linux/net
Solar Designer 2c8ac66bb2 [NETFILTER]: Fix do_add_counters race, possible oops or info leak (CVE-2006-0039)
Solar Designer found a race condition in do_add_counters(). The beginning
of paddc is supposed to be the same as tmp which was sanity-checked
above, but it might not be the same in reality. In case the integer
overflow and/or the race condition are triggered, paddc->num_counters
might not match the allocation size for paddc. If the check below
(t->private->number != paddc->num_counters) nevertheless passes (perhaps
this requires the race condition to be triggered), IPT_ENTRY_ITERATE()
would read kernel memory beyond the allocation size, potentially causing
an oops or leaking sensitive data (e.g., passwords from host system or
from another VPS) via counter increments. This requires CAP_NET_ADMIN.

Signed-off-by: Solar Designer <solar@openwall.com>
Signed-off-by: Kirill Korotaev <dev@openvz.org>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-05-19 02:16:52 -07:00
..
802 [TR]: Remove an unused export. 2006-05-16 15:23:40 -07:00
8021q
appletalk
atm [NEIGH]: Fix IP-over-ATM and ARP interaction. 2006-05-12 14:56:08 -07:00
ax25 [AX.25]: Eleminate HZ from AX.25 kernel interfaces 2006-05-03 23:27:16 -07:00
bluetooth
bridge [NETFILTER]: fix format specifier for netfilter log targets 2006-05-19 02:15:47 -07:00
core [NEIGH]: Fix IP-over-ATM and ARP interaction. 2006-05-12 14:56:08 -07:00
dccp [DCCP]: Fix sock_orphan dead lock 2006-05-05 17:09:13 -07:00
decnet [DECNET]: Fix level1 router hello 2006-05-03 23:36:23 -07:00
econet
ethernet
ieee80211 [PATCH] softmac: make non-operational after being stopped 2006-05-05 16:55:22 -04:00
ipv4 [NETFILTER]: Fix do_add_counters race, possible oops or info leak (CVE-2006-0039) 2006-05-19 02:16:52 -07:00
ipv6 [NETFILTER]: Fix do_add_counters race, possible oops or info leak (CVE-2006-0039) 2006-05-19 02:16:52 -07:00
ipx [IPX]: Correct return type of ipx_map_frame_type(). 2006-05-16 15:17:49 -07:00
irda [IRDA]: Removing unused EXPORT_SYMBOLs 2006-05-09 15:25:25 -07:00
key
lapb
llc
netfilter [NETFILTER]: x_tables: don't use __copy_{from,to}_user on unchecked memory in compat layer 2006-05-03 23:20:27 -07:00
netlink
netrom [NETROM/ROSE]: Kill module init version kernel log messages. 2006-05-05 17:19:26 -07:00
packet
rose [NETROM/ROSE]: Kill module init version kernel log messages. 2006-05-05 17:19:26 -07:00
rxrpc
sched [PKT_SCHED]: Potential jiffy wrap bug in dev_watchdog(). 2006-05-16 15:02:12 -07:00
sctp [SCTP]: Fix state table entries for chunks received in CLOSED state. 2006-05-05 17:05:23 -07:00
sunrpc
tipc
unix
wanrouter
x25
xfrm
compat.c
Kconfig
Makefile
nonet.c
socket.c
sysctl_net.c
TUNABLE