'Re: [oss-security] CVE request: kernel: tc: uninitialised kernel memory leak'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    Re: [oss-security] CVE request: kernel: tc: uninitialised kernel memory leak
From:       Willy Tarreau <w () 1wt ! eu>
Date:       2009-09-17 4:25:15
Message-ID: 20090917042515.GA6793 () 1wt ! eu
[Download RAW message or body]

Hi Steven,

On Wed, Sep 16, 2009 at 09:19:02PM -0400, Steven M. Christey wrote:
(...)
> One question, though - http://patchwork.ozlabs.org/patch/32830/ patches
> net/sched/sch_api.c / tc_fill_tclass, but the 2005 patch includes
> net/core/neighbour.c, net/sched/cls_api.c, and others.
> 
> So we have:
> 
> tc_fill_qdisc() - already fixed in 2.6; just fixed in 2.4
> 
> http://marc.info/?l=git-commits-head&m=112002138324380
> (not sure of reference for 2.4)
> 
> multiple functions e.g. tcf_fill_node() already fixed in 2.6; unknown
> status in 2.4.  Includes neightbl_fill_info(), neightbl_fill_param_info(),
> and others.
> 
> http://marc.info/?l=git-commits-head&m=112002138324380

This one is here in 2.4 :

   http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.4.37.y.git;a=commitdiff;h=0f3f2328f63c521fe4b435f148687452f98b2349


> tc_fill_tclass() - just fixed in 2.6
> 
> http://patchwork.ozlabs.org/patch/32830/
> 
> 
> So for now, we have:
> 
> CVE-2009-3228 - tc_fill_tclass()

Here in 2.4 :

  http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.4.37.y.git;a=commitdiff;h=096ed17f20affc2db0e307658c69b67433992a7a



> CVE-2005-4881 - tc_fill_qdisc()  (at least)

in 2.4, was fixed with the other one above from 2005 (0f3f23).


> Now we have:
> 
> tcf_fill_node(), neightbl_fill_info(), and others from 2005.
> 
> Typical practice would be to associate tcf_fill_node() and the others with
> CVE-2005-4881, not just have it be with tc_fill_qdisc() - because they
> were all disclosed in 2005.  Then the 2.4 fix might only apply to a
> portion of CVE-2005-4881.  This could make it difficult to coordinate
> low-level patches, but our "(1)" and "(2)" numbering style in the CVE
> description could be used at that level if needed.
> 
> So, let's go with these two numbers.  I'll fill them out later.  (My head
> hurts.)
> 
> Oh, and if anybody could give me more precise version information than
> "2.4" and "2.6" then that would be appreciated.

OK, for 2.4, all the issues mentionned here were fixed in 2.4.37.6 and present
up to 2.4.37.5.

In 2.6 now :

  - tc_fill_tclass was fixed in 2.6.31-rc9 (commit 16ebb5e0)
  - neightbl_fill_info, tcf_fill_node, tc_fill_qdisc... in 2.6.13-rc1
    (commit 9ef1d4c7)

> P.S. I chose the 2005 date in the CVE to help with distinguishing the
> problems, but arguably this should have received a 2009, because the 2005
> fix was so vague that the security implications weren't (apparently) known
> until 2009.

OK, thanks Steven.

Willy


[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic