
List:       oss-security
Subject:    Re: [oss-security] CVE-2012-5532 hypervkvpd DoS
From:       Sebastian Krahmer <krahmer () suse ! de>
Date:       2012-11-28 8:08:20
Message-ID: 20121128080820.GA3097 () suse ! de

Hi,

Indeed. CVE-2012-2669 was actually a fix from us, but it turns out
that it was too strict. Exiting makes indeed no sense. :/

Sebastian

On Tue, Nov 27, 2012 at 02:32:22PM -0700, Vincent Danen wrote:
> * [2012-11-27 11:55:35 -0700] Vincent Danen wrote:
> 
> > * [2012-11-27 11:21:03 -0700] Vincent Danen wrote:
> > 
> > > Just a heads-up on a flaw that was found:
> > > 
> > > Florian Weimer of the Red Hat Product Security Team discovered that hypervkvpd
> > > would exit when it processed a spoofed Netlink packet that had been sent from
> > > an untrusted local user, in the following code:
> > > 
> > > len = recvfrom(fd, kvp_recv_buffer, sizeof(kvp_recv_buffer), 0,
> > >                addr_p, &addr_l);
> > > 
> > > if (len < 0 || addr.nl_pid) {
> > >         syslog(LOG_ERR, "recvfrom failed; pid:%u error:%d %s",
> > >                addr.nl_pid, errno, strerror(errno));
> > >         close(fd);
> > >         return -1;
> > > }
> > > 
> > > This has been corrected upstream already.
> > > 
> > > References:
> > > 
> > > https://git.kernel.org/?p=linux/kernel/git/gregkh/char-misc.git;a=commit;h=95a69adab9acfc3981c504737a2b6578e4d846ef
> > > https://bugzilla.redhat.com/show_bug.cgi?id=877572
> > 
> > Ooops.  This is a bit embarrassing.
> > 
> > This is actually CVE-2012-2669.  Please reject CVE-2012-5532 as a
> > duplicate of CVE-2012-2669.
> > 
> > Thanks.
> 
> Wow, ok, this is a little convoluted.  These actually are not the same
> thing.
> 
> The old fix is here (so this would be CVE-2012-2669):
> 
> https://git.kernel.org/?p=linux/kernel/git/gregkh/char-misc.git;a=blobdiff;f=tools/hv/hv_kvp_daemon.c;h=d9834b36294373f88d29731350ccc9d384b41788;hp=146fd6147e84be5cde2a66009f331f1b6ee2b805;hb=bcc2c9c3fff859e0eb019fe6fec26f9b8eba795c;hpb=cfaf025112d3856637ff34a767ef785ef5cf2ca9
> 
> This, however, while detecting the spoofed netlink packet would still
> cause the daemon to exit.  I'm not sure whether or not it actually fixed
> anything.
> 
> This fix:
> 
> https://git.kernel.org/?p=linux/kernel/git/gregkh/char-misc.git;a=blobdiff;f=tools/hv/hv_kvp_daemon.c;h=c1d910243d49abe6012595d50227648873994ed8;hp=13c2a142331defeb539e40b9fe4d942f66c3aa4a;hb=95a69adab9acfc3981c504737a2b6578e4d846ef;hpb=aeba4a06f28fad11b1e61d150bd3cde3008b80c8
> 
> fixes the previous commit so that now the daemon no longer exits on
> these bad packets.  This would be CVE-2012-5532.
> 
> So CVE-2012-2669 is for "failing to check origin of netlink messages"
> and CVE-2012-5532 is for the "exiting upon receipt of spoofed netlink
> messages" (or something to that effect anyways).
> 
> My apologies for the noise.
> 
> -- 
> Vincent Danen / Red Hat Security Response Team 

-- 

~ perl self.pl
~ $_='print"\$_=\47$_\47;eval"';eval
~ krahmer@suse.de - SuSE Security Team
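What the second fix amounts to, as an added example written for this thread rather than code from hv_kvp_daemon.c: the origin check stays (only nl_pid == 0 is the kernel), but a spoofed datagram is logged and dropped and the receive loop continues instead of returning -1, so an unprivileged local user can no longer stop the daemon. The kvp_* names, the receive-hook typedef and the scripted feed are assumptions made for this example.

```c
#include <errno.h>
#include <sys/types.h>
#ifdef __linux__
#include <linux/netlink.h>   /* struct sockaddr_nl */
#else                        /* stand-in so the logic compiles elsewhere */
struct sockaddr_nl { unsigned short nl_family, nl_pad; unsigned int nl_pid, nl_groups; };
#endif
enum kvp_verdict { KVP_ACCEPT, KVP_DROP_SPOOFED, KVP_RETRY, KVP_FATAL };

/* The kernel always sends with nl_pid == 0, so a non-zero pid means a local user
 * wrote to the socket.  Such a datagram is dropped instead of ending the daemon. */
enum kvp_verdict kvp_check_datagram(ssize_t len, int err, const struct sockaddr_nl *addr)
{
    if (len < 0)
        return (err == EINTR || err == EAGAIN) ? KVP_RETRY : KVP_FATAL;
    return addr->nl_pid != 0 ? KVP_DROP_SPOOFED : KVP_ACCEPT;
}

/* Hypothetical receive hook: recvfrom() on the real socket, or the scripted
 * feed below.  Returns the length, -1 with *err set, or 0 to stop serving. */
typedef ssize_t (*kvp_recv_fn)(void *ctx, struct sockaddr_nl *addr, int *err);

/* Main loop: returns 0 on a clean stop, -1 only on a genuine socket failure. */
int kvp_serve(kvp_recv_fn rx, void *ctx, unsigned *accepted, unsigned *dropped)
{
    struct sockaddr_nl addr = {0}; int err = 0;
    *accepted = *dropped = 0;
    for (;;) {
        ssize_t len = rx(ctx, &addr, &err);
        if (len == 0)
            return 0;
        switch (kvp_check_datagram(len, err, &addr)) {
        case KVP_ACCEPT:       (*accepted)++; break;  /* hand to the KVP handler */
        case KVP_DROP_SPOOFED: (*dropped)++;  break;  /* syslog() it, keep serving */
        case KVP_RETRY:        break;
        case KVP_FATAL:        return -1;
        }
    }
}

/* Constructed datagram feed standing in for the socket in tests. */
struct kvp_sample { ssize_t len; int err; unsigned int pid; };
struct kvp_script { const struct kvp_sample *s; size_t n, i; };
ssize_t kvp_script_recv(void *ctx, struct sockaddr_nl *addr, int *err)
{
    struct kvp_script *sc = ctx;
    if (sc->i >= sc->n) return 0;                  /* end of constructed input */
    const struct kvp_sample *cur = &sc->s[sc->i++];
    addr->nl_pid = cur->pid; *err = cur->err;
    return cur->len;
}
```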

