|
Message-ID: <20130702091440.GF13295@suse.de> Date: Tue, 2 Jul 2013 11:14:40 +0200 From: Marcus Meissner <meissner@...e.de> To: OSS Security List <oss-security@...ts.openwall.com> Subject: CVE Request: kernel: ipv6: using ipv4 vs ipv6 structure during routing lookup in sendmsg Hi, Also fresh in the mainline kernel and spotted by trinity: commit a963a37d384d71ad43b3e9e79d68d42fbe0901f3 Author: Eric Dumazet <edumazet@...gle.com> Date: Wed Jun 26 04:15:07 2013 -0700 ipv6: ip6_sk_dst_check() must not assume ipv6 dst It's possible to use AF_INET6 sockets and to connect to an IPv4 destination. After this, socket dst cache is a pointer to a rtable, not rt6_info. ip6_sk_dst_check() should check the socket dst cache is IPv6, or else various corruptions/crashes can happen. Dave Jones can reproduce immediate crash with trinity -q -l off -n -c sendmsg -c connect With help from Hannes Frederic Sowa Reported-by: Dave Jones <davej@...hat.com> Reported-by: Hannes Frederic Sowa <hannes@...essinduktion.org> Signed-off-by: Eric Dumazet <edumazet@...gle.com> Acked-by: Hannes Frederic Sowa <hannes@...essinduktion.org> Signed-off-by: David S. Miller <davem@...emloft.net> Can be triggered by non-root users according to Eric, so needs a CVE. Ciao, Marcus
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.