Bug 522331 (CVE-2009-2903)

Summary: CVE-2009-2903 kernel: appletalk: denial of service when handling IP tunnelled over DDP datagrams
Product: [Other] Security Response
Reporter: Eugene Teo (Security Response) <eteo>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: high
Priority: high
Version: unspecified
CC: acme, bhu, davej, davem, dhoward, jlieskov, kyle, lgoncalv, lwang, pmatouse, rcvalle, security-response-team, tcallawa, williams
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2012-03-28 08:10:39 UTC
Bug Depends On: 522344, 522345

Description Eugene Teo (Security Response) 2009-09-10 05:46:11 UTC
Reported by Mark Smith:
When the handle_ip_over_ddp() function checks for the "ipddp0" device and the device is not found, the function does not free the socket buffer structure (skb), leading to a memory leak. This only happens if you have the appletalk module loaded, but not the ipddp module, as this only happens when the "ipddp0" device does not exist.

For details see http://kbase.redhat.com/faq/docs/DOC-19077.

Analysis:
call path: ltalk_rcv -> atalk_rcv -> handle_ip_over_ddp

net/appletalk/ddp.c:
1382 /**
1383  *  atalk_rcv - Receive a packet (in skb) from device dev
1384  *  @skb - packet received
1385  *  @dev - network device where the packet comes from
1386  *  @pt - packet type
1387  *
1388  *  Receive a packet (in skb) from device dev. This has come from the SNAP
1389  *  decoder, and on entry skb->transport_header is the DDP header, skb->len
1390  *  is the DDP header, skb->len is the DDP length. The physical headers
1391  *  have been extracted. PPP should probably pass frames marked as for this
1392  *  layer.  [ie ARPHRD_ETHERTALK]
1393  */
1394 static int atalk_rcv(struct sk_buff *skb, struct net_device *dev,
1395              struct packet_type *pt, struct net_device *orig_dev)
1396 {
[...]
1456     /* if IP over DDP is not selected this code will be optimized out */
1457     if (is_ip_over_ddp(skb))
1458         return handle_ip_over_ddp(skb);

1267 static int handle_ip_over_ddp(struct sk_buff *skb)
1268 {
1269     struct net_device *dev = __dev_get_by_name(&init_net, "ipddp0");
1270     struct net_device_stats *stats;
1271 
1272     /* This needs to be able to handle ipddp"N" devices */
1273     if (!dev)
1274         return -ENODEV; <-- did not call kfree_skb(skb) when the ipddp
                                 module is not loaded, and thus the device does
                                 not exist.

Also in linux-2.4.37.y:
   1360 /*
   1361  * Receive a packet (in skb) from device dev. This has come from the SNAP
   1362  * decoder, and on entry skb->h.raw is the DDP header, skb->len is the DDP
   1363  * header, skb->len is the DDP length. The physical headers have been
   1364  * extracted. PPP should probably pass frames marked as for this layer.
   1365  * [ie ARPHRD_ETHERTALK]
   1366  */
   1367 static int atalk_rcv(struct sk_buff *skb, struct net_device *dev,
   1368                         struct packet_type *pt)
   1369 {
[...]
   1496 #if defined(CONFIG_IPDDP) || defined(CONFIG_IPDDP_MODULE)
   1497         /* Check if IP-over-DDP */
   1498         if (skb->data[12] == 22) {
   1499                 struct net_device *dev = __dev_get_by_name("ipddp0");
   1500                 struct net_device_stats *stats;
   1501 
   1502                 /* This needs to be able to handle ipddp"N" devices */
   1503                 if (!dev)
   1504                         return -ENODEV; <-- did not call kfree_skb too
[...]
   1536 freeit: kfree_skb(skb);
   1537 out:    return 0;
   1538 }

The patch also improved the aarp_send_ddp() function so that it handles failures and frees the skb properly, rather than depending on the caller to do so.
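As an added illustration of the bug pattern described above (this is not code from the kernel, the upstream fix, or this bug report): a userspace C model of the receive path. struct sk_buff, alloc_skb_model(), kfree_skb_model() and ipddp0_present are stand-ins for the kernel's sk_buff API and for __dev_get_by_name("ipddp0"); the fixed-size pool is an assumption that makes allocator exhaustion visible. The vulnerable handler returns -ENODEV without freeing the buffer, exactly the shape of the two excerpts quoted above; the fixed handler releases the skb on every exit path. Feeding constructed IP-over-DDP datagrams through both, with no ipddp0 device present, shows the leak growing until allocation fails, which is the denial of service.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not kernel code: a userspace model of the CVE-2009-2903 pattern. */
#define ENODEV_MODEL 19      /* numeric value of ENODEV on Linux */
#define SKB_POOL 64          /* assumed small pool: exhaustion stands in for the DoS */
#define DDP_TYPE_OFFSET 12   /* the 2.4 check quoted above: skb->data[12] == 22 */
#define DDP_TYPE_IP 22

struct sk_buff {             /* stand-in for the kernel's struct sk_buff */
    unsigned char data[16];
    unsigned int len;
};

static struct sk_buff skb_pool[SKB_POOL];
static int skb_in_use[SKB_POOL];
static int ipddp0_present = 0;   /* stand-in for __dev_get_by_name("ipddp0") != NULL */

static struct sk_buff *alloc_skb_model(const unsigned char *frame, unsigned int len)
{
    for (int i = 0; i < SKB_POOL; i++) {
        if (skb_in_use[i])
            continue;
        skb_in_use[i] = 1;
        if (len > sizeof skb_pool[i].data)
            len = sizeof skb_pool[i].data;
        memcpy(skb_pool[i].data, frame, len);
        skb_pool[i].len = len;
        return &skb_pool[i];
    }
    return NULL;   /* pool exhausted: the allocator can no longer serve receives */
}

static void kfree_skb_model(struct sk_buff *skb)
{
    if (skb)
        skb_in_use[skb - skb_pool] = 0;
}

static int is_ip_over_ddp(const struct sk_buff *skb)
{
    return skb->len > DDP_TYPE_OFFSET && skb->data[DDP_TYPE_OFFSET] == DDP_TYPE_IP;
}

/* Vulnerable shape: the missing-device path returns without freeing the skb. */
static int handle_ip_over_ddp_vulnerable(struct sk_buff *skb)
{
    if (!ipddp0_present)
        return -ENODEV_MODEL;        /* skb is still allocated here: the leak */
    kfree_skb_model(skb);            /* stands in for handing the skb up to IP */
    return 0;
}

/* Fixed shape: every exit path that consumes the skb releases it. */
static int handle_ip_over_ddp_fixed(struct sk_buff *skb)
{
    if (!ipddp0_present) {
        kfree_skb_model(skb);
        return -ENODEV_MODEL;
    }
    kfree_skb_model(skb);
    return 0;
}

/* Model of atalk_rcv(): IP-over-DDP goes to the handler, everything else is freed here. */
static int atalk_rcv_model(struct sk_buff *skb, int (*handler)(struct sk_buff *))
{
    if (is_ip_over_ddp(skb))
        return handler(skb);
    kfree_skb_model(skb);
    return 0;
}

/* Reset the pool, deliver n constructed IP-over-DDP datagrams with no ipddp0 device,
 * and report how many buffers were left unfreed and how many receives got no buffer. */
static void flood_without_ipddp0(long n, int (*handler)(struct sk_buff *),
                                 long *leaked, long *alloc_failures)
{
    unsigned char frame[16] = {0};
    frame[DDP_TYPE_OFFSET] = DDP_TYPE_IP;   /* constructed datagram marked IP-over-DDP */
    memset(skb_in_use, 0, sizeof skb_in_use);
    ipddp0_present = 0;
    *alloc_failures = 0;
    for (long i = 0; i < n; i++) {
        struct sk_buff *skb = alloc_skb_model(frame, sizeof frame);
        if (!skb) { (*alloc_failures)++; continue; }
        atalk_rcv_model(skb, handler);
    }
    *leaked = 0;
    for (int i = 0; i < SKB_POOL; i++)
        *leaked += skb_in_use[i];
}

static long leaked_after(long n, int (*handler)(struct sk_buff *))
{
    long leaked, failures;
    flood_without_ipddp0(n, handler, &leaked, &failures);
    return leaked;
}

static long alloc_failures_after(long n, int (*handler)(struct sk_buff *))
{
    long leaked, failures;
    flood_without_ipddp0(n, handler, &leaked, &failures);
    return failures;
}

int main(void)
{
    printf("vulnerable: %ld leaked, %ld receives starved after 100 datagrams\n",
           leaked_after(100, handle_ip_over_ddp_vulnerable),
           alloc_failures_after(100, handle_ip_over_ddp_vulnerable));
    printf("fixed:      %ld leaked, %ld receives starved after 100 datagrams\n",
           leaked_after(100, handle_ip_over_ddp_fixed),
           alloc_failures_after(100, handle_ip_over_ddp_fixed));
    return 0;
}
```

With the vulnerable handler every datagram consumes a buffer that is never returned, so once the pool is gone every further receive fails; with the fixed handler the pool stays full no matter how many datagrams arrive. The same ownership rule applies to the real code: a receive handler that takes an skb must either pass it on or kfree_skb() it on every return path, including error returns.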

Comment 3 Eugene Teo (Security Response) 2009-09-10 06:16:52 UTC
This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 4 and 5, as the affected driver is not enabled in these kernels. The affected driver is available in Red Hat Enterprise MRG. It is also available in Red Hat Enterprise Linux 3, but only if the kernel-unsupported package is installed. Future kernel updates in Red Hat Enterprise Linux 3 and Red Hat Enterprise MRG may address this issue.

Before updates are applied, it is possible to reduce the risk and mitigate this flaw by:

* ensuring that both the appletalk and the ipddp modules are loaded, and remain loaded. The "ipddp0" device is automatically created by the ipddp module, causing the packets to be forwarded onto the IP protocol handling code, and thus avoiding the vulnerability as it only happens when this device does not exist.

or

* disabling the appletalk module, and ensuring that it cannot be loaded.

The steps outlined below will not work if the module is already loaded. If the module is loaded and cannot be removed, for example, via "modprobe -r", a reboot will be required before the change takes effect.

The "install" command is used to direct the system to run the "/bin/true" command instead of inserting the module if it is called.

Red Hat Enterprise Linux 3
Add the following entry to the end of the /etc/modules.conf file:
install appletalk /bin/true

Note: The kernel-unsupported package provides the appletalk module. This module is not available if you do not have kernel-unsupported installed.

Red Hat Enterprise MRG
Add the following entry to the end of the /etc/modprobe.conf file: 
install appletalk /bin/true

Updated: Sept 17th, 2009

Comment 6 Eugene Teo (Security Response) 2009-09-14 00:38:03 UTC
Upstream commit:
http://git.kernel.org/linus/ffcfb8db540ff879c2a85bf7e404954281443414

CVE request:
http://article.gmane.org/gmane.comp.security.oss.general/2100

Note, the next kernel update for Red Hat Enterprise MRG will not have support for the AppleTalk protocol. See bug 522503.

Comment 11 Fedora Update System 2009-10-02 11:00:15 UTC
kernel-2.6.27.35-170.2.94.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/kernel-2.6.27.35-170.2.94.fc10

Comment 12 Fedora Update System 2009-10-03 18:55:53 UTC
kernel-2.6.27.35-170.2.94.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 13 Fedora Update System 2009-10-18 01:57:21 UTC
kernel-2.6.30.9-90.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/kernel-2.6.30.9-90.fc11

Comment 14 Fedora Update System 2009-10-27 06:47:25 UTC
kernel-2.6.30.9-90.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.