Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 158809 (CVE-2006-5749) - Kernel: Remote denial of service in isdn_ppp (CVE-2006-5749)
Summary: Kernel: Remote denial of service in isdn_ppp (CVE-2006-5749)
Status: RESOLVED FIXED
Alias: CVE-2006-5749
Product: Gentoo Security
Classification: Unclassified
Component: Kernel (show other bugs)
Hardware: All Linux
: High normal
Assignee: Gentoo Security
URL: http://kernel.org/pub/linux/kernel/v2...
Whiteboard: [linux <2.4.34]
Keywords:
Depends on:
Blocks:
 
Reported: 2006-12-22 01:06 UTC by Sune Kloppenborg Jeppesen (RETIRED)
Modified: 2013-09-05 03:21 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-12-22 01:06:05 UTC
the function isdn_ppp_ccp_reset_alloc_state() in 
drivers/isdn/i4l/isdn_ppp.c (after kmalloc() + memset to 0) sets 
->timer.function and ->timer.data later on calls add_timer() with no 
init_timer() ever done and that's an instant death.

The first thing add_timer() does is

         for (;;) {
                 base = timer->base;
                 if (likely(base != NULL)) {
                         spin_lock_irqsave(&base->lock, *flags);
                         if (likely(base == timer->base))
                                 return base;
                         /* The timer has migrated to another CPU */
                         spin_unlock_irqrestore(&base->lock, *flags);
                 }
                 cpu_relax();
         }

and timer->base is what init_timer() sets if it's left NULL, well...

The add_timer() in this case is called on decompression errors.
Comment 1 Harlan Lieberman-Berg (RETIRED) gentoo-dev 2006-12-26 19:38:52 UTC
Locking as Gentoo Security until I get confirmation from two Security Devs.
Comment 2 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-09-19 21:01:34 UTC
Public since ages...