Bug 404291 (CVE-2007-6282) - CVE-2007-6282 IPSec ESP kernel panics
Summary: CVE-2007-6282 IPSec ESP kernel panics
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2007-6282
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
urgent
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact: Martin Jenner
URL:
Whiteboard:
Depends On: 427245 427246 427247 427248 453136
Blocks:
Reported: 2007-11-29 11:50 UTC by Dirk Nehring
Modified: 2019-09-29 12:22 UTC (History)
15 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-10-11 19:17:48 UTC
Embargoed:


Attachments
Example panic from a VM (happens also with physical machines!!!) (8.79 KB, text/plain) - 2007-11-29 11:50 UTC, Dirk Nehring
patch as merged upstream (1.44 KB, patch) - 2008-03-27 23:22 UTC, Thomas Graf


Links
System                  ID              Private  Priority  Status        Summary                                        Last Updated
Red Hat Product Errata  RHSA-2008:0237  0        normal    SHIPPED_LIVE  Important: kernel security and bug fix update  2008-05-07 07:28:59 UTC
Red Hat Product Errata  RHSA-2008:0275  0        normal    SHIPPED_LIVE  Important: kernel security and bug fix update  2008-05-20 09:58:29 UTC
Red Hat Product Errata  RHSA-2008:0585  0        normal    SHIPPED_LIVE  Important: kernel security and bug fix update  2008-08-26 19:56:57 UTC

Description Dirk Nehring 2007-11-29 11:50:06 UTC
Description of problem:
We found out that various kernel versions (2.6.18-xxx) crash with IPSec.
This situation occurs with special clients (netscreen firewall, Cisco PIX) and
can be reproduced on various platforms. We have an example stacktrace here.

The bug is located in the kernel, not in the tools. We exchanged the
ipsec-tools, no change.

Version-Release number of selected component (if applicable):
2.6.18-x (all versions)

How reproducible:
Very difficult, since it only occurs after some time (30min - 3 days) and only 
with netscreen firewalls or Cisco PIX.

Steps to Reproduce:
1. Use ipsec-tools and configure tunnels
2. wait...
3.
  
Actual results:


Expected results:


Additional info:

I also have a compressed crashdump if anyone needs it (18 MB compressed...)

Comment 1 Dirk Nehring 2007-11-29 11:50:06 UTC
Created attachment 272881 [details]
Example panic from a VM (happens also with physical machines!!!)

Comment 3 Dirk Nehring 2007-12-14 19:48:49 UTC
It turns out that this bug is a crasher FOR ALL 2.6.x kernels, including all
RHEL, Fedora, and pristine kernels! Herbert was informed via security
about this bug; it is a fragmentation problem (if the ESP header is fragmented
before the IV ends, BUG() is called).

Here is the fix:

diff --git a/net/ipv4/esp4.c b/net/ipv4/esp4.c
index 1738113..0f307f1 100644
--- a/net/ipv4/esp4.c
+++ b/net/ipv4/esp4.c
@@ -165,7 +165,7 @@ static int esp_input(struct xfrm_state *x, struct sk_buff *skb)
        int padlen;
        int err;

-       if (!pskb_may_pull(skb, sizeof(*esph)))
+       if (!pskb_may_pull(skb, sizeof(*esph) + esp->conf.ivlen))
                goto out;

        if (elen <= 0 || (elen & (blksize-1)))
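Review bot: the enlarged pull length `sizeof(*esph) + esp->conf.ivlen` is the right place to fix this, since the IV is read straight from skb->data right after the fixed header and the old check only guaranteed the 8-byte header was linear, but the failure path in this hunk still just does `goto out` with `err` declared uninitialized two lines above (`int err;`), whereas the esp6 hunk sets `ret = -EINVAL` explicitly; confirm that esp4's `out:` label returns a fixed error code rather than `err`. Also note that `elen` on the trailing context line is computed before this check runs, so that computation must not itself dereference anything beyond the fixed header. Finally, `esp->conf.ivlen` is the pre-AEAD field: as comment 8 on this bug says, the patch stopped applying once the aead interface changed how the ivsize is accessed, so a version for such kernels has to obtain the IV length through that interface instead.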
diff --git a/net/ipv6/esp6.c b/net/ipv6/esp6.c
index 4440532..d993fa0 100644
--- a/net/ipv6/esp6.c
+++ b/net/ipv6/esp6.c
@@ -155,7 +155,7 @@ static int esp6_input(struct xfrm_state *x, struct sk_buff *skb)
        int nfrags;
        int ret = 0;

-       if (!pskb_may_pull(skb, sizeof(*esph))) {
+       if (!pskb_may_pull(skb, sizeof(*esph) + esp->conf.ivlen)) {
                ret = -EINVAL;
                goto out;
        }
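Review bot: this esp6 hunk mirrors the esp4 change and does set `ret = -EINVAL` before `goto out`, so the rejection is explicit here; the remaining concern is the same as in esp4: `esp->conf.ivlen` belongs to the old ESP data layout and will not apply on kernels using the aead interface (comment 8), and since the rest of the packet is still handled as fragments (`nfrags` is declared in the context above), every later access beyond header plus IV must keep going through the fragment-aware path rather than assuming more linear data than this pull guarantees.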

My colleague Andreas Ferber is currently writing a CVE, CVE-2007-6282.
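To make the mechanism described in this comment concrete, here is an added toy model in C (example code written for this page; it is not kernel code and not the attached patch). It models an sk_buff whose linear area ends inside the IV, and compares the unpatched shape of the check (pull only the fixed header, then read the IV) with the patched shape (pull header plus IV first). `toy_skb`, `toy_pskb_may_pull`, `read_iv`, `run_case` and the sample packet are all constructed here; the real `pskb_may_pull()`, `struct ip_esp_hdr` and the esp_input() flow are only approximated, and a read past the linear area is reported as a return code instead of the BUG() the real kernel hit.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of an sk_buff: only the first linear_len bytes of the
 * packet are directly addressable at data; the rest live in page fragments
 * (skb_headlen() vs skb->len in the real kernel). */
struct toy_skb {
    const uint8_t *data;
    size_t len;        /* total packet length, like skb->len */
    size_t linear_len; /* directly addressable bytes, like skb_headlen(skb) */
};

/* Fixed ESP header: SPI and sequence number (8 bytes, like struct ip_esp_hdr). */
struct toy_esp_hdr {
    uint32_t spi;
    uint32_t seq_no;
};

enum {
    ESP_OK        =  0,
    ESP_EINVAL    = -22, /* packet rejected, as with -EINVAL in esp6_input */
    ESP_WOULD_BUG = -1,  /* read past the linear area: BUG() in the unpatched kernel */
    ESP_BAD_IV    = -2   /* IV copied but does not match the packet */
};

/* Model of pskb_may_pull(): fails if n bytes do not exist at all,
 * otherwise makes the first n bytes linear. */
static int toy_pskb_may_pull(struct toy_skb *skb, size_t n)
{
    if (n > skb->len)
        return 0;
    if (n > skb->linear_len)
        skb->linear_len = n;
    return 1;
}

/* Copy the IV that follows the fixed header. Instead of crashing, report
 * when the copy would touch bytes outside the linear area. */
static int read_iv(const struct toy_skb *skb, size_t ivlen, uint8_t *iv_out)
{
    size_t end = sizeof(struct toy_esp_hdr) + ivlen;

    if (end > skb->linear_len)
        return ESP_WOULD_BUG;
    memcpy(iv_out, skb->data + sizeof(struct toy_esp_hdr), ivlen);
    return ESP_OK;
}

/* Unpatched shape: only the fixed header is guaranteed linear before the IV is read. */
static int esp_input_unpatched(struct toy_skb *skb, size_t ivlen, uint8_t *iv_out)
{
    if (!toy_pskb_may_pull(skb, sizeof(struct toy_esp_hdr)))
        return ESP_EINVAL;
    return read_iv(skb, ivlen, iv_out);
}

/* Patched shape: header and IV are pulled together, so a packet whose fragment
 * boundary falls inside the IV is linearised first, and a packet too short to
 * hold the IV is rejected instead of being read past its end. */
static int esp_input_patched(struct toy_skb *skb, size_t ivlen, uint8_t *iv_out)
{
    if (!toy_pskb_may_pull(skb, sizeof(struct toy_esp_hdr) + ivlen))
        return ESP_EINVAL;
    return read_iv(skb, ivlen, iv_out);
}

#define IVLEN 16 /* e.g. AES-CBC */

/* Constructed sample ESP packet: 8-byte header, 16-byte IV, 16 bytes of
 * ciphertext, 12-byte ICV = 52 bytes. Contents are arbitrary; the tail is zero. */
static const uint8_t sample_pkt[52] = {
    0x00, 0x00, 0x10, 0x01,  0x00, 0x00, 0x00, 0x2a, /* SPI, sequence number */
    0x10, 0x11, 0x12, 0x13,  0x14, 0x15, 0x16, 0x17, /* IV */
    0x18, 0x19, 0x1a, 0x1b,  0x1c, 0x1d, 0x1e, 0x1f,
};

/* Run one scenario: a view of sample_pkt with total length len, of which the
 * first linear_len bytes are linear. Returns the ESP_* result. */
static int run_case(size_t len, size_t linear_len, int patched)
{
    struct toy_skb skb = { sample_pkt, len, linear_len };
    uint8_t iv[IVLEN] = { 0 };
    int rc = patched ? esp_input_patched(&skb, IVLEN, iv)
                     : esp_input_unpatched(&skb, IVLEN, iv);

    if (rc == ESP_OK && memcmp(iv, sample_pkt + sizeof(struct toy_esp_hdr), IVLEN) != 0)
        return ESP_BAD_IV;
    return rc;
}

int main(void)
{
    /* Fragment boundary at byte 12: header is linear, IV is split. */
    printf("split IV,   unpatched: %d\n", run_case(52, 12, 0)); /* -1: would BUG() */
    printf("split IV,   patched:   %d\n", run_case(52, 12, 1)); /*  0: IV pulled and read */
    /* Truncated packet: only 12 bytes on the wire. */
    printf("truncated,  unpatched: %d\n", run_case(12, 12, 0)); /* -1: would BUG() */
    printf("truncated,  patched:   %d\n", run_case(12, 12, 1)); /* -22: rejected */
    printf("all linear, unpatched: %d\n", run_case(52, 52, 0)); /*  0 */
    return 0;
}
```

The two scenarios worth watching are the split IV (a valid packet whose fragment boundary falls after the 8-byte header) and the truncated packet (fewer bytes than header plus IV): the old check passes both, and the IV read then walks off the linear area; the new check linearises the first and rejects the second.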



Comment 6 Dirk Nehring 2008-03-26 20:34:01 UTC
Hi,

any updates on this issue? Without this patch, every 2.6 kernel can crash with 
only one fragmented packet.

Dirk

Comment 8 Thomas Graf 2008-03-27 23:21:19 UTC
Hi Dirk,

Sorry for the delay and thanks for the ping. I've just posted an updated patch
to netdev again a few minutes ago and davem already merged it. It seems that the
original patch posted earlier did not apply as the new aead interface changed
how the ivsize is accessed. Somehow updating the patch to use the new interface
got lost in the cracks.

Muchas gracias again.

Comment 9 Thomas Graf 2008-03-27 23:22:31 UTC
Created attachment 299408 [details]
patch as merged upstream

Comment 13 Paul Wouters 2008-05-27 18:52:15 UTC
I am hearing a report that this patch breaks ESP when used with openswan.

Comment 14 Paul Wouters 2008-05-27 20:06:44 UTC
It seems the report was made on a kernel < 2.6.18-92.el5. This version
reportedly works fine.

Comment 15 Yan Li 2008-05-29 13:17:34 UTC
(In reply to comment #13)
> I am hearing a report that this patch breaks ESP when used with openswan.

This may be true here. After upgrading to 2.6.18-53.1.21.el5, the AT&T Global
Network Client (mtsconnect - version 0.4 2004/08/24) broke on my machine. It
uses IPsec to set up a VPN to connect to the corporate intranet.

I had to roll back to 2.6.18-53.1.19.el5 for this. Hope this can be fixed. If
there's anything I can help with (testing or patch shooting, etc.) please let me know.
Thanks!

Comment 16 Dirk Nehring 2008-05-29 13:36:27 UTC
Same for us: we switched yesterday to the new version and our racoon IPsec
tunnels break! Currently we switched from .21 to .19, which works flawlessly.

Comment 17 Tomas Hoger 2008-06-09 13:32:07 UTC
Regression for Red Hat Enterprise Linux 5 was resolved in the RHEL 5.2 kernel
packages kernel-2.6.18-92.el5 and later.

Comment 19 Dirk Nehring 2008-06-27 15:21:59 UTC
I can confirm that 2.6.18-92.el5 works.

