Secure testing team - Mar 2006 - Re: Bug#309308: kernel-image-2.6.8-2-686-smp: VLAN Oops fix for 2.6.8

On Fri, Aug 12, 2005 at 09:26:49AM +0200, Moritz Muehlenhoff
wrote:
> Horms wrote:
> > > > There is no public CVE assignment for this issue.
If''s it easily reproducable
> > > > for non-root, it might account as a local DoS vulnerability.
> > > 
> > > mii-tool''s IOCTL is only allowed by root.
> > > 
> > > The remote DoS comes from the fact that snmpd will call this
IOCTL when it
> > > gets a request for the interface statistics.
> > > 
> > > So it''s exploitable via SNMP if the exploiter has access
to the SNMP tree
> > > in question. (Which is not the default, if I recall correctly?)
> > > 
> > > However, this means that cricket will bone the machine during the
boot process,
> > > or soon after.
> > 
> > I think thats a strong enough reason to tag it as a security fix,
> > and thus include it in a kernel security update.
> 
> Hi Horms,
> this is now CAN-2005-2548. Can you please add it to the changelog?
Of course. Its in now.

-- 
Horms

Horms wrote:
> > below patch has been slurped into the Debian patches for 2.6.8, but
the
> > error posted looks like the same error I suffered when hitting this
bug.
> > 
> > Patch from
http://lists.osdl.org/pipermail/bridge/2004-September/000638.html
> > 
> > Cut and paste from the web archive, so spacing etc. may be boned.
> > But it''s a typo-only fix anyway, so easy enough to recreate.
> 
> Thanks I have added this to SVN. 
> 
> Is this considered a security bug and if so does it have a CAN number?
There is no public CVE assignment for this issue. If''s it easily
reproducable
for non-root, it might account as a local DoS vulnerability.

Cheers,
        Moritz

tags +pending 309308
tags +patch 309308
thanks

On Thu, Aug 11, 2005 at 11:42:54AM +1000, Paul TBBle Hampson
wrote:
> Package: kernel-image-2.6.8-2-686-smp
> Followup-For: Bug #309308
> 
> Just noticed this bug in the testing-security list. I don''t know
if the
> below patch has been slurped into the Debian patches for 2.6.8, but the
> error posted looks like the same error I suffered when hitting this bug.
> 
> Patch from
http://lists.osdl.org/pipermail/bridge/2004-September/000638.html
> 
> The patch was taken into 2.6.9-rc2, and the bug was in code introduced
> very late in the 2.6.8 cycle. (August 2004 I believe)
> 
> diff -Nru a/net/8021q/vlan_dev.c b/net/8021q/vlan_dev.c
> --- a/net/8021q/vlan_dev.c      2004-09-10 06:12:16 -07:00
> +++ b/net/8021q/vlan_dev.c      2004-09-10 06:12:16 -07:00
> @@ -772,7 +772,7 @@
>         case SIOCGMIIREG:
>         case SIOCSMIIREG:
>                 if (real_dev->do_ioctl &&
netif_device_present(real_dev))
> -                       err = real_dev->do_ioctl(dev, &ifrr, cmd);
> +                       err = real_dev->do_ioctl(real_dev, &ifrr,
cmd);
>                 break;
> 
>         case SIOCETHTOOL:
> 
> Cut and paste from the web archive, so spacing etc. may be boned.
> But it''s a typo-only fix anyway, so easy enough to recreate.
Thanks I have added this to SVN. 

Is this considered a security bug and if so does it have a CAN number?

-- 
Horms

Horms wrote:
> > > There is no public CVE assignment for this issue. If''s
it easily reproducable
> > > for non-root, it might account as a local DoS vulnerability.
> > 
> > mii-tool''s IOCTL is only allowed by root.
> > 
> > The remote DoS comes from the fact that snmpd will call this IOCTL
when it
> > gets a request for the interface statistics.
> > 
> > So it''s exploitable via SNMP if the exploiter has access to
the SNMP tree
> > in question. (Which is not the default, if I recall correctly?)
> > 
> > However, this means that cricket will bone the machine during the boot
process,
> > or soon after.
> 
> I think thats a strong enough reason to tag it as a security fix,
> and thus include it in a kernel security update.
Hi Horms,
this is now CAN-2005-2548. Can you please add it to the changelog?

Cheers,
        Moritz