Bug 404291 (CVE-2007-6282)
| Field | Value |
|---|---|
| Summary | CVE-2007-6282 IPSec ESP kernel panics |
| Product | [Other] Security Response |
| Component | vulnerability |
| Status | CLOSED ERRATA |
| Severity | urgent |
| Priority | low |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| Reporter | Dirk Nehring <dnehring> |
| Assignee | Red Hat Product Security <security-response-team> |
| QA Contact | Martin Jenner <mjenner> |
| CC | anton, cg, davids, dhoward, herbert.xu, jplans, kreilly, liyanbj, lwang, nhorman, pwouters, qcai, tgraf, vgoyal, williams |
| Keywords | Security |
| Doc Type | Bug Fix |
| Last Closed | 2010-10-11 19:17:48 UTC |
| Bug Depends On | 427245, 427246, 427247, 427248, 453136 |
Description: Dirk Nehring, 2007-11-29 11:50:06 UTC
Created attachment 272881 [details]
Example panic from a VM (happens also with physical machines!!!)
It turns out that this bug is a crasher FOR ALL 2.6.x kernel, including all RHEL, Fedora, and pristine kernels! Herbert was informed via security about this bug, it is a fragmentation problem (if the ESP header is fragmented before the iv ends, BUG() is called). Here is the fix: diff --git a/net/ipv4/esp4.c b/net/ipv4/esp4.c index 1738113..0f307f1 100644 --- a/net/ipv4/esp4.c +++ b/net/ipv4/esp4.c @@ -165,7 +165,7 @@ static int esp_input(struct xfrm_state *x, struct sk_buff *skb) int padlen; int err; - if (!pskb_may_pull(skb, sizeof(*esph))) + if (!pskb_may_pull(skb, sizeof(*esph) + esp->conf.ivlen)) goto out; if (elen <= 0 || (elen & (blksize-1))) diff --git a/net/ipv6/esp6.c b/net/ipv6/esp6.c index 4440532..d993fa0 100644 --- a/net/ipv6/esp6.c +++ b/net/ipv6/esp6.c @@ -155,7 +155,7 @@ static int esp6_input(struct xfrm_state *x, struct sk_buff *skb) int nfrags; int ret = 0; - if (!pskb_may_pull(skb, sizeof(*esph))) { + if (!pskb_may_pull(skb, sizeof(*esph) + esp->conf.ivlen)) { ret = -EINVAL; goto out; } My collegue Andreas Ferber is currently writing a CVS, CVE-2007-6282. Hi, any updates on this issue? Without this patch, every 2.6 kernel can crash with only one fragmented packet. Dirk Hi Dirk, Sorry for the delay and thanks for the ping. I've just posted an updated patch to netdev again a few minutes ago and davem already merged it. It seems that the original patch posted earlier did not apply as the new aead interface changed how the ivsize is accessed. Somehow updating the patch to use the new interface got lost in the cracks. Muchas gracias again. Created attachment 299408 [details]
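Review bot: in the net/ipv4/esp4.c hunk the failure path is a bare `goto out` while `err` is declared without an initializer two lines above the check, whereas the esp6 hunk sets `ret = -EINVAL` before its `goto out`; confirm that the `out` label in esp_input() returns an explicit error for this new, longer pull rather than a stale value, or mirror the esp6 form. The lengthened pull itself is the right fix: `pskb_may_pull(skb, sizeof(*esph) + esp->conf.ivlen)` guarantees that the IV esp_input() reads immediately after the header lies in the linear area, which is exactly the fragmented-IV case the report describes.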
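Review bot: the net/ipv6/esp6.c hunk, like the esp4 one, takes the IV length from `esp->conf.ivlen`; a later comment on this bug states that the patch as first posted no longer applied once the aead interface changed how ivsize is accessed, so this hunk should be read as the pre-aead form and the merged commit linked from the git.kernel.org URL treated as the authoritative version. Otherwise the change is consistent with esp4: header plus IV is pulled before the IV is dereferenced, and the early `ret = -EINVAL` keeps the return value well defined.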
patch as merged upstream
http://marc.info/?l=linux-netdev&m=120372380411259&w=2
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=920fc941a9617f95ccb283037fe6f8a38d95bb69

I am hearing a report that this patch breaks ESP when used with openswan. It seems the report was made on a kernel < 2.6.18-92.el5. This version reportedly works fine.

(In reply to comment #13)
> I am hearing a report that this patch breaks ESP when used with openswan.

This may be true here. After upgrading to 2.6.18-53.1.21.el5, the AT&T Global Network Client (mtsconnect - version 0.4 2004/08/24) broke on my machine. It uses IPsec to set up a VPN to connect to the corporate intranet. I had to roll back to 2.6.18-53.1.19.el5 for this. Hope this can be fixed. If there's anything I can help with (testing or patch shooting, etc.), please let me know. Thanks!

Same for us: we switched yesterday to the new version and our racoon IPsec tunnels break! We have now switched from .21 back to .19, which works flawlessly.

Regression for Red Hat Enterprise Linux 5 was resolved in the RHEL 5.2 kernel packages kernel-2.6.18-92.el5 and later.

I can confirm that 2.6.18-92.el5 works.
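As an added illustration, not code from this bug report and not kernel code: a small user-space model of the length check that the patch extends. `fake_skb`, `may_pull`, `esp_input_model` and `run_scenario` are hypothetical names; `may_pull` keeps only the property of pskb_may_pull() that matters here (if the packet holds at least the requested number of bytes, those bytes become directly addressable). A packet whose first fragment ends inside the IV passes the old 8-byte check and then has its IV read from memory that is not linear, which is the condition the report says reaches BUG(); the header-plus-IV check either rejects the packet or makes the IV linear first.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical user-space stand-in for the few sk_buff fields that matter
 * here; not the kernel's struct sk_buff. */
struct fake_skb {
    const uint8_t *data;  /* start of the linear, directly addressable bytes */
    size_t linear_len;    /* bytes currently in the linear area */
    size_t total_len;     /* linear bytes plus bytes still held in fragments */
};

/* Fixed ESP header: SPI (4 bytes) + sequence number (4 bytes). */
#define ESP_HDR_LEN 8

enum esp_result {
    ESP_OK = 0,                 /* header and IV read from linear memory */
    ESP_TOO_SHORT = -1,         /* packet rejected: fewer bytes than required */
    ESP_NONLINEAR_ACCESS = -2,  /* code would read past the linear area */
    ESP_BAD_SCENARIO = -3       /* constructed inputs outside the model */
};

/* Model of pskb_may_pull(): fails if the packet has fewer than `len` bytes
 * overall; otherwise guarantees the first `len` bytes are linear (the real
 * function copies them out of the fragments). */
static bool may_pull(struct fake_skb *skb, size_t len)
{
    if (len > skb->total_len)
        return false;
    if (len > skb->linear_len)
        skb->linear_len = len;
    return true;
}

/* The two versions of the check. `fixed == false` pulls only the 8-byte
 * header, as before the patch; `fixed == true` pulls header plus IV. The IV
 * access that follows is identical in both versions. */
static enum esp_result esp_input_model(struct fake_skb *skb, size_t ivlen, bool fixed)
{
    uint8_t iv[32];
    size_t need = fixed ? ESP_HDR_LEN + ivlen : ESP_HDR_LEN;

    if (!may_pull(skb, need))
        return ESP_TOO_SHORT;

    /* esp_input() then reads the IV immediately after the header. In the
     * kernel this was a direct dereference; when those bytes were not linear
     * the packet path hit BUG(). This model reports the condition instead. */
    if (ESP_HDR_LEN + ivlen > skb->linear_len)
        return ESP_NONLINEAR_ACCESS;

    memcpy(iv, skb->data + ESP_HDR_LEN, ivlen);
    (void)iv;
    return ESP_OK;
}

/* One constructed packet scenario: `linear` bytes directly addressable,
 * `total` bytes overall, block-cipher IV of `ivlen` bytes. */
enum esp_result run_scenario(size_t linear, size_t total, size_t ivlen, bool fixed)
{
    /* Constructed packet: SPI 0x1001, sequence 1, then IV/payload bytes. */
    static const uint8_t pkt[64] = {
        0x00, 0x00, 0x10, 0x01,  0x00, 0x00, 0x00, 0x01,
    };
    struct fake_skb skb = { pkt, linear, total };

    if (ivlen > sizeof(uint8_t[32]) || total > sizeof pkt || linear > total)
        return ESP_BAD_SCENARIO;
    return esp_input_model(&skb, ivlen, fixed);
}

int main(void)
{
    /* First fragment ends 4 bytes into a 16-byte IV: header fits, IV does not. */
    printf("fragmented inside IV, old check: %d\n", run_scenario(12, 64, 16, false));
    printf("fragmented inside IV, new check: %d\n", run_scenario(12, 64, 16, true));
    /* Packet genuinely shorter than header + IV. */
    printf("truncated packet, old check:     %d\n", run_scenario(12, 20, 16, false));
    printf("truncated packet, new check:     %d\n", run_scenario(12, 20, 16, true));
    return 0;
}
```

The first scenario is the one the report describes: the old check succeeds because 8 bytes are available, and the IV read then runs off the end of the linear area. The same packet under the new check is pulled to 24 bytes and processed normally, and a packet that is too short for header plus IV is now rejected with an error instead of reaching the bad access.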