oss-sec mailing list archives
CVE request: kernel: ipv6: skb is unexpectedly freed (remote DoS)
From: Eugene Teo <eugeneteo () kernel sg>
Date: Mon, 29 Mar 2010 11:36:44 +0800
Upstream commit: http://git.kernel.org/linus/fb7e2399ec17f1004c0e0ccfd17439f8759ede01

Description from the commit:

"The server side sets IPV6_RECVPKTINFO on a listening socket, and the client side just sends a message to the server. Then the kernel panic occurs on the server.

This problem happens because a skb is forcibly freed in tcp_rcv_state_process(). When a socket in listening state (TCP_LISTEN) receives a syn packet, then tcp_v6_conn_request() will be called from tcp_rcv_state_process(). If the tcp_v6_conn_request() successfully returns, the skb would be discarded by __kfree_skb().

However, in case of a listening socket which was already set IPV6_RECVPKTINFO, an address of the skb will be stored in treq->pktopts and a ref count of the skb will be incremented in tcp_v6_conn_request(). But, even if the skb is still in use, the skb will be freed. Then someone still using the freed skb will cause the kernel panic."

Triggering this could result in a general protection fault.

Reference: https://bugzilla.redhat.com/show_bug.cgi?id=577711

Thanks, Eugene
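The reference-count mismatch the commit message describes, as an added userspace model (not kernel code and not from the commit): the skb's `users` count and `treq->pktopts` are mirrored by plain structs, and a `freed` flag stands in for the real allocator so the dangling state can be inspected without an actual use-after-free. `__kfree_skb()` ignores `skb->users`, while `kfree_skb()` only releases the buffer when the last reference is dropped; the function and struct names below are the model's own.

```c
/* Added example: minimal model of sk_buff reference counting reproducing the
 * listen-path mismatch. Real skbs live in slab memory; here a "freed" flag
 * replaces free() so the result can be checked safely. */
#include <stdbool.h>
#include <stdio.h>

struct skb {
    int  users;   /* mirrors skb->users: number of live references */
    bool freed;   /* set once the buffer has gone back to the allocator */
};

struct request_sock {
    struct skb *pktopts;  /* mirrors treq->pktopts: saved copy of the SYN */
};

/* skb_get(): take an extra reference and hand back the same buffer. */
static struct skb *model_skb_get(struct skb *skb) { skb->users++; return skb; }

/* __kfree_skb(): forced free, does not consult skb->users. */
static void model_kfree_skb_forced(struct skb *skb) { skb->freed = true; }

/* kfree_skb(): drop one reference, free only when the last one goes. */
static void model_kfree_skb(struct skb *skb) {
    if (--skb->users == 0) model_kfree_skb_forced(skb);
}

/* tcp_v6_conn_request() on a listener with IPV6_RECVPKTINFO set keeps the
 * SYN for the child socket by storing it in pktopts and taking a reference. */
static void model_conn_request(struct request_sock *req, struct skb *syn, bool recvpktinfo) {
    req->pktopts = recvpktinfo ? model_skb_get(syn) : NULL;
}

/* The discard step of tcp_rcv_state_process(). forced=true mirrors the
 * vulnerable __kfree_skb() path, forced=false a refcount-aware kfree_skb().
 * Returns true when no dangling reference is left behind. */
static bool listen_path_is_safe(bool recvpktinfo, bool forced) {
    struct skb syn = { .users = 1, .freed = false };
    struct request_sock req = { .pktopts = NULL };

    model_conn_request(&req, &syn, recvpktinfo);
    if (forced) model_kfree_skb_forced(&syn); else model_kfree_skb(&syn);

    if (req.pktopts == NULL) return true;   /* nothing retained, nothing to dangle */
    return !req.pktopts->freed;             /* retained reference must still be live */
}

int main(void) {
    printf("RECVPKTINFO + __kfree_skb: %s\n", listen_path_is_safe(true, true)  ? "safe" : "dangling");
    printf("RECVPKTINFO + kfree_skb:   %s\n", listen_path_is_safe(true, false) ? "safe" : "dangling");
    return 0;
}
```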
Current thread:
- CVE request: kernel: ipv6: skb is unexpectedly freed (remote DoS) Eugene Teo (Mar 28)
- Re: CVE request: kernel: ipv6: skb is unexpectedly freed (remote DoS) Steven M. Christey (Mar 30)
- Re: CVE request: kernel: ipv6: skb is unexpectedly freed (remote DoS) Eugene Teo (Mar 30)
- Re: CVE request: kernel: ipv6: skb is unexpectedly freed (remote DoS) Steven M. Christey (Mar 30)