Bug 447389 (CVE-2008-2358)

Summary: CVE-2008-2358 kernel: dccp: sanity check feature length
Product: [Other] Security Response
Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: acme, anton, chrisw, dhoward, jskrabal, lwang, security-response-team, vgoyal, williams
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2010-12-23 19:00:26 UTC
Bug Depends On: 447395, 447396

Description Jan Lieskovsky 2008-05-19 19:33:14 UTC
Description of problem:

Backport the feature length validation.  Without this it's possible for
rlen to overflow to 0, causing kmalloc(0), and a heap overflow during
DCCP feature reconciliation.
                rlen = 1 + opt->dccpop_len;
                rpref = kmalloc(rlen, GFP_ATOMIC);
                memcpy(&rpref[1], opt->dccpop_val, opt->dccpop_len);
Thanks to Brandon Edwards of McAfee Avert labs for discovering this issue.


A vulnerability exists in the DCCP implementation which can be set up and
exploited by a local attacker. The vulnerability is an integer overflow which
leads to a kmalloc() for 0 bytes, followed by a memory copy into the returned
pointer for 255 bytes, which causes a heap overflow. This type of vulnerability
can be exploited by a local attacker to gain arbitrary code execution.

Version-Release number of selected component (if applicable):
2.6.17 <= x <= 2.6.20 (See the timeline for more details)

Additional information:

This vulnerability affects the dccp kernel module (shipped as part of the
RHEL kernel updates).

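The arithmetic the report describes, shown as an added, self-contained example that is not kernel code and not part of this bug: the same `rlen = 1 + dccpop_len` computed in an 8-bit variable (as in the snippet above) wraps to 0 for a 255-byte value, while the same sum in `size_t` does not, and a length check like the one proposed in this bug rejects the oversized value before any allocation happens. `rlen_u8`, `rlen_size_t`, `validate_feat_len` and `build_rpref` are names chosen here for illustration; the limit of 3 bytes mirrors the proposed patch and the sample value bytes are constructed.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef uint8_t u8;

/* Same width as the vulnerable snippet: rlen is a u8, so 1 + 255 wraps to 0.
 * The sum is computed in int (256) and truncated on assignment. */
u8 rlen_u8(u8 dccpop_len)
{
	u8 rlen = 1 + dccpop_len;
	return rlen;
}

/* The same sum carried out in size_t cannot wrap: 1 + 255 == 256. */
size_t rlen_size_t(u8 dccpop_len)
{
	return (size_t)1 + dccpop_len;
}

/* Illustrative mirror of the proposed sanity check: feature values longer
 * than 3 bytes are rejected with -EINVAL, the convention used by the patch. */
int validate_feat_len(u8 len)
{
	if (len > 3)
		return -EINVAL;
	return 0;
}

/* Hardened version of the reconciliation buffer setup: validate first, size
 * the allocation in size_t, and only then allocate and copy. Returns NULL on
 * an invalid length or allocation failure; the caller frees the buffer.
 * (rpref[0] is left zeroed here; the real code fills it separately.) */
u8 *build_rpref(const u8 *val, u8 len, size_t *out_len)
{
	if (validate_feat_len(len) != 0)
		return NULL;

	size_t rlen = rlen_size_t(len);	/* never 0, even for len == 255 */
	u8 *rpref = malloc(rlen);
	if (rpref == NULL)
		return NULL;

	rpref[0] = 0;
	memcpy(&rpref[1], val, len);	/* len + 1 <= rlen, so this fits */
	if (out_len != NULL)
		*out_len = rlen;
	return rpref;
}

int main(void)
{
	/* Constructed sample feature value, 3 bytes long. */
	const u8 val[8] = { 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88 };
	size_t n = 0;

	printf("u8 rlen for len=255: %u (wrapped)\n", rlen_u8(255));
	printf("size_t rlen for len=255: %zu\n", rlen_size_t(255));
	printf("validate_feat_len(255) = %d\n", validate_feat_len(255));

	u8 *p = build_rpref(val, 3, &n);
	printf("build_rpref(len=3): %s, %zu bytes\n", p ? "ok" : "rejected", n);
	free(p);

	p = build_rpref(val, 8, &n);
	printf("build_rpref(len=8): %s\n", p ? "ok" : "rejected");
	free(p);
	return 0;
}
```

The point of keeping `rlen_u8` beside `rlen_size_t` is that the length check alone is what the patch adds; widening the accumulator is the belt-and-braces change that would make the allocation size safe even if a future caller bypassed the check.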
Comment 2 Jan Lieskovsky 2008-05-19 19:40:15 UTC
Proposed patch from the reporter:

diff --git a/net/dccp/feat.c b/net/dccp/feat.c
index a1b0682..aceb1db 100644
--- a/net/dccp/feat.c
+++ b/net/dccp/feat.c
@@ -25,6 +25,11 @@ int dccp_feat_change(struct dccp_minisock *dmsk, u8 type, u8
dccp_pr_debug("feat change type=%d feat=%d\n", type, feature);
+       if (len > 3) {
+               if (net_ratelimit())
+                       printk("%s: invalid length %d\n", __func__, len);
+               return -EINVAL;
+       }
        /* XXX sanity check feat change request */
        /* check if that feature is already being negotiated */
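Review bot: the printk added in this hunk has no KERN_ log level, and `3` is an unexplained magic number; suggest `printk(KERN_WARNING "%s: invalid length %d\n", __func__, len);` and a comment (or named constant) saying why feature values longer than 3 bytes are rejected, so the connection to the u8 `rlen = 1 + opt->dccpop_len` wrap described in the report is visible at the check. Placing the check ahead of the existing "sanity check feat change request" comment is the right spot for this entry point; it is worth confirming that every path that sets dccpop_len goes through dccp_feat_change, since any other path would still reach the unchecked kmalloc/memcpy.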

Comment 6 Tomas Hoger 2008-06-10 07:07:02 UTC
Public now, lifting embargo:
Comment 13 Vincent Danen 2010-12-23 19:00:26 UTC
This was addressed via:

Red Hat Enterprise Linux version 5 (RHSA-2008:0519)