CVE-2010-4526

Bug #799828 reported by Andy Whitcroft
Affects                                Status        Importance  Assigned to      Milestone
linux (Ubuntu)                         Invalid       Undecided   Unassigned
  Hardy                                Fix Released  Undecided   Andy Whitcroft
  Lucid                                Fix Released  Undecided   Unassigned
  Maverick                             Invalid       Undecided   Unassigned
  Natty                                Invalid       Undecided   Unassigned
  Oneiric                              Invalid       Undecided   Unassigned
linux-fsl-imx51 (Ubuntu)               Invalid       Undecided   Unassigned
  Hardy                                Invalid       Undecided   Unassigned
  Lucid                                Fix Released  Undecided   Andy Whitcroft
  Maverick                             Invalid       Undecided   Unassigned
  Natty                                Invalid       Undecided   Unassigned
  Oneiric                              Invalid       Undecided   Unassigned
linux-lts-backport-maverick (Ubuntu)   Invalid       Undecided   Unassigned
  Hardy                                Invalid       Undecided   Unassigned
  Lucid                                Invalid       Undecided   Unassigned
  Maverick                             Invalid       Undecided   Unassigned
  Natty                                Invalid       Undecided   Unassigned
  Oneiric                              Invalid       Undecided   Unassigned
linux-mvl-dove (Ubuntu)                Invalid       Undecided   Unassigned
  Hardy                                Invalid       Undecided   Unassigned
  Lucid                                Invalid       Undecided   Unassigned
  Maverick                             Invalid       Undecided   Unassigned
  Natty                                Invalid       Undecided   Unassigned
  Oneiric                              Invalid       Undecided   Unassigned
linux-ti-omap4 (Ubuntu)                Invalid       Undecided   Unassigned
  Hardy                                Invalid       Undecided   Unassigned
  Lucid                                Invalid       Undecided   Unassigned
  Maverick                             Invalid       Undecided   Unassigned
  Natty                                Invalid       Undecided   Unassigned
  Oneiric                              Invalid       Undecided   Unassigned

Bug Description

Fixed-by: 50b5d6ad63821cea324a5a7a19854d4de1a0a819

  commit 50b5d6ad63821cea324a5a7a19854d4de1a0a819
  Author: Vlad Yasevich <email address hidden>
  Date: Thu May 6 00:56:07 2010 -0700

    sctp: Fix a race between ICMP protocol unreachable and connect()

    ICMP protocol unreachable handling completely disregarded
    the fact that the user may have locked the socket. It proceeded
    to destroy the association, even though the user may have
    held the lock and had a ref on the association. This resulted
    in the following:

    Attempt to release alive inet socket f6afcc00

    =========================
    [ BUG: held lock freed! ]
    -------------------------
    somenu/2672 is freeing memory f6afcc00-f6afcfff, with a lock still held
    there!
     (sk_lock-AF_INET){+.+.+.}, at: [<c122098a>] sctp_connect+0x13/0x4c
    1 lock held by somenu/2672:
     #0: (sk_lock-AF_INET){+.+.+.}, at: [<c122098a>] sctp_connect+0x13/0x4c

    stack backtrace:
    Pid: 2672, comm: somenu Not tainted 2.6.32-telco #55
    Call Trace:
     [<c1232266>] ? printk+0xf/0x11
     [<c1038553>] debug_check_no_locks_freed+0xce/0xff
     [<c10620b4>] kmem_cache_free+0x21/0x66
     [<c1185f25>] __sk_free+0x9d/0xab
     [<c1185f9c>] sk_free+0x1c/0x1e
     [<c1216e38>] sctp_association_put+0x32/0x89
     [<c1220865>] __sctp_connect+0x36d/0x3f4
     [<c122098a>] ? sctp_connect+0x13/0x4c
     [<c102d073>] ? autoremove_wake_function+0x0/0x33
     [<c12209a8>] sctp_connect+0x31/0x4c
     [<c11d1e80>] inet_dgram_connect+0x4b/0x55
     [<c11834fa>] sys_connect+0x54/0x71
     [<c103a3a2>] ? lock_release_non_nested+0x88/0x239
     [<c1054026>] ? might_fault+0x42/0x7c
     [<c1054026>] ? might_fault+0x42/0x7c
     [<c11847ab>] sys_socketcall+0x6d/0x178
     [<c10da994>] ? trace_hardirqs_on_thunk+0xc/0x10
     [<c1002959>] syscall_call+0x7/0xb

    This was because the sctp_wait_for_connect() would acquire the socket
    lock and then proceed to release the last reference count on the
    association, thus causing the full destruction path to finish freeing
    the socket.

    The simplest solution is to start a very short timer in case the socket
    is owned by user. When the timer expires, we can do some verification
    and be able to do the release properly.

    Signed-off-by: Vlad Yasevich <email address hidden>
    Signed-off-by: David S. Miller <email address hidden>

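The commit message above describes the race in prose only. The following userspace model, added here as an illustration and not taken from the kernel or from the commit, replays the interleaving the report describes: connect() holds the socket lock and a reference on the association when the ICMP protocol-unreachable message arrives. All struct names, fields and helpers (sock, assoc, assoc_hold, assoc_put, assoc_abort, proto_unreach_timer, run_scenario) are constructed for this example and are not the SCTP code's own identifiers. It contrasts a handler that tears the association down regardless of who owns the socket lock with the deferred form the fix uses: when a user process owns the lock, take a reference, arm a short timer, and let the timer finish the teardown once the lock is free.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Toy model of the two objects involved (constructed; not the kernel's types). */
struct sock {
    bool owned_by_user;   /* a syscall such as connect() holds the socket lock */
    bool freed;
};

struct assoc {
    struct sock *sk;
    int refcnt;
    bool dead;            /* teardown already started */
    bool timer_armed;     /* deferred protocol-unreachable check is pending */
};

/* Counts the condition lockdep flagged: socket memory freed while its lock is held. */
static int freed_while_locked;

static void sock_free(struct sock *sk)
{
    if (sk->owned_by_user)
        freed_while_locked++;
    sk->freed = true;
}

static void assoc_hold(struct assoc *a) { a->refcnt++; }

static void assoc_put(struct assoc *a)
{
    if (--a->refcnt > 0)
        return;
    /* Last reference: the full destruction path finishes by freeing the socket. */
    sock_free(a->sk);
}

/* Mark the association dead and drop the reference the socket held on it. */
static void assoc_abort(struct assoc *a)
{
    if (a->dead)
        return;
    a->dead = true;
    assoc_put(a);
}

/* Original behaviour: tears the association down in ICMP context, ignoring the lock owner. */
static void icmp_unreach_naive(struct assoc *a)
{
    assoc_abort(a);
}

/* Fixed behaviour: while a user process owns the lock, keep a reference on the
 * association and arm a short timer instead of destroying it here. */
static void icmp_unreach_deferred(struct assoc *a)
{
    if (a->sk->owned_by_user) {
        if (!a->timer_armed) {
            a->timer_armed = true;
            assoc_hold(a);       /* the timer's reference keeps the association alive */
        }
        return;
    }
    assoc_abort(a);
}

/* Timer callback: it takes the socket lock itself, so it only proceeds once no
 * user process owns the lock; otherwise it stays armed and keeps its reference. */
static void proto_unreach_timer(struct assoc *a)
{
    if (a->sk->owned_by_user)
        return;
    a->timer_armed = false;
    if (!a->dead)
        assoc_abort(a);
    assoc_put(a);                /* drop the timer's reference */
}

/* Replays the reported interleaving. Returns the number of "freed while locked"
 * violations (0 means the race is handled); *socket_freed, if non-NULL, reports
 * whether the socket was eventually released. */
static int run_scenario(void (*icmp_handler)(struct assoc *), bool *socket_freed)
{
    struct sock sk = { .owned_by_user = false, .freed = false };
    struct assoc a = { .sk = &sk, .refcnt = 1, .dead = false, .timer_armed = false };

    freed_while_locked = 0;
    sk.owned_by_user = true;     /* sctp_connect(): lock_sock() */
    assoc_hold(&a);              /* connect() takes its own reference; refcnt is now 2 */
    icmp_handler(&a);            /* ICMP protocol unreachable arrives meanwhile */
    assoc_put(&a);               /* sctp_wait_for_connect() returns and drops its reference */
    sk.owned_by_user = false;    /* release_sock() */
    if (a.timer_armed)
        proto_unreach_timer(&a); /* the short timer expires after the lock is released */

    if (socket_freed)
        *socket_freed = sk.freed;
    return freed_while_locked;
}

static bool scenario_frees_socket(void (*h)(struct assoc *))
{
    bool f = false;
    run_scenario(h, &f);
    return f;
}

int main(void)
{
    int naive = run_scenario(icmp_unreach_naive, NULL);
    int fixed = run_scenario(icmp_unreach_deferred, NULL);
    printf("naive handler:    %d violation(s)\n", naive);
    printf("deferred handler: %d violation(s), socket released later: %d\n",
           fixed, scenario_frees_socket(icmp_unreach_deferred));
    return 0;
}
```

The naive path frees the socket from under the lock holder exactly as the lockdep splat shows; the deferred path still tears the association down and releases the socket, but only once connect() has dropped its reference and released the lock. The timer's own reference is what keeps the deferral safe: without it the association could disappear between arming and expiry.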
Andy Whitcroft (apw) wrote :

CVE-2010-4526

tags: added: kernel-cve-tracking-bug
security vulnerability: no → yes
Changed in linux (Ubuntu Hardy):
status: New → Confirmed
Changed in linux (Ubuntu Lucid):
status: New → Fix Released
Changed in linux (Ubuntu Maverick):
status: New → Invalid
Changed in linux (Ubuntu Natty):
status: New → Invalid
Changed in linux (Ubuntu Oneiric):
status: New → Invalid
Andy Whitcroft (apw)
Changed in linux-fsl-imx51 (Ubuntu Hardy):
status: New → Invalid
Changed in linux-fsl-imx51 (Ubuntu Lucid):
status: New → Confirmed
Changed in linux-fsl-imx51 (Ubuntu Maverick):
status: New → Invalid
Changed in linux-fsl-imx51 (Ubuntu Natty):
status: New → Invalid
Changed in linux-fsl-imx51 (Ubuntu Oneiric):
status: New → Invalid
Changed in linux-lts-backport-maverick (Ubuntu Hardy):
status: New → Invalid
Changed in linux-lts-backport-maverick (Ubuntu Lucid):
status: New → Invalid
Changed in linux-lts-backport-maverick (Ubuntu Maverick):
status: New → Invalid
Changed in linux-lts-backport-maverick (Ubuntu Natty):
status: New → Invalid
Changed in linux-lts-backport-maverick (Ubuntu Oneiric):
status: New → Invalid
Changed in linux-mvl-dove (Ubuntu Hardy):
status: New → Invalid
Changed in linux-mvl-dove (Ubuntu Lucid):
status: New → Invalid
Changed in linux-mvl-dove (Ubuntu Maverick):
status: New → Invalid
Changed in linux-mvl-dove (Ubuntu Natty):
status: New → Invalid
Changed in linux-mvl-dove (Ubuntu Oneiric):
status: New → Invalid
Changed in linux-ti-omap4 (Ubuntu Hardy):
status: New → Invalid
Changed in linux-ti-omap4 (Ubuntu Lucid):
status: New → Invalid
Changed in linux-ti-omap4 (Ubuntu Maverick):
status: New → Invalid
Changed in linux-ti-omap4 (Ubuntu Natty):
status: New → Invalid
Changed in linux-ti-omap4 (Ubuntu Oneiric):
status: New → Invalid
Andy Whitcroft (apw)
description: updated
Andy Whitcroft (apw)
Changed in linux (Ubuntu Hardy):
assignee: nobody → Andy Whitcroft (apw)
status: Confirmed → In Progress
Changed in linux-fsl-imx51 (Ubuntu Lucid):
assignee: nobody → Andy Whitcroft (apw)
status: Confirmed → In Progress
Tim Gardner (timg-tpi)
Changed in linux (Ubuntu Hardy):
status: In Progress → Fix Committed
Changed in linux-fsl-imx51 (Ubuntu Lucid):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 2.6.24-29.91

---------------
linux (2.6.24-29.91) hardy-proposed; urgency=low

  [Steve Conklin]

  * Release Tracking Bug
    - LP: #801636

  [Andy Whitcroft]

  * custom binaries need VERSION_SIGNATURE updated during prepare
    - LP: #794698

  [Stefan Bader]

  * (config) Disable COMPAT_VDSO for i386 Xen kernels
    - LP: #794715
  * XEN: Add yield points to blktap and blkback
    - LP: #791212
    - CVE-2010-4247
  * xen: Fix memory corruption caused by double free
    - LP: #705562

  [Upstream Kernel Changes]

  * agp: fix arbitrary kernel memory writes, CVE-1011-2022
    - LP: #788684
    - CVE-1011-2022
  * agp: fix OOM and buffer overflow
    - LP: #791918
    - CVE-2011-1746
  * tty: icount changeover for other main devices, CVE-2010-4076,
    CVE-2010-4077
    - LP: #794034
    - CVE-2010-4077
  * fs/partitions/efi.c: corrupted GUID partition tables can cause kernel
    oops
    - LP: #795418
    - CVE-2011-1577
  * Fix corrupted OSF partition table parsing
    - LP: #796606
    - CVE-2011-1163
  * proc: avoid information leaks to non-privileged processes
    - LP: #799906
    - CVE-2011-0726
  * proc: protect mm start_code/end_code in /proc/pid/stat
    - LP: #799906
    - CVE-2011-0726
  * sctp: Fix a race between ICMP protocol unreachable and connect()
    - LP: #799828
    - CVE-2010-4526
  * xen: blkback, blktap: Fix potential resource leak
    - LP: #800254
 -- Steve Conklin <email address hidden> Fri, 24 Jun 2011 10:59:11 -0500

Changed in linux (Ubuntu Hardy):
status: Fix Committed → Fix Released
Andy Whitcroft (apw)
Changed in linux-fsl-imx51 (Ubuntu Lucid):
status: Fix Committed → Fix Released
This report contains Public Security information: everyone can see this security related information.