Bug 404291 - CVE-2007-6282 IPSec ESP kernel panics
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: urgent
Assigned To: Red Hat Product Security
QA Contact: Martin Jenner
Whiteboard: impact=important,public=20080222,repo...
Keywords: Security
Depends On: 427245 427246 427247 427248 453136
 
Reported: 2007-11-29 06:50 EST by Dirk Nehring
Modified: 2010-10-11 15:17 EDT (History)

Doc Type: Bug Fix
Last Closed: 2010-10-11 15:17:48 EDT

Attachments
Example panic from a VM (happens also with physical machines!!!) (8.79 KB, text/plain)
2007-11-29 06:50 EST, Dirk Nehring
patch as merged upstream (1.44 KB, patch)
2008-03-27 19:22 EDT, Thomas Graf

Description Dirk Nehring 2007-11-29 06:50:06 EST
Description of problem:
We found out that various kernel versions (2.6.18-xxx) crash with IPsec.
This happens with particular clients (NetScreen firewall, Cisco PIX) and
can be reproduced on various platforms. We have an example stack trace here.

The bug is located in the kernel, not in the tools: we swapped the ipsec-tools,
no change.

Version-Release number of selected component (if applicable):
2.6.18-x (all versions)

How reproducible:
Very difficult, since it only occurs after some time (30 min - 3 days) and only
with NetScreen firewalls or Cisco PIX.

Steps to Reproduce:
1. Using ipsec-tools and configure tunnels
2. wait...
Additional info:

I also have a compressed crash dump if anyone needs it (18 MB compressed...).
Comment 1 Dirk Nehring 2007-11-29 06:50:06 EST
Created attachment 272881
Example panic from a VM (happens also with physical machines!!!)
Comment 3 Dirk Nehring 2007-12-14 14:48:49 EST
It turns out that this bug is a crasher FOR ALL 2.6.x kernels, including all
RHEL, Fedora, and pristine kernels! Herbert was informed via security@kernel.org
about this bug; it is a fragmentation problem (if the ESP header is fragmented
before the IV ends, BUG() is called).

Here is the fix:

diff --git a/net/ipv4/esp4.c b/net/ipv4/esp4.c
index 1738113..0f307f1 100644
--- a/net/ipv4/esp4.c
+++ b/net/ipv4/esp4.c
@@ -165,7 +165,7 @@ static int esp_input(struct xfrm_state *x, struct sk_buff *skb)
        int padlen;
        int err;

-       if (!pskb_may_pull(skb, sizeof(*esph)))
+       if (!pskb_may_pull(skb, sizeof(*esph) + esp->conf.ivlen))
                goto out;

        if (elen <= 0 || (elen & (blksize-1)))
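Review bot: the enlarged pull on the changed line is the only guard for the later linear read of the IV; the `elen` check on the context line just below it is computed from the packet's total length and says nothing about how much of the packet is linear, so it must not be mistaken for a substitute. Two follow-ups for this hunk: `esp->conf.ivlen` is dereferenced in the pull argument before the packet has been validated at all, which is fine only because it comes from the xfrm state rather than the packet, and comment 8 notes that trees converted to the aead interface no longer expose the IV size through this field, so the hunk as written will not apply there and needs the interface's own accessor.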
diff --git a/net/ipv6/esp6.c b/net/ipv6/esp6.c
index 4440532..d993fa0 100644
--- a/net/ipv6/esp6.c
+++ b/net/ipv6/esp6.c
@@ -155,7 +155,7 @@ static int esp6_input(struct xfrm_state *x, struct sk_buff *skb)
        int nfrags;
        int ret = 0;

-       if (!pskb_may_pull(skb, sizeof(*esph))) {
+       if (!pskb_may_pull(skb, sizeof(*esph) + esp->conf.ivlen)) {
                ret = -EINVAL;
                goto out;
        }
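Review bot: this hunk sets `ret = -EINVAL` before `goto out` on a short pull, whereas the IPv4 hunk above jumps to `out` without assigning the uninitialized `int err` declared a few lines earlier; confirm that the IPv4 `out` label returns a fixed error rather than `err`, and otherwise make the two paths consistent by assigning the error explicitly in esp4.c as well.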

My colleague Andreas Ferber is currently writing a CVE, CVE-2007-6282.

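The failure described in comment 3 is that the pre-patch input path only pulls sizeof(*esph) into the linear area and then reads the IV from esph->enc_data as if it were linear too. The program below is a user-space model added here to illustrate that difference; it is not kernel code and not part of this bug report. The toy_skb structure, toy_may_pull(), linear_read(), run_case() and the 44-byte sample packet are all constructed for the example (an 8-byte IV, 8-byte cipher block and 12-byte ICV are assumed), and the out-of-linear-area read that the real kernel turns into BUG() is reported as a return code instead of a crash.

```c
#include <stdio.h>
#include <string.h>

#define ESP_HDR_LEN 8   /* SPI (4 bytes) + sequence number (4 bytes) */
#define IVLEN       8   /* assumed: 8-byte CBC IV */
#define ICV_LEN     12  /* assumed: 96-bit truncated ICV */
#define BLKSIZE     8   /* assumed cipher block size */

enum { ESP_OK = 0, ESP_EINVAL = -22, ESP_BUG = -99 };

/* Toy stand-in for an sk_buff (constructed model): only the first linear_len
 * bytes of data[] are directly addressable; the rest of the packet sits in a
 * "fragment" and becomes addressable only after a pull. */
struct toy_skb {
    unsigned char data[256];
    const unsigned char *frag;
    size_t linear_len;
    size_t frag_len;
};

static size_t toy_len(const struct toy_skb *s) { return s->linear_len + s->frag_len; }

/* Model of pskb_may_pull(): 1 if len bytes exist in the packet, linearising
 * from the fragment as needed; 0 if the packet is shorter than len. */
static int toy_may_pull(struct toy_skb *s, size_t len)
{
    if (len > toy_len(s))
        return 0;
    if (len > s->linear_len) {
        size_t need = len - s->linear_len;
        memcpy(s->data + s->linear_len, s->frag, need);
        s->frag += need;
        s->frag_len -= need;
        s->linear_len = len;
    }
    return 1;
}

/* Direct read of the linear area, as esph->enc_data is used when the IV is
 * handed to the cipher. Reading past linear_len is the non-linear access the
 * real code turns into BUG(); here it yields ESP_BUG instead of crashing. */
static int linear_read(const struct toy_skb *s, size_t off, unsigned char *out, size_t n)
{
    if (off + n > s->linear_len)
        return ESP_BUG;
    memcpy(out, s->data + off, n);
    return ESP_OK;
}

/* Input path up to the IV read. pull_iv == 0 models the pre-patch pull of
 * sizeof(*esph) only; pull_iv == 1 models the patched sizeof(*esph) + ivlen. */
static int toy_esp_input(struct toy_skb *s, int pull_iv, unsigned char iv[IVLEN])
{
    /* elen comes from the total length, as in the kernel, so it cannot tell
     * whether the IV bytes are linear. */
    long elen = (long)toy_len(s) - ESP_HDR_LEN - IVLEN - ICV_LEN;
    size_t pull = ESP_HDR_LEN + (pull_iv ? IVLEN : 0);

    if (!toy_may_pull(s, pull))
        return ESP_EINVAL;
    if (elen <= 0 || (elen & (BLKSIZE - 1)))
        return ESP_EINVAL;
    return linear_read(s, ESP_HDR_LEN, iv, IVLEN);
}

/* Constructed 44-byte ESP packet: SPI, seq, IV "IVIVIVIV", 16 bytes of
 * ciphertext (two blocks) and a 12-byte ICV. */
static size_t build_sample(unsigned char *pkt)
{
    static const unsigned char spi_seq[ESP_HDR_LEN] = {0, 0, 0x10, 0x01, 0, 0, 0, 1};
    size_t n = 0;
    memcpy(pkt + n, spi_seq, ESP_HDR_LEN); n += ESP_HDR_LEN;
    memcpy(pkt + n, "IVIVIVIV", IVLEN);   n += IVLEN;
    memset(pkt + n, 0xAA, 16);            n += 16;
    memset(pkt + n, 0xCC, ICV_LEN);       n += ICV_LEN;
    return n;
}

/* Run one case over the first pkt_len bytes of the sample packet, with the
 * first `split` bytes linear and the rest in the fragment. Returns the
 * ESP_* code; iv_out receives the IV when the read succeeds. */
int run_case(int pull_iv, size_t pkt_len, size_t split, unsigned char *iv_out)
{
    unsigned char pkt[64];
    struct toy_skb s;
    size_t full = build_sample(pkt);

    if (pkt_len > full) pkt_len = full;
    if (split > pkt_len) split = pkt_len;
    memset(&s, 0, sizeof s);
    memcpy(s.data, pkt, split);
    s.linear_len = split;
    s.frag = pkt + split;
    s.frag_len = pkt_len - split;
    return toy_esp_input(&s, pull_iv, iv_out);
}

int main(void)
{
    unsigned char iv[IVLEN];
    /* Linear area ends exactly after the ESP header, IV lives in the fragment. */
    printf("pre-patch, IV fragmented: %d (ESP_BUG = %d)\n", run_case(0, 44, ESP_HDR_LEN, iv), ESP_BUG);
    printf("patched,   IV fragmented: %d (ESP_OK = %d)\n", run_case(1, 44, ESP_HDR_LEN, iv), ESP_OK);
    printf("patched,   truncated:     %d (ESP_EINVAL = %d)\n", run_case(1, 12, ESP_HDR_LEN, iv), ESP_EINVAL);
    return 0;
}
```

The split point is what matters: with the same packet linearised to 16 bytes the pre-patch path also succeeds, which is why the crash depended on how the receiving stack happened to fragment the buffer rather than on the packet contents alone.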
Comment 6 Dirk Nehring 2008-03-26 16:34:01 EDT
Hi,

any updates on this issue? Without this patch, every 2.6 kernel can crash with 
only one fragmented packet.

Dirk
Comment 8 Thomas Graf 2008-03-27 19:21:19 EDT
Hi Dirk,

Sorry for the delay and thanks for the ping. I've just posted an updated patch
to netdev again a few minutes ago and davem already merged it. It seems that the
original patch posted earlier did not apply as the new aead interface changed
how the ivsize is accessed. Somehow updating the patch to use the new interface
got lost in the cracks.

Many thanks again.
Comment 9 Thomas Graf 2008-03-27 19:22:31 EDT
Created attachment 299408
patch as merged upstream
Comment 13 Paul Wouters 2008-05-27 14:52:15 EDT
I am hearing a report that this patch breaks ESP when used with openswan.
Comment 14 Paul Wouters 2008-05-27 16:06:44 EDT
It seems the report was made on a kernel < 2.6.18-92.el5. This version
reportedly works fine.
Comment 15 Yan Li 2008-05-29 09:17:34 EDT
(In reply to comment #13)
> I am hearing a report that this patch breaks ESP when used with openswan.

This may be true here. After upgrading to 2.6.18-53.1.21.el5, the AT&T Global
Network Client (mtsconnect - version 0.4 2004/08/24) broke on my machine. It
uses IPsec to set up a VPN to connect to the corporate intranet.

I've had to roll back to 2.6.18-53.1.19.el5 for this. Hope this can be fixed. If
there's anything I can help with (testing or patch shooting, etc.) please let me know.
Thanks!
Comment 16 Dirk Nehring 2008-05-29 09:36:27 EDT
Same for us: we switched yesterday to the new version and our racoon IPsec
tunnels break! For now we have switched back from .21 to .19, which works flawlessly.
Comment 17 Tomas Hoger 2008-06-09 09:32:07 EDT
Regression for Red Hat Enterprise Linux 5 was resolved in the RHEL 5.2 kernel
packages kernel-2.6.18-92.el5 and later.
Comment 19 Dirk Nehring 2008-06-27 11:21:59 EDT
I can confirm that 2.6.18-92.el5 works.
