Bug 464514 (CVE-2008-4113) - CVE-2008-4113 kernel: sctp_getsockopt_hmac_ident information disclosure
Summary: CVE-2008-4113 kernel: sctp_getsockopt_hmac_ident information disclosure
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2008-4113
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 464515
Blocks:
Reported: 2008-09-29 14:24 UTC by Eugene Teo (Security Response)
Modified: 2021-11-12 19:52 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-12-21 17:43:58 UTC
Embargoed:


Attachments
Reproducer (2.35 KB, text/plain), 2008-12-30 02:20 UTC, Eugene Teo (Security Response)


Links
Red Hat Product Errata RHSA-2008:0857: Important: kernel security and bug fix update (status: SHIPPED_LIVE, priority: normal, last updated 2008-10-07 19:18:59 UTC)

Description Eugene Teo (Security Response) 2008-09-29 14:24:13 UTC
Description of problem:
From source code file: net/sctp/socket.c

[...]
SCTP_STATIC int sctp_getsockopt(struct sock *sk, int level, int optname,
				char __user *optval, int __user *optlen)
{
	int retval = 0;
	int len;
[...]
	if (get_user(len, optlen))  <-- [1]
		return -EFAULT;
[...]
	case SCTP_HMAC_IDENT:
		retval = sctp_getsockopt_hmac_ident(sk, len, optval, optlen);  <-- [2]
		break;
[...]

[1] The user controlled value of "optlen" is copied into "len"
[2] "len" is used as a parameter for the function 
    "sctp_getsockopt_hmac_ident()"

[...]
static int sctp_getsockopt_hmac_ident(struct sock *sk, int len,
				    char __user *optval, int __user *optlen)
{
	struct sctp_hmac_algo_param *hmacs;
	__u16 param_len;

	hmacs = sctp_sk(sk)->ep->auth_hmacs_list;  <-- [3]
	param_len = ntohs(hmacs->param_hdr.length); <-- [4]

	if (len < param_len)  <-- [5]
		return -EINVAL;
	if (put_user(len, optlen))
		return -EFAULT;
	if (copy_to_user(optval, hmacs->hmac_ids, len))  <-- [6]
		return -EFAULT;

	return 0;
}
[...]

If SCTP authentication is enabled (net.sctp.auth_enable=1):

[3] "hmacs" gets a valid value
[4] "param_len" gets a valid value
[5] The length check can be easily passed as "len" is user controlled
[6] "len" is a user controlled value, therefore it is possible to control 
    the number of bytes that get copied back to the user

As "len" isn't validated at all, an unprivileged user can read arbitrary 
data from memory.

References:
http://trapkit.de/advisories/TKADV2008-007.txt
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4113
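
Added example (not code from the bug report or from the kernel source): a userspace model of the length handling described above, with the lower-bound-only check beside a version that clamps the copy to the size of the id list. The struct layout, the 4-byte parameter header and the adjacent data are assumptions of the model; the kernel's hmac_ids is a flexible array with no such end.

```c
/* Added example: userspace model of sctp_getsockopt_hmac_ident() length handling. */
#include <errno.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for struct sctp_hmac_algo_param plus adjacent "kernel" data. */
struct fake_hmac_param {
    uint16_t type;
    uint16_t length;        /* covers 4-byte header + ids; host order here, kernel uses ntohs() */
    uint16_t hmac_ids[2];   /* two configured HMAC identifiers */
    char     adjacent[24];  /* unrelated data that follows the list in memory */
};

static struct fake_hmac_param kmem = {
    .type = 0x8004, .length = 8, .hmac_ids = { 1, 3 },
    .adjacent = "ADJACENT-KERNEL-DATA-00",
};

/* Vulnerable pattern from the report: len has only a lower bound, so the caller picks the copy size. */
int getsockopt_hmac_ident_vuln(int len, unsigned char *optval, int *optlen)
{
    uint16_t param_len = kmem.length;
    if (len < param_len) return -EINVAL;
    *optlen = len;
    memcpy(optval, kmem.hmac_ids, (size_t)len);   /* len is caller controlled */
    return 0;
}

/* Hardened pattern: size the copy from the parameter itself and never exceed it. */
int getsockopt_hmac_ident_fixed(int len, unsigned char *optval, int *optlen)
{
    int data_len = kmem.length - 4;               /* ids only, header stripped (model assumption) */
    if (len < data_len) return -EINVAL;
    len = data_len;                               /* clamp, then report the real size */
    *optlen = len;
    memcpy(optval, kmem.hmac_ids, (size_t)len);
    return 0;
}

/* Bytes the caller receives beyond the id list; -1 if rejected. Valid for len <= 28 (bytes present in kmem). */
int bytes_leaked(int (*fn)(int, unsigned char *, int *), int len)
{
    unsigned char out[64] = { 0 };
    int optlen = 0;
    if (fn(len, out, &optlen) != 0) return -1;
    return optlen > (int)sizeof kmem.hmac_ids ? optlen - (int)sizeof kmem.hmac_ids : 0;
}
```

With a 24-byte request the vulnerable model hands back 20 bytes of the adjacent data, while the clamped version returns only the 4 bytes of identifiers and reports that size in optlen.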

Comment 3 Eugene Teo (Security Response) 2008-12-30 02:20:01 UTC
Created attachment 327941
Reproducer

Comment 4 Vincent Danen 2010-12-21 17:43:58 UTC
This was addressed via:

MRG Realtime for RHEL 5 Server (RHSA-2008:0857)
