oss-sec mailing list archives
Re: CVE request: Kernel 2.6.32+ IP_RETOPTS Buffer Poisoning DoS
From: Petr Matousek <pmatouse () redhat com>
Date: Tue, 2 Jul 2013 12:21:42 +0200
On Sun, Jun 30, 2013 at 12:33:47AM -0700, Steven Ciaburri wrote:
There is a local DOS exploit in centos 6, openvz 6, cloudlinux 6 and others. https://www.rack911.com/poc/hemlock.c
Just to make sure -- this triggers Red Hat specific bug introduced via CVE-2012-3552 fix [1, 2]. This issue does not affect upstream. [1] https://bugzilla.redhat.com/show_bug.cgi?id=979936#c2 [2] https://bugzilla.redhat.com/show_bug.cgi?id=979936#c3 Spender suggest there is a integer problem in the code [3], but there is not. The problem spender is trying to fix is avoided by the CMSG_OK check in ip_cmsg_send() function and msg_controllen check in __sys_sendmsg(). There is some slight room for error though since CMSG_OK checks for "(cmsg)->cmsg_len >= sizeof(struct cmsghdr)" and the expression is "err = cmsg->cmsg_len - CMSG_ALIGN(sizeof(struct cmsghdr));" but with the current alignment and cmsghdr struct size we should be fine on both 32 and 64bit. [3] https://twitter.com/grsecurity/status/351664130031222784 -- Petr Matousek / Red Hat Security Response Team
Current thread:
- Re: CVE request: Kernel 2.6.32+ IP_RETOPTS Buffer Poisoning DoS Petr Matousek (Jul 02)