Bug 478800 (CVE-2009-0065)
Summary: | CVE-2009-0065 kernel: sctp: memory overflow when FWD-TSN chunk is received with bad stream ID | ||||||||
---|---|---|---|---|---|---|---|---|---|
Product: | [Other] Security Response | Reporter: | Eugene Teo (Security Response) <eteo> | ||||||
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> | ||||||
Status: | CLOSED ERRATA | QA Contact: | |||||||
Severity: | high | Docs Contact: | |||||||
Priority: | high | ||||||||
Version: | unspecified | CC: | anton, bhu, dhoward, jpirko, lgoncalv, lwang, mjc, nhorman, qcai, rcvalle, redhat-bugzilla, vgoyal, williams | ||||||
Target Milestone: | --- | Keywords: | Security | ||||||
Target Release: | --- | ||||||||
Hardware: | All | ||||||||
OS: | Linux | ||||||||
Whiteboard: | |||||||||
Fixed In Version: | Doc Type: | Bug Fix | |||||||
Doc Text: | Story Points: | --- | |||||||
Clone Of: | Environment: | ||||||||
Last Closed: | 2010-12-21 17:56:50 UTC | Type: | --- | ||||||
Regression: | --- | Mount Type: | --- | ||||||
Documentation: | --- | CRM: | |||||||
Verified Versions: | Category: | --- | |||||||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||
Cloudforms Team: | --- | Target Upstream Version: | |||||||
Embargoed: | |||||||||
Bug Depends On: | 478802, 478803, 478804, 478805, 478959, 478960, 480861, 480862 | ||||||||
Bug Blocks: | |||||||||
Attachments: |
|
Description
Eugene Teo (Security Response)
2009-01-05 05:31:37 UTC
Created attachment 328170 [details]
Upstream patch
I did a brief analysis. This bug can be triggered in the following code path: sctp_do_sm -> call sctp_sf_eat_fwd_tsn* -> sctp_side_effects -> sctp_cmd_interpreter -> cmd->verb (i.e. SCTP_CMD_PROCESS_FWDTSN) linux-2.6:net/sctp/sm_sideeffect.c: 1079 /* This is the side-effect interpreter. */ 1080 static int sctp_cmd_interpreter(sctp_event_t event_type, 1081 sctp_subtype_t subtype, 1082 sctp_state_t state, 1083 struct sctp_endpoint *ep, 1084 struct sctp_association *asoc, 1085 void *event_arg, 1086 sctp_disposition_t status, 1087 sctp_cmd_seq_t *commands, 1088 gfp_t gfp) 1089 { [...] 1112 while (NULL != (cmd = sctp_next_cmd(commands))) { 1113 switch (cmd->verb) { [...] 1170 case SCTP_CMD_PROCESS_FWDTSN: 1171 sctp_cmd_process_fwdtsn(&asoc->ulpq, cmd->obj.ptr); 823 /* Process variable FWDTSN chunk information. */ 824 static void sctp_cmd_process_fwdtsn(struct sctp_ulpq *ulpq, 825 struct sctp_chunk *chunk) 826 { 827 struct sctp_fwdtsn_skip *skip; 828 /* Walk through all the skipped SSNs */ 829 sctp_walk_fwdtsn(skip, chunk) { 830 sctp_ulpq_skip(ulpq, ntohs(skip->stream), ntohs(skip->ssn)); linux-2.6:net/sctp/ulpqueue.c: 936 /* Skip over an SSN. This is used during the processing of 937 * Forwared TSN chunk to skip over the abandoned ordered data 938 */ 939 void sctp_ulpq_skip(struct sctp_ulpq *ulpq, __u16 sid, __u16 ssn) 940 { 941 struct sctp_stream *in; 942 943 /* Note: The stream ID must be verified before this routine. */ 944 in = &ulpq->asoc->ssnmap->in; 945 946 /* Is this an old SSN? If so ignore. */ 947 if (SSN_lt(ssn, sctp_ssn_peek(in, sid))) 948 return; 949 950 /* Mark that we are no longer expecting this SSN or lower. */ 951 sctp_ssn_skip(in, sid, ssn); linux-2.6:include/net/sctp/structs.h: 514 /* Skip over this ssn and all below. */ 515 static inline void sctp_ssn_skip(struct sctp_stream *stream, __u16 id, 516 __u16 ssn) 517 { 518 stream->ssn[id] = ssn+1; Ack on the patch, I remember us looking at it when Wei posted it to the lksctp list Created attachment 328250 [details]
Proposed realtime kernel patch
Luis, kindly review.
Is it possible to exploit this vulnerability by sending a malformed SCTP packet to a machine that's not actively using SCTP? (In reply to comment #9) > Is it possible to exploit this vulnerability by sending a malformed SCTP packet > to a machine that's not actively using SCTP? No. It is only possible if there is an association between SCTP endpoints. Thanks, Eugene This issue has been addressed in following products: Red Hat Enterprise Linux 4 Via RHSA-2009:0331 http://rhn.redhat.com/errata/RHSA-2009:0331.html Update: A buffer overflow was found in the Linux kernel Partial Reliable Stream Control Transmission Protocol (PR-SCTP) implementation. This could, potentially, lead to a remote denial of service or arbitrary code execution if a Forward-TSN chunk is received with a large stream ID. Note: an established connection between SCTP endpoints is necessary to exploit this vulnerability. This issue has already been fixed in Red Hat Enterprise Linux 4, 5, and Red Hat Enterprise MRG, via the asynchronous security advisories RHSA-2009:0331, RHSA-2009:0264, and RHSA-2009:0053, respectively. Red Hat Enterprise Linux 2.1 and 3 are not affected. If the required updates are not installed, or if it is not possible to install at this time, the following workarounds can be used: For users that run applications that use SCTP, the PR-SCTP extension is enabled in the kernel by default if the "sctp" loadable kernel module (LKM) is loaded. You can temporarily disable the PR-SCTP extension by running one of the following commands as the root user: sysctl -w net.sctp.prsctp_enable=0 or echo 0 > /proc/sys/net/sctp/prsctp_enable To make permanent changes with these commands, refer to the following Knowledgebase article: http://kbase.redhat.com/faq/docs/DOC-9435 For users that do not run applications that use SCTP, you can prevent the "sctp" module from being loaded, by adding the following entry to the end of the "/etc/modprobe.d/blacklist" file: blacklist sctp This way, the "sctp" module cannot be loaded accidentally, which may occur if an application that requires SCTP is started. A reboot is not necessary for this change to take effect. This issue has been addressed in following products: Red Hat Enterprise Linux 5.2 Z Stream Via RHSA-2009:1055 https://rhn.redhat.com/errata/RHSA-2009-1055.html This was addressed via: MRG Realtime for RHEL 5 Server (RHSA-2009:0053) Red Hat Enterprise Linux version 5 (RHSA-2009:0264) Red Hat Enterprise Linux version 4 (RHSA-2009:0331) Red Hat Enterprise Linux (v. 5.2.z server) (RHSA-2009:1055) |