Bug#322273: [CAN-2005-2456]: XFRM array index buffer overflow
Package: kernel-source-2.6.8
Version: 2.6.8-16
Severity: critical
Justification: root security hole
SecurityFocus http://www.securityfocus.com/bid/14477 mentions an array index
buffer overflow.
In short, they suspect it can cause a denial of service attack, but
aren't sure whether or not it allows code execution.
Balazs Scheidler says at
http://www.mail-archive.com/netdev@vger.kernel.org/msg00520.html:
"While reading through the xfrm code I've found a possible array
overflow in struct sock"
He goes on to suggest some patches. However the patch at
http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=a4f1bac62564049ea4718c4624b0fadc9f597c84
is in the xfrm_user file instead.
I suspect this second patch that was committed will work, and checks the
direction earlier in the code flow than the original email from Balazs in
the first link. The xfrm_user patch is:
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -1350,6 +1350,9 @@ static struct xfrm_policy *xfrm_compile_
if (nr > XFRM_MAX_DEPTH)
return NULL;
+ if (p->dir > XFRM_POLICY_OUT)
+ return NULL;
+
xp = xfrm_policy_alloc(GFP_KERNEL);
if (xp == NULL) {
*dir = -ENOBUFS;
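Review bot: the new `if (p->dir > XFRM_POLICY_OUT) return NULL;` returns without setting `*dir`, whereas the allocation-failure path just below does `*dir = -ENOBUFS;` before returning NULL; for consistency, and so the caller can distinguish a rejected direction from an allocation failure, set `*dir` to an error code such as `-EINVAL` before the early return. The check also only rejects values above `XFRM_POLICY_OUT`; if `p->dir` is ever a signed type, a negative value would still pass and be used as an index, so either confirm the field is unsigned or compare against both bounds. The earlier `if (nr > XFRM_MAX_DEPTH) return NULL;` has the same missing-`*dir` issue and could be aligned in the same change.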
On another note, when I'm looking at bugs like this, and I haven't found
them in the bug tracking database, should I be putting them against just
kernel-source-2.6.8, or against kernel-source-2.6.11 as well, or is
there a generic kernel-source-2.6 package?
-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.6.8-2-686-smp
Locale: LANG=en_AU, LC_CTYPE=en_AU (charmap=ISO-8859-1)
Versions of packages kernel-source-2.6.8 depends on:
ii binutils 2.15-6 The GNU assembler, linker and bina
ii bzip2 1.0.2-7 high-quality block-sorting file co
ii coreutils [fileutils] 5.2.1-2 The GNU core utilities
-- no debconf information