPS) via IPv6 requests when no IPv6 input device is in use, which
  triggers a NULL pointer dereference.
Comment 2 kfm 2009-07-20 19:41:37 UTC
Added <2.6.26.2 to version scope in status whiteboard as the aforementioned patch was added in 2.6.26.3. It could be that versions <2.6.26 are affected also but I haven't checked.

PS: Anything using >=genpatches-2.6.26-3 is unaffected
Comment 3 kfm 2009-07-20 19:43:01 UTC
I beg your pardon, the previous comment should have begun with "Added <2.6.26.3 to version scope ..."
Comment 4 kfm 2009-07-23 23:15:03 UTC
I needed to be sure that our 2.6.25 kernel wasn't affected so I took a closer look. In 2.6.26, the offending line of code is as follows:

> if (ipv6_dev_get_saddr(ip6_dst_idev(&rt->u.dst)->dev, dst, 0, &saddr_buf) == 0)

The problem being that the dst entry may be NULL and that there is no prior check for that eventuality. In 2.6.25, it looks like this:

> if (ipv6_get_saddr(&rt->u.dst, dst, &saddr_buf) == 0)

The arguments used by the ipv6_get_saddr() function are different; it doesn't require a net struct pointer as the first argument. Therefore, ip6_dst_idev() is not used here at all, which is where the dereference would otherwise have occurred (but it's an inline function, hence the finger being pointed in the direction of wherever it's employed).

Removing hardened-kernel under the presumption that the above isn't complete and utter nonsense.
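A user-space model of the dereference described in Comment 4, added here as an illustration and not code from the kernel or from this bug: the struct, function and device names are simplified stand-ins for the kernel's rt6_info / inet6_dev / ip6_dst_idev() / ipv6_dev_get_saddr(), and the "hardened" variant only shows the null-check shape, not the actual upstream patch.

```c
/* Model of the rt6_fill_node() NULL dereference (CVE-2008-3686).
 * Not kernel code: all names below are simplified stand-ins. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct net_device { char name[16]; };
struct inet6_dev  { struct net_device *dev; };      /* per-device IPv6 state */
struct rt6_info   { struct inet6_dev *rt6i_idev; }; /* NULL when no IPv6 idev */

/* Mirrors ip6_dst_idev(): an inline accessor that just returns the idev
 * pointer. The dereference happens in the caller, which is why the OOPS
 * is attributed to rt6_fill_node() rather than to this helper. */
static inline struct inet6_dev *ip6_dst_idev(struct rt6_info *rt)
{
    return rt->rt6i_idev;
}

/* Stand-in for ipv6_dev_get_saddr(): 0 on success, -1 when there is no
 * device to pick a source address from. A NULL dev is tolerated here. */
static int ipv6_dev_get_saddr(struct net_device *dev, char *saddr, size_t len)
{
    if (dev == NULL)
        return -1;
    snprintf(saddr, len, "fe80::1%%%s", dev->name); /* constructed sample */
    return 0;
}

/* 2.6.26 pattern: ip6_dst_idev() result is dereferenced with no prior
 * check. With rt6i_idev == NULL this reads through a NULL pointer, which
 * in the kernel is the reported OOPS. Do not call with a NULL idev. */
int fill_saddr_unchecked(struct rt6_info *rt, char *saddr, size_t len)
{
    return ipv6_dev_get_saddr(ip6_dst_idev(rt)->dev, saddr, len);
}

/* Hardened pattern: fetch the idev pointer once, test it, and only then
 * dereference it; a route without an IPv6 idev yields no source address. */
int fill_saddr_checked(struct rt6_info *rt, char *saddr, size_t len)
{
    struct inet6_dev *idev = ip6_dst_idev(rt);
    return ipv6_dev_get_saddr(idev ? idev->dev : NULL, saddr, len);
}
```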