Bug 464514 - (CVE-2008-4113) CVE-2008-4113 kernel: sctp_getsockopt_hmac_ident information disclosure
CVE-2008-4113 kernel: sctp_getsockopt_hmac_ident information disclosure
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
high Severity high
: ---
: ---
Assigned To: Red Hat Product Security
impact=important,source=netdev,report...
: Security
Depends On: 464515
Blocks:
  Show dependency treegraph
 
Reported: 2008-09-29 10:24 EDT by Eugene Teo (Security Response)
Modified: 2010-12-21 12:43 EST (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-12-21 12:43:58 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Reproducer (2.35 KB, text/plain)
2008-12-29 21:20 EST, Eugene Teo (Security Response)
no flags Details

  None (edit)
Description Eugene Teo (Security Response) 2008-09-29 10:24:13 EDT
Description of problem:
From source code file: net/sctp/socket.c

[...]
SCTP_STATIC int sctp_getsockopt(struct sock *sk, int level, int optname,
				char __user *optval, int __user *optlen)
{
	int retval = 0;
	int len;
[...]
	if (get_user(len, optlen))  <-- [1]
		return -EFAULT;
[...]
	case SCTP_HMAC_IDENT:
		retval = sctp_getsockopt_hmac_ident(sk, len, optval, optlen);  <-- [2]
		break;
[...]

[1] The user controlled value of "optlen" is copied into "len"
[2] "len" is used as a parameter for the function 
    "sctp_getsockopt_hmac_ident()"

{...]
static int sctp_getsockopt_hmac_ident(struct sock *sk, int len,
				    char __user *optval, int __user *optlen)
{
	struct sctp_hmac_algo_param *hmacs;
	__u16 param_len;

	hmacs = sctp_sk(sk)->ep->auth_hmacs_list;  <-- [3]
	param_len = ntohs(hmacs->param_hdr.length); <-- [4]

	if (len < param_len)  <-- [5]
		return -EINVAL;
	if (put_user(len, optlen))
		return -EFAULT;
	if (copy_to_user(optval, hmacs->hmac_ids, len))  <-- [6]
		return -EFAULT;

	return 0;
}
[...]

If SCTP authentication is enabled (net.sctp.auth_enable=1):

[3] "hmacs" gets a valid value
[4] "param_len" gets a valid value
[5] The length check can be easily passed as "len" is user controlled
[6] "len" is a user controlled value, therefore it is possible to control 
    the number of bytes that get copied back to the user

As "len" isn't validated at all an unprivileged user can read arbitrary 
data from memory.

References:
http://trapkit.de/advisories/TKADV2008-007.txt
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4113
Comment 3 Eugene Teo (Security Response) 2008-12-29 21:20:01 EST
Created attachment 327941 [details]
Reproducer
Comment 4 Vincent Danen 2010-12-21 12:43:58 EST
This was addressed via:

MRG Realtime for RHEL 5 Server (RHSA-2008:0857)

Note You need to log in before you can comment on or make changes to this bug.