Topic :

linux kernel and intel e1000: ipv6 skb_dst() can be NULL in ipv6_hop_jumbo()


SecurityAlert : 6976
CVE : CVE-2010-0006
CWE : CWE-20
SecurityRisk : High
Remote Exploit : Yes
Local Exploit : No
Victim interaction required : No
Exploit Available : No
Credit : David Miller
Published : 28.01.2010

Affected Software :
linux:kernel:2.6.24.7
linux:kernel:2.6.25.15
intel:e1000:7.4.27
intel:e1000:7.4.35 and previous versions
intel:e1000:7.3.20
intel:e1000:7.3.15
intel:e1000:7.2.9
intel:e1000:7.2.7
intel:e1000:7.1.9
intel:e1000:7.0.41
intel:e1000:7.0.33
intel:e1000:6.3.9
intel:e1000:6.2.15
intel:e1000:6.1.16
intel:e1000:6.0.60
intel:e1000:6.0.54
intel:e1000:5.7.6
intel:e1000:5.6.10
intel:e1000:5.6.10.1
intel:e1000:5.5.4
intel:e1000:5.4.11
intel:e1000:5.3.19
intel:e1000:5.2.52
intel:e1000:5.2.30.1
intel:e1000:5.2.22



Advisory Content :



This fixes CERT-FI FICORA #341748

Discovered by Olli Jarva and Tuomo Untinen from the CROSS
project at Codenomicon Ltd.

Just like in CVE-2007-4567, we can't rely upon skb_dst() being
non-NULL at this point. We fixed that in commit
e76b2b2567b83448c2ee85a896433b96150c92e6 ("[IPV6]: Do no rely on
skb->dst before it is assigned.")

However commit 483a47d2fe794328d29950fe00ce26dd405d9437 ("ipv6: added
net argument to IP6_INC_STATS_BH") put a new version of the same bug
into this function.

Complicating analysis further, this bug can only trigger when network
namespaces are enabled in the build. When namespaces are turned off,
the dev_net() does not evaluate its argument, so the dereference
would not occur.

So, for a long time, namespaces couldn't be turned on unless SYSFS was
disabled. Therefore, this code has largely been disabled except by
people turning it on explicitly for namespace development.

With help from Eugene Teo <eugene@redhat.com>

Signed-off-by: David S. Miller <davem@davemloft.net>
CC: stable <stable@kernel.org>
---
net/ipv6/exthdrs.c | 7 ++++++-
1 files changed, 6 insertions(+), 1 deletions(-)

diff --git a/net/ipv6/exthdrs.c b/net/ipv6/exthdrs.c
index df159ff..4bac362 100644
--- a/net/ipv6/exthdrs.c
+++ b/net/ipv6/exthdrs.c
@@ -559,6 +559,11 @@ static inline struct inet6_dev *ipv6_skb_idev(struct
sk_buff *skb)
return skb_dst(skb) ? ip6_dst_idev(skb_dst(skb)) :
__in6_dev_get(skb->dev);
}

+static inline struct net *ipv6_skb_net(struct sk_buff *skb)
+{
+ return skb_dst(skb) ? dev_net(skb_dst(skb)->dev) : dev_net(skb->dev);
+}
+
/* Router Alert as of RFC 2711 */

static int ipv6_hop_ra(struct sk_buff *skb, int optoff)
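Review bot: ipv6_skb_net() carries no comment explaining why skb_dst(skb) can be NULL at this point, even though the commit message records that the same unconditional dereference was fixed once (e76b2b25) and then reintroduced by a later refactor (483a47d2); a one-line comment on the helper pointing at that history would make it harder for the next change to bypass it. The fallback dev_net(skb->dev) also shares the assumption of ipv6_skb_idev() directly above, that skb->dev is set for a packet on this path; that is consistent with the existing code, but worth stating next to the helper.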
@@ -580,8 +585,8 @@ static int ipv6_hop_ra(struct sk_buff *skb, int
optoff)
static int ipv6_hop_jumbo(struct sk_buff *skb, int optoff)
{
const unsigned char *nh = skb_network_header(skb);
+ struct net *net = ipv6_skb_net(skb);
u32 pkt_len;
- struct net *net = dev_net(skb_dst(skb)->dev);

if (nh[optoff + 1] != 4 || (optoff & 3) != 2) {
LIMIT_NETDEBUG(KERN_DEBUG "ipv6_hop_jumbo: wrong jumbo opt
length/alignment %d\n",
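Review bot: with the initialiser moved into ipv6_skb_net(), the only dereference of skb_dst(skb) left in ipv6_hop_jumbo() is now guarded, so the fix is complete for this function. Two points for the record: the declaration of net moves above pkt_len, a cosmetic reordering bundled with the fix, and, because the commit message says dev_net() does not evaluate its argument when namespaces are off, any regression test for this path has to run on a build with network namespaces enabled or it will pass on the unpatched code as well.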
--
1.6.5



References :

https://bugzilla.redhat.com/show_bug.cgi?id=555217
http://www.securityfocus.com/bid/37810
http://www.osvdb.org/61876
http://www.openwall.com/lists/oss-security/2010/01/14/2
http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.32.4
http://security-tracker.debian.org/tracker/CVE-2010-0006
http://secunia.com/advisories/38333
http://secunia.com/advisories/38168
http://marc.info/?l=linux-netdev&m=126343325807340&w=2
http://lists.fedoraproject.org/pipermail/package-announce/2010-January/034250.html
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=2570a4f5428bcdb1077622342181755741e7fa60
http://cert.fi/en/reports/2010/vulnerability341748.html
http://bugs.gentoo.org/show_bug.cgi?id=300951



