Message-ID: <20130702091440.GF13295@suse.de>
Date: Tue, 2 Jul 2013 11:14:40 +0200
From: Marcus Meissner <meissner@...e.de>
To: OSS Security List <oss-security@...ts.openwall.com>
Subject: CVE Request: kernel: ipv6: using ipv4 vs ipv6 structure during
	routing lookup in sendmsg

Hi,

Also fresh in the mainline kernel and spotted by trinity:

commit a963a37d384d71ad43b3e9e79d68d42fbe0901f3
Author: Eric Dumazet <edumazet@...gle.com>
Date:   Wed Jun 26 04:15:07 2013 -0700

    ipv6: ip6_sk_dst_check() must not assume ipv6 dst

    It's possible to use AF_INET6 sockets and to connect to an IPv4
    destination. After this, socket dst cache is a pointer to a rtable,
    not rt6_info.

    ip6_sk_dst_check() should check the socket dst cache is IPv6, or else
    various corruptions/crashes can happen.

    Dave Jones can reproduce immediate crash with
    trinity -q -l off -n -c sendmsg -c connect

    With help from Hannes Frederic Sowa

    Reported-by: Dave Jones <davej@...hat.com>
    Reported-by: Hannes Frederic Sowa <hannes@...essinduktion.org>
    Signed-off-by: Eric Dumazet <edumazet@...gle.com>
    Acked-by: Hannes Frederic Sowa <hannes@...essinduktion.org>
    Signed-off-by: David S. Miller <davem@...emloft.net>


Can be triggered by non-root users according to Eric, so needs a CVE.

Ciao, Marcus
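
The check the commit message calls for, sketched as a user-space C model (an added example, not the kernel patch and not code from this message). The struct layouts and the `*_model` names are simplified assumptions; only the idea of verifying the cached route's family before treating it as `rt6_info` comes from the commit text.

```c
#include <stdio.h>
#include <stddef.h>
#include <sys/socket.h>   /* AF_INET, AF_INET6 */

/* Simplified stand-ins for the kernel's route types (assumed layout). */
struct dst_entry  { int family; int refcnt; };
struct rtable     { struct dst_entry dst; unsigned int rt_gateway; };
struct rt6_info   { struct dst_entry dst; unsigned char rt6i_dst[16]; int plen; };
struct sock_model { struct dst_entry *dst_cache; };

/* Take a reference on the socket's cached route, if any. */
static struct dst_entry *sk_dst_get_model(struct sock_model *sk)
{
    if (sk->dst_cache)
        sk->dst_cache->refcnt++;
    return sk->dst_cache;
}

/* Return the cached route as rt6_info only when it really is IPv6.
 * Otherwise drop the reference and return NULL so the caller does a
 * fresh IPv6 lookup instead of reading rtable memory as rt6_info. */
struct rt6_info *sk_dst_check_v6_model(struct sock_model *sk)
{
    struct dst_entry *dst = sk_dst_get_model(sk);

    if (dst == NULL)
        return NULL;
    if (dst->family != AF_INET6) {
        dst->refcnt--;               /* release the reference taken above */
        return NULL;
    }
    return (struct rt6_info *)dst;   /* safe: family tag was verified */
}

int main(void)
{
    struct rtable v4 = { { AF_INET, 1 }, 0x0100007f };     /* constructed sample */
    struct rt6_info v6 = { { AF_INET6, 1 }, { 0 }, 128 };  /* constructed sample */
    struct sock_model sk = { &v4.dst };   /* AF_INET6 socket with an IPv4 peer */

    printf("IPv4 route cached: %s\n",
           sk_dst_check_v6_model(&sk) ? "used" : "rejected");
    sk.dst_cache = &v6.dst;
    printf("IPv6 route cached: %s\n",
           sk_dst_check_v6_model(&sk) ? "used" : "rejected");
    return 0;
}
```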
