Bug 404291 (CVE-2007-6282)

Summary: CVE-2007-6282 IPSec ESP kernel panics
Product: [Other] Security Response
Reporter: Dirk Nehring <dnehring>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact: Martin Jenner <mjenner>
Severity: urgent
Priority: low
Version: unspecified
CC: anton, cg, davids, dhoward, herbert.xu, jplans, kreilly, liyanbj, lwang, nhorman, pwouters, qcai, tgraf, vgoyal, williams
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2010-10-11 19:17:48 UTC
Bug Depends On: 427245, 427246, 427247, 427248, 453136
Attachments:
Example panic from a VM (happens also with physical machines!!!)
patch as merged upstream (flags: none)

Description Dirk Nehring 2007-11-29 11:50:06 UTC
Description of problem:
We found out that various kernel versions (2.6.18-xxx) crash with IPSec.
This situation occurs with special clients (NetScreen firewall, Cisco PIX) and
can be reproduced on various platforms. We have an example stacktrace here.

The bug is located in the kernel, not in the tools. We exchanged the
ipsec-tools, no change.

Version-Release number of selected component (if applicable):
2.6.18-x (all versions)

How reproducible:
Very difficult, since it only occurs after some time (30 min - 3 days) and only
with NetScreen firewalls or Cisco PIX.

Steps to Reproduce:
1. Use ipsec-tools and configure tunnels
2. Wait...
Actual results:

Expected results:

Additional info:

I also have a compressed crashdump if anyone needs it (18 MB compressed...)

Comment 1 Dirk Nehring 2007-11-29 11:50:06 UTC
Created attachment 272881 [details]
Example panic from a VM (happens also with physical machines!!!)

Comment 3 Dirk Nehring 2007-12-14 19:48:49 UTC
It turns out that this bug is a crasher FOR ALL 2.6.x kernels, including all
RHEL, Fedora, and pristine kernels! Herbert was informed via security
about this bug; it is a fragmentation problem (if the ESP header is fragmented
before the IV ends, BUG() is called).

Here is the fix:

diff --git a/net/ipv4/esp4.c b/net/ipv4/esp4.c
index 1738113..0f307f1 100644
--- a/net/ipv4/esp4.c
+++ b/net/ipv4/esp4.c
@@ -165,7 +165,7 @@ static int esp_input(struct xfrm_state *x, struct sk_buff *skb)
        int padlen;
        int err;

-       if (!pskb_may_pull(skb, sizeof(*esph)))
+       if (!pskb_may_pull(skb, sizeof(*esph) + esp->conf.ivlen))
                goto out;

        if (elen <= 0 || (elen & (blksize-1)))
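Review bot: the extra `esp->conf.ivlen` term in the `pskb_may_pull()` length is what closes the gap this comment describes, because the IV is read from the linear area right after the header, and `elen` on the following context line is derived from `skb->len`, which bounds the total payload but says nothing about how much of it is linear. Two things to confirm before merging: `pskb_may_pull()` may reallocate the header, so `esph` must be taken from `skb->data` after this call rather than before it; and the field path `esp->conf.ivlen` assumes the pre-AEAD `struct esp_data` layout, which comment 8 later reports as the reason the patch no longer applied upstream, so the merged version needs the IV size obtained from the transform instead.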
diff --git a/net/ipv6/esp6.c b/net/ipv6/esp6.c
index 4440532..d993fa0 100644
--- a/net/ipv6/esp6.c
+++ b/net/ipv6/esp6.c
@@ -155,7 +155,7 @@ static int esp6_input(struct xfrm_state *x, struct sk_buff *skb)
        int nfrags;
        int ret = 0;

-       if (!pskb_may_pull(skb, sizeof(*esph))) {
+       if (!pskb_may_pull(skb, sizeof(*esph) + esp->conf.ivlen)) {
                ret = -EINVAL;
                goto out;
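Review bot: the same pull-length extension is applied here, but the error path differs from the IPv4 hunk: this one assigns `ret = -EINVAL` before `goto out`, whereas esp4.c jumps to `out` with `err` declared but never assigned in the visible lines. Confirm that esp4's `out:` label returns a fixed error rather than `err`, or set `err` there as well, so a packet too short to hold header plus IV is dropped with a defined return value on both address families.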

My colleague Andreas Ferber is currently writing a CVE, CVE-2007-6282.
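The failure mode this comment describes, as an added example that is not code from the bug report, the patch, or the kernel: a user-space model of the pull-before-read sequence at the start of esp_input(). The sk_buff stand-in (struct skb_model, model_may_pull), the header struct, the result codes and an 8-byte IV are assumptions of the model, and the constructed packet is fragmented so that its first piece ends inside the IV, the case the original check let through.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed stand-in for struct ip_esp_hdr: SPI and sequence number; the IV
 * and the encrypted payload follow immediately in the packet. */
struct esp_hdr_model {
    uint32_t spi;
    uint32_t seq_no;
};
#define ESP_HDR_LEN sizeof(struct esp_hdr_model)

/* Assumed stand-in for sk_buff: data holds the whole packet, linear_len is
 * how many leading bytes are in the linear area (the first fragment),
 * total_len is skb->len. */
struct skb_model {
    const uint8_t *data;
    size_t linear_len;
    size_t total_len;
};

/* Model of pskb_may_pull(): fails if the packet is shorter than len,
 * otherwise makes the first len bytes linear (the kernel copies them in
 * from the fragment list). */
static int model_may_pull(struct skb_model *skb, size_t len)
{
    if (len > skb->total_len)
        return 0;
    if (len > skb->linear_len)
        skb->linear_len = len;
    return 1;
}

enum esp_parse_result {
    ESP_OK = 0,             /* header and IV read safely */
    ESP_REJECTED = -1,      /* pull failed: packet dropped with an error */
    ESP_OUT_OF_BOUNDS = -2  /* IV read would leave the linear area: the BUG() case */
};

/* Model of the start of esp_input(): pull pull_len bytes, then read the IV
 * that follows the header.  The pre-fix code pulled ESP_HDR_LEN; the fix
 * pulls ESP_HDR_LEN + ivlen.  Instead of dereferencing past the linear
 * area the model reports it, which is the condition the kernel hit. */
static enum esp_parse_result esp_input_model(struct skb_model *skb, size_t ivlen,
                                             size_t pull_len, uint8_t *iv_out)
{
    if (!model_may_pull(skb, pull_len))
        return ESP_REJECTED;

    /* This is the access the patch protects: the IV must be linear too. */
    if (ESP_HDR_LEN + ivlen > skb->linear_len)
        return ESP_OUT_OF_BOUNDS;

    memcpy(iv_out, skb->data + ESP_HDR_LEN, ivlen);
    return ESP_OK;
}

/* Before the patch: only the fixed-size header is pulled. */
static enum esp_parse_result esp_input_before(struct skb_model *skb, size_t ivlen, uint8_t *iv_out)
{
    return esp_input_model(skb, ivlen, ESP_HDR_LEN, iv_out);
}

/* After the patch: header plus IV are pulled before the IV is read. */
static enum esp_parse_result esp_input_after(struct skb_model *skb, size_t ivlen, uint8_t *iv_out)
{
    return esp_input_model(skb, ivlen, ESP_HDR_LEN + ivlen, iv_out);
}

/* Constructed packet: 8-byte ESP header, 8-byte IV, 16 bytes of payload. */
#define SAMPLE_IVLEN 8
static const uint8_t sample_packet[32] = {
    0x00, 0x00, 0x12, 0x34,                          /* SPI */
    0x00, 0x00, 0x00, 0x01,                          /* sequence number */
    0xa1, 0xa2, 0xa3, 0xa4, 0xa5, 0xa6, 0xa7, 0xa8,  /* IV */
    /* remaining 16 bytes: encrypted payload, left as zero */
};

int main(void)
{
    uint8_t iv[SAMPLE_IVLEN];
    /* Fragment boundary at byte 12: the first fragment ends inside the IV. */
    struct skb_model before = { sample_packet, 12, sizeof sample_packet };
    struct skb_model after  = { sample_packet, 12, sizeof sample_packet };
    struct skb_model trunc  = { sample_packet, 12, 14 };   /* packet cut short */

    printf("before fix: %d\n", esp_input_before(&before, SAMPLE_IVLEN, iv));
    printf("after fix:  %d\n", esp_input_after(&after, SAMPLE_IVLEN, iv));
    printf("truncated:  %d\n", esp_input_after(&trunc, SAMPLE_IVLEN, iv));
    return 0;
}
```

Running it shows the pre-fix path tripping the bounds check (the kernel's BUG()) while the fixed path pulls header plus IV first and reads the IV safely; a packet shorter than header plus IV is rejected by the pull instead of crashing, which is the behaviour a receiver should have for untrusted input.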

Comment 6 Dirk Nehring 2008-03-26 20:34:01 UTC

any updates on this issue? Without this patch, every 2.6 kernel can crash with 
only one fragmented packet.


Comment 8 Thomas Graf 2008-03-27 23:21:19 UTC
Hi Dirk,

Sorry for the delay and thanks for the ping. I've just posted an updated patch
to netdev again a few minutes ago and davem already merged it. It seems that the
original patch posted earlier did not apply as the new aead interface changed
how the ivsize is accessed. Somehow updating the patch to use the new interface
got lost in the cracks.

Muchas gracias again.

Comment 9 Thomas Graf 2008-03-27 23:22:31 UTC
Created attachment 299408 [details]
patch as merged upstream

Comment 13 Paul Wouters 2008-05-27 18:52:15 UTC
I am hearing a report that this patch breaks ESP when used with openswan.

Comment 14 Paul Wouters 2008-05-27 20:06:44 UTC
It seems the report was made on a kernel < 2.6.18-92.el5. This version
reportedly works fine.

Comment 15 Yan Li 2008-05-29 13:17:34 UTC
(In reply to comment #13)
> I am hearing a report that this patch breaks ESP when used with openswan.

This may be true here. After upgrading to 2.6.18-53.1.21.el5, the AT&T Global
Network Client (mtsconnect - version 0.4 2004/08/24) broke on my machine. It
uses IPsec to set up a VPN to connect to the corporate intranet.

I had to roll back to 2.6.18-53.1.19.el5 for this. Hope this can be fixed. If
there's anything I can help with (testing or patch shooting, etc.) please let me know.

Comment 16 Dirk Nehring 2008-05-29 13:36:27 UTC
Same for us, we switched yesterday to the new version and our racoon IPsec
tunnels break! For now we have switched from .21 to .19, which works flawlessly.

Comment 17 Tomas Hoger 2008-06-09 13:32:07 UTC
Regression for Red Hat Enterprise Linux 5 was resolved in the RHEL 5.2 kernel
packages kernel-2.6.18-92.el5 and later.

Comment 19 Dirk Nehring 2008-06-27 15:21:59 UTC
I can confirm that 2.6.18-92.el5 works.