
Bug#322273: marked as done ([CAN-2005-2456]: XFRM array index buffer overflow)



Your message dated Sat, 10 Jun 2006 06:53:49 +0200
with message-id <20060610045349.GC25632@nancy>
and subject line [CAN-2005-2456]: XFRM array index buffer overflow
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: kernel-source-2.6.8
Version: 2.6.8-16
Severity: critical
Justification: root security hole

SecurityFocus http://www.securityfocus.com/bid/14477 mentions an array index
buffer overflow.
In short, they suspect it can cause a denial of service attack, but
aren't sure whether or not it allows code execution.

Balazs Scheidler says at
http://www.mail-archive.com/netdev@vger.kernel.org/msg00520.html:
"While reading through the xfrm code I've found a possible array
overflow in struct sock"

He goes on to suggest some patches. However the patch at
http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=a4f1bac62564049ea4718c4624b0fadc9f597c84
is in the xfrm_user file instead.
I suspect this second patch that was committed will work, and checks the
direction earlier in the code flow than the original email from Balazs in
the first link. The xfrm_user patch is:

--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -1350,6 +1350,9 @@ static struct xfrm_policy *xfrm_compile_
 	if (nr > XFRM_MAX_DEPTH)
 		return NULL;
 
+	if (p->dir > XFRM_POLICY_OUT)
+		return NULL;
+
 	xp = xfrm_policy_alloc(GFP_KERNEL);
 	if (xp == NULL) {
 		*dir = -ENOBUFS;
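Review bot: the new check `if (p->dir > XFRM_POLICY_OUT) return NULL;` returns without setting `*dir`, whereas the allocation-failure path immediately below it sets `*dir = -ENOBUFS` before returning; confirm that the caller treats a NULL return with an untouched `*dir` as an error and never reads `*dir` as a direction on that path (the existing `nr > XFRM_MAX_DEPTH` check takes the same bare-NULL path, so this matches the surrounding style, but if the caller does consult `*dir` on NULL then `*dir = -EINVAL` belongs here too). Also, an upper-bound-only comparison is sufficient only when `p->dir` is an unsigned type, and the hunk does not show its declaration; a one-line comment stating the accepted range (`XFRM_POLICY_IN` to `XFRM_POLICY_OUT`) next to the check would make that assumption explicit for the next reader.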


On another note, when I'm looking at bugs like this, and I haven't found
them in the bug tracking database, should I be putting them against just
kernel-source-2.6.8, or against kernel-source-2.6.11 as well, or is
there a generic kernel-source-2.6 package?


-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.6.8-2-686-smp
Locale: LANG=en_AU, LC_CTYPE=en_AU (charmap=ISO-8859-1)

Versions of packages kernel-source-2.6.8 depends on:
ii  binutils                      2.15-6     The GNU assembler, linker and bina
ii  bzip2                         1.0.2-7    high-quality block-sorting file co
ii  coreutils [fileutils]         5.2.1-2    The GNU core utilities

-- no debconf information


--- End Message ---
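As an added illustration of the defect class the report above describes, and not code from the report, the kernel, or either patch: a small user-space model of a per-socket policy table indexed by a user-supplied direction, showing why a dir value beyond XFRM_POLICY_OUT must be rejected before it is ever used as an index. The struct layout (a 256-slot array whose first two entries stand in for the two-entry policy table and whose remaining entries stand in for neighbouring fields), the `userpolicy_info` type, the helper names, and the IN=0/OUT=1 values are constructed assumptions for the demonstration; the real `struct sock` is laid out differently and has no such padding.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Direction constants as used by the patch's check (assumed values: IN=0, OUT=1). */
#define XFRM_POLICY_IN  0
#define XFRM_POLICY_OUT 1
#define SK_POLICY_SLOTS 2     /* the real table has exactly one entry per direction */
#define MODEL_SLOTS     256   /* constructed padding so an 8-bit dir can never leave the model */

struct policy { int id; };

/* Constructed stand-in for struct sock: slots[0..1] model the per-socket
 * policy table, slots[2..] model whatever fields follow it in memory.
 * Any index greater than XFRM_POLICY_OUT therefore overwrites a neighbour. */
struct sock_model {
    struct policy *slots[MODEL_SLOTS];
};

/* Hypothetical user request; mirrors the p->dir field the patch validates. */
struct userpolicy_info {
    uint8_t dir;
};

/* "Before": the direction is trusted as an array index. In this model the
 * write stays inside slots[] (so the program itself is memory-safe), but
 * it lands outside the two real policy entries, i.e. on a neighbouring field. */
static void sk_policy_insert_unchecked(struct sock_model *sk,
                                       const struct userpolicy_info *p,
                                       struct policy *pol)
{
    sk->slots[p->dir] = pol;
}

/* "After": reject any dir outside the table before it is used as an index,
 * the same bound the xfrm_user patch applies (dir > XFRM_POLICY_OUT). */
static int sk_policy_insert_checked(struct sock_model *sk,
                                    const struct userpolicy_info *p,
                                    struct policy *pol)
{
    if (p->dir > XFRM_POLICY_OUT)
        return -EINVAL;
    sk->slots[p->dir] = pol;
    return 0;
}

/* Count writes that landed past the real table, i.e. clobbered neighbours. */
static int neighbours_clobbered(const struct sock_model *sk)
{
    int n = 0;
    for (int i = SK_POLICY_SLOTS; i < MODEL_SLOTS; i++)
        if (sk->slots[i] != NULL)
            n++;
    return n;
}

/* Scenario helpers: each starts from a zeroed socket so results are independent. */
int unchecked_overflow_count(uint8_t dir)
{
    struct sock_model sk;
    struct policy pol = { 42 };
    struct userpolicy_info p = { dir };
    memset(&sk, 0, sizeof sk);
    sk_policy_insert_unchecked(&sk, &p, &pol);
    return neighbours_clobbered(&sk);
}

int checked_insert_result(uint8_t dir)
{
    struct sock_model sk;
    struct policy pol = { 42 };
    struct userpolicy_info p = { dir };
    memset(&sk, 0, sizeof sk);
    return sk_policy_insert_checked(&sk, &p, &pol);
}

int checked_overflow_count(uint8_t dir)
{
    struct sock_model sk;
    struct policy pol = { 42 };
    struct userpolicy_info p = { dir };
    memset(&sk, 0, sizeof sk);
    sk_policy_insert_checked(&sk, &p, &pol);
    return neighbours_clobbered(&sk);
}

int main(void)
{
    printf("unchecked, dir=5: neighbours clobbered = %d\n", unchecked_overflow_count(5));
    printf("checked,   dir=5: rc = %d, neighbours clobbered = %d\n",
           checked_insert_result(5), checked_overflow_count(5));
    printf("checked,   dir=%d: rc = %d\n", XFRM_POLICY_OUT,
           checked_insert_result(XFRM_POLICY_OUT));
    return 0;
}
```

The point of the model is the placement of the check: the direction must be validated before the table is touched, which is what the committed xfrm_user patch does by rejecting the request at compile time rather than at the later lookup. In the real kernel the clobbered neighbour is an arbitrary field of the socket structure, which is why the report treats the bug as at least a denial of service.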
--- Begin Message ---
fixed in 2.6.8-16sarge1 and in 2.4.27-10sarge1

-- 
maks

--- End Message ---
