Bug 464514 (CVE-2008-4113)
| Summary: | CVE-2008-4113 kernel: sctp_getsockopt_hmac_ident information disclosure | ||||||
|---|---|---|---|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Eugene Teo (Security Response) <eteo> | ||||
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> | ||||
| Status: | CLOSED ERRATA | QA Contact: | |||||
| Severity: | high | Docs Contact: | |||||
| Priority: | high | ||||||
| Version: | unspecified | CC: | bhu, lgoncalv, williams | ||||
| Target Milestone: | --- | Keywords: | Security | ||||
| Target Release: | --- | ||||||
| Hardware: | All | ||||||
| OS: | Linux | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2010-12-21 17:43:58 UTC | Type: | --- | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Bug Depends On: | 464515 | ||||||
| Bug Blocks: | |||||||
| Attachments: |
|
||||||
Created attachment 327941 [details]
Reproducer
This was addressed via: MRG Realtime for RHEL 5 Server (RHSA-2008:0857) |
Description of problem: From source code file: net/sctp/socket.c [...] SCTP_STATIC int sctp_getsockopt(struct sock *sk, int level, int optname, char __user *optval, int __user *optlen) { int retval = 0; int len; [...] if (get_user(len, optlen)) <-- [1] return -EFAULT; [...] case SCTP_HMAC_IDENT: retval = sctp_getsockopt_hmac_ident(sk, len, optval, optlen); <-- [2] break; [...] [1] The user controlled value of "optlen" is copied into "len" [2] "len" is used as a parameter for the function "sctp_getsockopt_hmac_ident()" {...] static int sctp_getsockopt_hmac_ident(struct sock *sk, int len, char __user *optval, int __user *optlen) { struct sctp_hmac_algo_param *hmacs; __u16 param_len; hmacs = sctp_sk(sk)->ep->auth_hmacs_list; <-- [3] param_len = ntohs(hmacs->param_hdr.length); <-- [4] if (len < param_len) <-- [5] return -EINVAL; if (put_user(len, optlen)) return -EFAULT; if (copy_to_user(optval, hmacs->hmac_ids, len)) <-- [6] return -EFAULT; return 0; } [...] If SCTP authentication is enabled (net.sctp.auth_enable=1): [3] "hmacs" gets a valid value [4] "param_len" gets a valid value [5] The length check can be easily passed as "len" is user controlled [6] "len" is a user controlled value, therefore it is possible to control the number of bytes that get copied back to the user As "len" isn't validated at all an unprivileged user can read arbitrary data from memory. References: http://trapkit.de/advisories/TKADV2008-007.txt http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4113