Bug 478800 (CVE-2009-0065)

Summary: CVE-2009-0065 kernel: sctp: memory overflow when FWD-TSN chunk is received with bad stream ID
Product: [Other] Security Response Reporter: Eugene Teo (Security Response) <eteo>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: anton, bhu, dhoward, jpirko, lgoncalv, lwang, mjc, nhorman, qcai, rcvalle, redhat-bugzilla, vgoyal, williams
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-12-21 17:56:50 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 478802, 478803, 478804, 478805, 478959, 478960, 480861, 480862    
Bug Blocks:    
Attachments:
Description Flags
Upstream patch
none
Proposed realtime kernel patch none

Description Eugene Teo (Security Response) 2009-01-05 05:31:37 UTC 
From: Wei Yongjun <yjwei.com>

If FWD-TSN chunk is received with bad stream ID, the sctp will not do the validity check, this may cause memory overflow when overwrite the TSN of the stream ID.

The FORWARD-TSN chunk is like this:

FORWARD-TSN chunk
  Type                       = 192
  Flags                      = 0
  Length                     = 172
  NewTSN                     = 99
  Stream                     = 10000
  StreamSequence             = 0xFFFF

This patch fix this problem by discard the chunk if stream ID is not less than MIS.

Reference:
http://patchwork.ozlabs.org/patch/15024/

Upstream commit:
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=9fcb95a105758b81ef0131cd18e2db5149f13e95
Comment 1 Eugene Teo (Security Response) 2009-01-05 05:32:36 UTC 
Created attachment 328170 [details]
Upstream patch
Comment 3 Eugene Teo (Security Response) 2009-01-05 05:52:36 UTC 
I did a brief analysis. This bug can be triggered in the following code path:

sctp_do_sm -> call sctp_sf_eat_fwd_tsn* -> sctp_side_effects -> sctp_cmd_interpreter -> cmd->verb (i.e. SCTP_CMD_PROCESS_FWDTSN)

linux-2.6:net/sctp/sm_sideeffect.c:
1079 /* This is the side-effect interpreter.  */
1080 static int sctp_cmd_interpreter(sctp_event_t event_type,
1081                                 sctp_subtype_t subtype,
1082                                 sctp_state_t state,
1083                                 struct sctp_endpoint *ep,
1084                                 struct sctp_association *asoc,
1085                                 void *event_arg,
1086                                 sctp_disposition_t status,
1087                                 sctp_cmd_seq_t *commands,
1088                                 gfp_t gfp)
1089 {
[...]
1112         while (NULL != (cmd = sctp_next_cmd(commands))) {
1113                 switch (cmd->verb) {
[...]
1170                 case SCTP_CMD_PROCESS_FWDTSN:
1171                         sctp_cmd_process_fwdtsn(&asoc->ulpq, cmd->obj.ptr);

 823 /* Process variable FWDTSN chunk information. */
 824 static void sctp_cmd_process_fwdtsn(struct sctp_ulpq *ulpq,
 825                                     struct sctp_chunk *chunk)
 826 {   
 827         struct sctp_fwdtsn_skip *skip;
 828         /* Walk through all the skipped SSNs */
 829         sctp_walk_fwdtsn(skip, chunk) {
 830                 sctp_ulpq_skip(ulpq, ntohs(skip->stream), ntohs(skip->ssn));

linux-2.6:net/sctp/ulpqueue.c:
 936 /* Skip over an SSN. This is used during the processing of
 937  * Forwared TSN chunk to skip over the abandoned ordered data
 938  */
 939 void sctp_ulpq_skip(struct sctp_ulpq *ulpq, __u16 sid, __u16 ssn)
 940 {
 941         struct sctp_stream *in;
 942 
 943         /* Note: The stream ID must be verified before this routine.  */
 944         in  = &ulpq->asoc->ssnmap->in;
 945 
 946         /* Is this an old SSN?  If so ignore. */
 947         if (SSN_lt(ssn, sctp_ssn_peek(in, sid)))
 948                 return;
 949 
 950         /* Mark that we are no longer expecting this SSN or lower. */
 951         sctp_ssn_skip(in, sid, ssn);

linux-2.6:include/net/sctp/structs.h:
 514 /* Skip over this ssn and all below. */
 515 static inline void sctp_ssn_skip(struct sctp_stream *stream, __u16 id,
 516                                  __u16 ssn)
 517 {
 518         stream->ssn[id] = ssn+1;
Comment 4 Neil Horman 2009-01-05 12:08:25 UTC 
Ack on the patch, I remember us looking at it when Wei posted it to the lksctp list
Comment 5 Eugene Teo (Security Response) 2009-01-06 05:26:22 UTC 
Created attachment 328250 [details]
Proposed realtime kernel patch

Luis, kindly review.
Comment 9 Dan Harkless 2009-01-07 03:02:14 UTC 
Is it possible to exploit this vulnerability by sending a malformed SCTP packet to a machine that's not actively using SCTP?
Comment 10 Eugene Teo (Security Response) 2009-01-08 03:22:58 UTC 
(In reply to comment #9)
> Is it possible to exploit this vulnerability by sending a malformed SCTP packet
> to a machine that's not actively using SCTP?

No. It is only possible if there is an association between SCTP endpoints.

Thanks, Eugene
Comment 12 errata-xmlrpc 2009-03-12 14:41:14 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 4

Via RHSA-2009:0331 http://rhn.redhat.com/errata/RHSA-2009:0331.html
Comment 21 Eugene Teo (Security Response) 2009-04-30 01:04:24 UTC 
Update:
A buffer overflow was found in the Linux kernel Partial Reliable Stream Control Transmission Protocol (PR-SCTP) implementation. This could, potentially, lead to a remote denial of service or arbitrary code execution if a Forward-TSN chunk is received with a large stream ID. Note: an established connection between SCTP endpoints is necessary to exploit this vulnerability.

This issue has already been fixed in Red Hat Enterprise Linux 4, 5, and Red Hat Enterprise MRG, via the asynchronous security advisories RHSA-2009:0331, RHSA-2009:0264, and RHSA-2009:0053, respectively. Red Hat Enterprise Linux 2.1 and 3 are not affected. If the required updates are not installed, or if it is not possible to install at this time, the following workarounds can be used:

For users that run applications that use SCTP, the PR-SCTP extension is enabled in the kernel by default if the "sctp" loadable kernel module (LKM) is loaded. You can temporarily disable the PR-SCTP extension by running one of the following commands as the root user:

sysctl -w net.sctp.prsctp_enable=0

or

echo 0 > /proc/sys/net/sctp/prsctp_enable

To make permanent changes with these commands, refer to the following Knowledgebase article: http://kbase.redhat.com/faq/docs/DOC-9435

For users that do not run applications that use SCTP, you can prevent the "sctp" module from being loaded, by adding the following entry to the end of the "/etc/modprobe.d/blacklist" file:

blacklist sctp

This way, the "sctp" module cannot be loaded accidentally, which may occur if an application that requires SCTP is started. A reboot is not necessary for this change to take effect.
Comment 22 errata-xmlrpc 2009-05-20 01:10:14 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5.2 Z Stream

Via RHSA-2009:1055 https://rhn.redhat.com/errata/RHSA-2009-1055.html
Comment 25 Vincent Danen 2010-12-21 17:56:50 UTC 
This was addressed via:

MRG Realtime for RHEL 5 Server (RHSA-2009:0053)
Red Hat Enterprise Linux version 5 (RHSA-2009:0264)
Red Hat Enterprise Linux version 4 (RHSA-2009:0331)
Red Hat Enterprise Linux (v. 5.2.z server) (RHSA-2009:1055)