Bugzilla – Bug 570608
VUL-1: CVE-2010-0006: kernel: ipv6: skb_dst() can be NULL in ipv6_hop_jumbo()
Last modified: 2018-11-15 13:32:47 UTC
Your friendly security team received the following report via oss-security. Please respond ASAP. The issue is public.

Date: Thu, 14 Jan 2010 09:47:47 +0800
From: Eugene Teo <eugene@redhat.com>
To: oss-security@lists.openwall.com
Subject: [oss-security] CVE-2010-0006 - kernel: ipv6: skb_dst() can be NULL in ipv6_hop_jumbo()
CC: "Steven M. Christey" <coley@linus.mitre.org>

http://marc.info/?l=linux-netdev&m=126343325807340&w=2

This fixes CERT-FI FICORA #341748

Discovered by Olli Jarva and Tuomo Untinen from the CROSS project at Codenomicon Ltd.

Just like in CVE-2007-4567, we can't rely upon skb_dst() being non-NULL at this point.

We fixed that in commit e76b2b2567b83448c2ee85a896433b96150c92e6 ("[IPV6]: Do no rely on skb->dst before it is assigned.")

However commit 483a47d2fe794328d29950fe00ce26dd405d9437 ("ipv6: added net argument to IP6_INC_STATS_BH") put a new version of the same bug into this function.

Complicating analysis further, this bug can only trigger when network namespaces are enabled in the build. When namespaces are turned off, the dev_net() does not evaluate its argument, so the dereference would not occur.

So, for a long time, namespaces couldn't be turned on unless SYSFS was disabled. Therefore, this code has largely been disabled except by people turning it on explicitly for namespace development.

With help from Eugene Teo <eugene@redhat.com>

Signed-off-by: David S. Miller <davem@davemloft.net>
CC: stable <stable@kernel.org>

Thanks, Eugene
--
Eugene Teo / Red Hat Security Response Team
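As an added illustration (not code from this bug, the kernel, or the referenced patch), the following C model shows the mechanism the report describes: why the NULL dereference of skb_dst() is only reachable when network namespaces are compiled in, since dev_net() otherwise ignores its argument, and a shape that stops trusting skb_dst() at this point. The stand-in struct definitions, the dev_net() model with a run-time flag in place of CONFIG_NET_NS, the scenario() builder, and the choice of the receiving device skb->dev as the hardened source of the namespace are all assumptions of this example.

```c
#include <stdio.h>
#include <stddef.h>

/* Stand-in types constructed for this example; they only model the fields the
 * report talks about and are not the kernel's definitions. */
struct net        { int id; };
struct net_device { struct net *nd_net; };       /* namespace the device lives in */
struct dst_entry  { struct net_device *dev; };   /* route: output device */
struct sk_buff {
    struct net_device *dev;   /* receiving device, set by the driver on input */
    struct dst_entry  *dst;   /* route; not yet assigned while hop-by-hop options are parsed */
};

static struct net init_net = { 0 };   /* the single namespace of a non-NET_NS build */

/* Results of the model: a namespace id (>= 0) on success, or NET_NULL_DEREF where
 * the real code would dereference NULL and oops. */
enum { NET_OK = 0, NET_NULL_DEREF = -1 };

static struct dst_entry *skb_dst(const struct sk_buff *skb) { return skb->dst; }

/* Model of dev_net(): with network namespaces compiled in it reads dev->nd_net,
 * so its argument is dereferenced; without them it ignores the argument and
 * returns init_net, which is why the bug is invisible on non-NET_NS builds.
 * The kernel selects this at build time; the model takes a flag at run time so
 * both configurations can be exercised in one program. */
static struct net *dev_net(struct net_device *dev, int net_ns)
{
    return net_ns ? dev->nd_net : &init_net;
}

/* Vulnerable shape from the report: the namespace is derived from the route's
 * device, skb_dst(skb)->dev, but the route is still NULL at this point. The
 * model returns NET_NULL_DEREF instead of actually faulting. */
static int net_from_route(const struct sk_buff *skb, int net_ns, struct net **out)
{
    struct dst_entry *dst = skb_dst(skb);

    if (!net_ns) {                 /* dev_net() never looks at dst->dev here */
        *out = &init_net;
        return NET_OK;
    }
    if (!dst)                      /* real code: skb_dst(skb)->dev faults */
        return NET_NULL_DEREF;
    *out = dev_net(dst->dev, net_ns);
    return NET_OK;
}

/* Hardened shape (an assumption of this example, not quoted from the patch):
 * take the namespace from the receiving device, which is always set on the
 * input path, so no route pointer has to be trusted before it is assigned. */
static int net_from_input_dev(const struct sk_buff *skb, int net_ns, struct net **out)
{
    *out = dev_net(skb->dev, net_ns);
    return NET_OK;
}

/* Build one constructed scenario: a packet received on a device in namespace 7,
 * with or without a route already attached, and run it through either shape.
 * Returns the namespace id found, or NET_NULL_DEREF. */
int scenario(int net_ns, int have_route, int use_hardened)
{
    struct net ns_seven = { 7 };
    struct net_device dev = { &ns_seven };
    struct dst_entry route = { &dev };
    struct sk_buff skb;
    struct net *net = NULL;
    int rc;

    skb.dev = &dev;
    skb.dst = have_route ? &route : NULL;
    rc = use_hardened ? net_from_input_dev(&skb, net_ns, &net)
                      : net_from_route(&skb, net_ns, &net);
    return rc == NET_OK ? net->id : rc;
}

int main(void)
{
    static const char *cfg[] = { "NET_NS=n", "NET_NS=y" };
    int ns, route;

    for (ns = 0; ns < 2; ns++)
        for (route = 0; route < 2; route++)
            printf("%s route=%d  vulnerable:%3d  hardened:%3d\n", cfg[ns], route,
                   scenario(ns, route, 0), scenario(ns, route, 1));
    return 0;
}
```

Only the NET_NS=y, route=0 row of the vulnerable column reports a fault, matching the report's point that builds without namespaces (such as the sle11 configuration discussed below) never reach the dereference, while the hardened shape resolves the namespace in every configuration.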
so affected: 11.2 moblin* sle11 sle11-sp1
- 11.2 and moblin2.1 will be getting the fix with an update to 2.6.31.12. Greg, are you going to do the update soon, or is it worth adding the patch separately?
- I have no clue about how security bugs are handled in moblin -- is the MOBLIN_20_BRANCH supported in any way? Greg, do we need to apply the patch there?
- sle11 is not affected (does not have CONFIG_NET_NS on)
- sle11-sp1 will be getting the fix with an update to 2.6.31.4; as SP1 is not released yet, I don't think we need to hurry with the update
IPv6 is not supported in the Moblin 20 branch, so that's not an issue. I've updated all other branches already with the upstream -stable update, so this can be sent back to the security team.
Greg, config/i386/default has CONFIG_IPV6=y, so it seems supported in MOBLIN20_BRANCH. (As it is built in and enabled it definitely is supported.) I however do not plan to release a kernel update for Moblin unless absolutely necessary.
network namespaces are not enabled in the MOBLIN_20 branch, so this problem does not occur there.

Oh crap, we do have network namespaces enabled in the MOBLIN_20 branch. Heck, we have namespaces enabled there as well, which should not be turned on. Ick, I'll just go disable those options, which will solve the problem, especially as the patch does not apply well to the MOBLIN_20 branch. I'll go disable namespaces on the MOBLIN_21 branch also.
Ok, network namespaces are now disabled in the MOBLIN_20 branch, so all should be safe.
oki, thanks!