Bugzilla – Bug 490608
VUL-0: kernel: af_rose/x25: Sanity check the maximum user frame size
Last modified: 2010-11-16 00:56:40 UTC
Reply-To: oss-security@lists.openwall.com
Date: Wed, 08 Apr 2009 15:58:55 +0800
From: Eugene Teo <eugene@redhat.com>
User-Agent: Thunderbird 2.0.0.21 (X11/20090320)
To: oss-security@lists.openwall.com
Cc: Willy Tarreau <w@1wt.eu>
Subject: [oss-security] CVE-2009-1265 kernel: af_rose/x25: Sanity check the maximum user frame size

{nr,rose,x25}_sendmsg() functions need to have sanity checks on the packet size, otherwise the sizes can wrap and end up sending garbage.

http://bugzilla.kernel.org/show_bug.cgi?id=10423
http://git.kernel.org/linus/83e0bbcbe2145f160fbaa109b0439dae7f4a38a9
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1265

This affects both 2.4.x and 2.6.x if CONFIG_{NETROM,ROSE,X25} are enabled.

Thanks, Eugene
--
Eugene Teo, RHCA, RHCSS / Red Hat Security Response Team
needs to be fixed in next update round
*** Bug 496610 has been marked as a duplicate of this bug. ***
I'm on it.
Created attachment 287366: af_rose/x25: Sanity check the maximum user frame size

For reference, here is the patch I used for SLES10 SP2. For other kernel branches the fix is the same, modulo some offset.
Fix committed to kernel branches SLES9_SP3, SLES9_SP4, SLES10_SP1, SLES10_SP2, SLES10_SP3, SLE11, SL103 and SL110.
Hm, is our patch sufficient?

Reply-To: oss-security@lists.openwall.com
Date: Thu, 23 Apr 2009 14:54:06 +0800
From: Eugene Teo <eugene@redhat.com>
User-Agent: Thunderbird 2.0.0.21 (X11/20090320)
To: oss-security@lists.openwall.com
Cc: Willy Tarreau <w@1wt.eu>
Subject: Re: [oss-security] Re: CVE-2009-1265 kernel: af_rose/x25: Sanity check the maximum user frame size

Willy Tarreau wrote:
> Hi Eugene,
>
> On Wed, Apr 08, 2009 at 03:58:55PM +0800, Eugene Teo wrote:
>> {nr,rose,x25}_sendmsg() functions need to have sanity checks on the
>> packet size, otherwise the sizes can wrap and end up sending garbage.
>>
>> http://bugzilla.kernel.org/show_bug.cgi?id=10423
>> http://git.kernel.org/linus/83e0bbcbe2145f160fbaa109b0439dae7f4a38a9
>> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1265
>>
>> This affects both 2.4.x and 2.6.x if CONFIG_{NETROM,ROSE,X25} are enabled.
>
> I already have it in my queue, just did not have time to merge it yet.
> Thanks for the reminder anyway, I really appreciate it ;-)

You will need this too :)

upstream commit: cc29c70dd581f85ee7a3e7980fb031f90b90a2ab

Patch "af_rose/x25: Sanity check the maximum user frame size" (commit 83e0bbcbe2145f160fbaa109b0439dae7f4a38a9) from Alan Cox got locking wrong. If we bail out due to user frame size being too large, we must unlock the socket beforehand.

Thanks, Eugene
--
Eugene Teo / Red Hat Security Response Team
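The two upstream commits quoted above describe a pattern worth seeing side by side: a frame-length check that bounds the user-supplied size before any derived buffer size is computed, and the requirement that the early-exit path for an oversized frame release the socket lock it took. The following is an added illustration, written for this page and not code from the Linux kernel or from either patch. The socket structure, the lock helpers, the 16-bit length computation and the limits DEMO_MAX_FRAME and DEMO_HEADER_LEN are all constructed stand-ins chosen to make the wrap and the lock leak observable in user space; the real sendmsg paths, constants and locking primitives are in the kernel sources linked above.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for the kernel socket; only the lock state is modelled. */
struct demo_sock {
    bool locked;
};

static void lock_sock(struct demo_sock *sk)    { sk->locked = true;  }
static void release_sock(struct demo_sock *sk) { sk->locked = false; }

/* Hypothetical limits for the demonstration, not the kernel's constants. */
#define DEMO_MAX_FRAME  65535u   /* largest user payload the protocol carries */
#define DEMO_HEADER_LEN 20u      /* bytes reserved in front of the payload */

/* Models a frame-buffer length derived from an unchecked user length in a
 * narrow field: once len leaves the field's range the sum wraps and a buffer
 * far smaller than len bytes would be allocated. Returns the wrapped value. */
static unsigned short demo_frame_alloc_len(size_t len)
{
    return (unsigned short)(len + DEMO_HEADER_LEN);
}

/* First attempt: the size check is present but the early return forgets the
 * release, so the caller is left holding the lock. This is the locking
 * mistake the follow-up commit in the thread describes. */
static int demo_sendmsg_leaky(struct demo_sock *sk, size_t len)
{
    lock_sock(sk);
    if (len > DEMO_MAX_FRAME)
        return -EMSGSIZE;          /* defect: lock still held on this path */
    (void)demo_frame_alloc_len(len);
    release_sock(sk);
    return 0;
}

/* Corrected: bound len before any derived size is computed, and route every
 * exit through one label so the lock is released on the error path too. */
static int demo_sendmsg_checked(struct demo_sock *sk, size_t len)
{
    int err = 0;

    lock_sock(sk);
    if (len > DEMO_MAX_FRAME) {
        err = -EMSGSIZE;
        goto out;
    }
    /* len is now bounded, so the derived length cannot wrap */
    (void)demo_frame_alloc_len(len);
out:
    release_sock(sk);
    return err;
}

/* Runs one variant on a fresh socket and reports the return code and
 * whether the lock was still held afterwards. */
static int demo_run(int (*fn)(struct demo_sock *, size_t), size_t len, bool *held)
{
    struct demo_sock sk = { .locked = false };
    int rc = fn(&sk, len);
    *held = sk.locked;
    return rc;
}

int main(void)
{
    bool held;
    int rc;

    rc = demo_run(demo_sendmsg_leaky, 70000u, &held);
    printf("leaky:   rc=%d lock held afterwards=%d\n", rc, held);
    rc = demo_run(demo_sendmsg_checked, 70000u, &held);
    printf("checked: rc=%d lock held afterwards=%d\n", rc, held);
    printf("wrapped alloc length for 65536 bytes: %u\n",
           (unsigned)demo_frame_alloc_len(65536u));
    return 0;
}
```

The point of the contrast is that rejecting an oversized frame is only half of the fix: an error path that leaves a lock held turns a rejected send into a later deadlock or a hung socket, which is why the second upstream commit was needed on top of the first.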
Thomas, the additional fix is from myself, so I am pretty well aware of it ;) I found the problem while backporting the original fix to our kernel, and reported it upstream.
Haha, thanks!
I don't know if you can readily answer this, but I have a customer who has a question on this security vulnerability and the z-series. Specifically they have asked:

**************
Are the modules referenced by CVE-2009-1265 compiled into the kernels that Novell builds for use on IBM System z hardware?

This CVE identifies integer overflow vulnerabilities in three Linux kernel source modules:

/usr/src/linux/net/netrom/af_netrom.c
/usr/src/linux/net/rose/af_rose.c
/usr/src/linux/net/x25/af_x25.c

They are running both SLES 9 and SLES 10 on IBM system z. Their security staff wants to know if they are running at risk. They didn't see any corresponding object/module files (i.e. *.ko) for these sources in the /lib/modules directory tree. So, I'm wondering if it is possible that these sources get built into some other module(s). If these sources have been compiled, what would the output file names be?
***************

Thank you for anything you can tell me.
Jeff, the IBM system Z running SLES 9 or 10 are not affected by this security vulnerability. af_rose and af_netrom aren't even supported on S/390. af_x25 is, but we did not enable it in the SLES kernels.

For reference, here are the paths to the affected kernel modules:

/lib/modules/*/kernel/net/netrom/netrom.ko
/lib/modules/*/kernel/net/rose/rose.ko
/lib/modules/*/kernel/net/x25/x25.ko

But you won't find these in our s390 distributions. So your customer is safe :)
Update released for: kernel-default, kernel-default-debuginfo, kernel-iseries64, kernel-iseries64-debuginfo, kernel-kdump, kernel-kdump-debuginfo, kernel-ppc64, kernel-ppc64-debuginfo, kernel-source, kernel-source-debuginfo, kernel-syms Products: SLE-DEBUGINFO 10-SP2 (ppc) SLE-SDK 10-SP2 (ppc) SLE-SERVER 10-SP2 (ppc)
Update released for: kernel-bigsmp, kernel-bigsmp-debuginfo, kernel-debug, kernel-debug-debuginfo, kernel-default, kernel-default-debuginfo, kernel-kdump, kernel-kdump-debuginfo, kernel-kdumppae, kernel-kdumppae-debuginfo, kernel-smp, kernel-smp-debuginfo, kernel-source, kernel-source-debuginfo, kernel-syms, kernel-syms-debuginfo, kernel-vmi, kernel-vmi-debuginfo, kernel-vmipae, kernel-vmipae-debuginfo, kernel-xen, kernel-xen-debuginfo, kernel-xenpae, kernel-xenpae-debuginfo Products: SLE-DEBUGINFO 10-SP2 (i386) SLE-DESKTOP 10-SP2 (i386) SLE-SDK 10-SP2 (i386) SLE-SERVER 10-SP2 (i386)
Update released for: kernel-debug, kernel-debug-debuginfo, kernel-default, kernel-default-debuginfo, kernel-source, kernel-source-debuginfo, kernel-syms Products: SLE-DEBUGINFO 10-SP2 (ia64) SLE-SDK 10-SP2 (ia64) SLE-SERVER 10-SP2 (ia64)
Update released for: kernel-default, kernel-default-debuginfo, kernel-source, kernel-syms Products: SLE-DEBUGINFO 10-SP2 (s390x) SLE-SERVER 10-SP2 (s390x)
Update released for: kernel-debug, kernel-debug-debuginfo, kernel-default, kernel-default-debuginfo, kernel-kdump, kernel-kdump-debuginfo, kernel-smp, kernel-smp-debuginfo, kernel-source, kernel-source-debuginfo, kernel-syms, kernel-xen, kernel-xen-debuginfo Products: SLE-DEBUGINFO 10-SP2 (x86_64) SLE-DESKTOP 10-SP2 (x86_64) SLE-SDK 10-SP2 (x86_64) SLE-SERVER 10-SP2 (x86_64)
This bug was fixed/mentioned in the kernel that was released on May 22 for SLES/SLED 10 SP2, the released kernel version is 2.6.16.60-0.39.3.
Update released for: kernel-bigsmp, kernel-debug, kernel-default, kernel-kdump, kernel-ppc64, kernel-rt, kernel-rt_debug, kernel-source, kernel-syms, kernel-xen, kernel-xenpae Products: openSUSE 10.3 (i386, ppc, x86_64)
Update released for: acerhk-kmp-debug, acx-kmp-debug, appleir-kmp-debug, at76_usb-kmp-debug, atl2-kmp-debug, aufs-kmp-debug, dazuko-kmp-debug, drbd-kmp-debug, gspcav-kmp-debug, iscsitarget-kmp-debug, ivtv-kmp-debug, kernel-debug, kernel-default, kernel-docs, kernel-kdump, kernel-pae, kernel-ppc64, kernel-ps3, kernel-source, kernel-syms, kernel-vanilla, kernel-xen, kqemu-kmp-debug, nouveau-kmp-debug, omnibook-kmp-debug, pcc-acpi-kmp-debug, pcfclock-kmp-debug, tpctl-kmp-debug, uvcvideo-kmp-debug, virtualbox-ose-kmp-debug, vmware-kmp-debug, wlan-ng-kmp-debug Products: openSUSE 11.0 (debug, i386, ppc, x86_64)
Update released for: aufs-kmp-debug, aufs-kmp-trace, brocade-bfa-kmp-debug, brocade-bfa-kmp-trace, dazuko-kmp-debug, dazuko-kmp-trace, drbd-kmp-debug, drbd-kmp-trace, intel-iamt-heci-kmp-debug, intel-iamt-heci-kmp-trace, iscsitarget-kmp-debug, iscsitarget-kmp-trace, kernel-debug, kernel-debug-base, kernel-debug-debuginfo, kernel-debug-debugsource, kernel-debug-extra, kernel-default, kernel-default-base, kernel-default-debuginfo, kernel-default-debugsource, kernel-default-extra, kernel-docs, kernel-kdump, kernel-kdump-debuginfo, kernel-kdump-debugsource, kernel-pae, kernel-pae-base, kernel-pae-debuginfo, kernel-pae-debugsource, kernel-pae-extra, kernel-ppc64, kernel-ppc64-base, kernel-ppc64-debuginfo, kernel-ppc64-debugsource, kernel-ppc64-extra, kernel-ps3, kernel-ps3-debuginfo, kernel-ps3-debugsource, kernel-source, kernel-source-debuginfo, kernel-syms, kernel-trace, kernel-trace-base, kernel-trace-debuginfo, kernel-trace-debugsource, kernel-trace-extra, kernel-vanilla, kernel-vanilla-debuginfo, kernel-vanilla-debugsource, kernel-xen, kernel-xen-base, kernel-xen-debuginfo, kernel-xen-debugsource, kernel-xen-extra, kqemu-kmp-debug, kqemu-kmp-trace, kvm-kmp-trace, lirc-kmp-trace, ofed-kmp-debug, ofed-kmp-trace, oracleasm-kmp-debug, oracleasm-kmp-trace, pcfclock-kmp-debug, pcfclock-kmp-trace, virtualbox-ose-kmp-debug, virtualbox-ose-kmp-trace, vmware-kmp-debug, vmware-kmp-trace Products: openSUSE 11.1 (debug, i586, ppc, x86_64)
in all branches, released or currently in qa
A kernel update for SLE(S/D) 11 has just been released that mentions/fixes this bug. The kernel version of this update is 2.6.27.23-0.1.1.
Update released for: cluster-network-kmp-default, cluster-network-kmp-xen, ext4dev-kmp-default, ext4dev-kmp-xen, kernel-default, kernel-default-base, kernel-default-debuginfo, kernel-default-debugsource, kernel-default-extra, kernel-source, kernel-source-debuginfo, kernel-syms, kernel-xen, kernel-xen-base, kernel-xen-debuginfo, kernel-xen-debugsource, kernel-xen-extra, ocfs2-kmp-default, ocfs2-kmp-xen Products: SLE-DEBUGINFO 11 (x86_64) SLE-DESKTOP 11 (x86_64) SLE-HAE 11 (x86_64) SLE-SERVER 11 (x86_64)
This bug was mentioned / fixed in the currently released SLES 9 maintenance kernel update with version 2.6.5-7.317.
Update released for: kernel-bigsmp, kernel-bigsmp-debug, kernel-debug, kernel-debug-debug, kernel-default, kernel-default-debug, kernel-smp, kernel-smp-debug, kernel-source, kernel-syms, kernel-um, kernel-um-debug, kernel-xen, kernel-xen-debug, kernel-xenpae, kernel-xenpae-debug, um-host-install-initrd, um-host-kernel Products: Novell-Linux-Desktop 9 (i386) Open-Enterprise-Server 9 (i386)
Update released for: kernel-64k-pagesize, kernel-64k-pagesize-debug, kernel-debug, kernel-debug-debug, kernel-default, kernel-default-debug, kernel-sn2, kernel-sn2-debug, kernel-source, kernel-syms, um-host-kernel, kernel-update.ycp, install-kernel-non-interactive.sh Products: SUSE-CORE 9 (ia64)
Update released for: kernel-default, kernel-default-debug, kernel-iseries64, kernel-iseries64-debug, kernel-pmac64, kernel-pmac64-debug, kernel-pseries64, kernel-pseries64-debug, kernel-smp, kernel-smp-debug, kernel-source, kernel-syms, um-host-kernel, kernel-update.ycp, install-kernel-non-interactive.sh Products: SUSE-CORE 9 (ppc)
Update released for: kernel-s390x, kernel-s390x-debug, kernel-source, kernel-syms, um-host-kernel, kernel-update.ycp, install-kernel-non-interactive.sh Products: SUSE-CORE 9 (s390x)
Starting L3 for teradata backport
Patch scheduled for the next teradata rollup kernel (bug 426350 comment 111) L3 and bug can be closed
Patch scheduled also for next sles10sp1 teradata rollup (bug 434477 comment 78)
A SLERT 10 SP2 kernel update was just released with this bug referenced, version 2.6.22.19-0.22.
Update released for: ib-bonding-kmp-rt, ib-bonding-kmp-rt_bigsmp, ib-bonding-kmp-rt_debug, ib-bonding-kmp-rt_timing, kernel-rt, kernel-rt_bigsmp, kernel-rt_debug, kernel-rt_timing, kernel-source, kernel-syms, ofed, ofed-cxgb3-NIC-kmp-rt, ofed-cxgb3-NIC-kmp-rt_bigsmp, ofed-cxgb3-NIC-kmp-rt_debug, ofed-cxgb3-NIC-kmp-rt_timing, ofed-doc, ofed-kmp-rt, ofed-kmp-rt_bigsmp, ofed-kmp-rt_debug, ofed-kmp-rt_timing Products: SLE-RT 10-SP2 (i386, x86_64)
CVE-2009-1265: CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)