Bug 584645 (CVE-2010-1173) - CVE-2010-1173 kernel: sctp: crash due to malformed SCTPChunkInit packet
Summary: CVE-2010-1173 kernel: sctp: crash due to malformed SCTPChunkInit packet
Status: CLOSED ERRATA
Alias: CVE-2010-1173
Product: Security Response
Classification: Other
Component: vulnerability   
Version: unspecified
Hardware: All Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=important,source=customer,repo...
Keywords: Security
Duplicates: 584629 586631
Depends On: 584653 584654 584655 584656 584657 584658 584659 593537 593538 593539
Blocks:
 
Reported: 2010-04-22 05:39 UTC by Eugene Teo (Security Response)
Modified: 2018-10-27 14:52 UTC
CC List: 21 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-03-28 08:38:18 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments
patch to pre-allocate error chunk w/ proper space (1.92 KB, patch)
2010-04-26 15:30 UTC, Neil Horman


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2010:0474 normal SHIPPED_LIVE Important: kernel security and bug fix update 2010-06-15 23:53:35 UTC
Red Hat Product Errata RHSA-2010:0504 normal SHIPPED_LIVE Important: kernel security and bug fix update 2010-07-01 18:26:58 UTC
Red Hat Product Errata RHSA-2010:0631 normal SHIPPED_LIVE Important: kernel-rt security and bug fix update 2010-08-18 07:58:39 UTC

Description Eugene Teo (Security Response) 2010-04-22 05:39:14 UTC
Description of problem:
Reported by Nokia-CN-Flexi via Issue Tracker. A similar issue was reported by Jukka Taimisto and Olli Jarva from the CROSS open source testing project at Codenomicon Ltd. This was also reported by Windriver on behalf of their customer via vendor-sec.

Kernel crash occurs if an sctp listening port receives a malformed init packet.

It's an skb_over_panic BUG halt that results from processing an init chunk in which too many of its variable length parameters are in some way malformed.

The problem is in sctp_process_unk_param:

    if (NULL == *errp)
        *errp = sctp_make_op_error_space(asoc, chunk,
                                         ntohs(chunk->chunk_hdr->length));

    if (*errp) {
        sctp_init_cause(*errp, SCTP_ERROR_UNKNOWN_PARAM,
                        WORD_ROUND(ntohs(param.p->length)));
        sctp_addto_chunk(*errp,
                         WORD_ROUND(ntohs(param.p->length)),
                         param.v);

When we allocate an error chunk, we assume that the worst case scenario requires that we have chunk_hdr->length bytes of data allocated, which would be correct nominally, given that we call sctp_addto_chunk for the violating parameter. Unfortunately, in sctp_init_cause we also insert a sctp_errhdr_t structure into the error chunk, so the worst case situation in which all parameters are in violation requires chunk_hdr->length+(sizeof(sctp_errhdr_t)*param_count) bytes of data.

This fix solves the problem by allowing our implementation to only report a fixed number of errors. When we encounter an error in parameter processing we allocate a chunk that is min(asoc->pathmtu, SCTP_DEFAULT_MAXSEGMENT), limiting our error reporting to a single MTU-sized chunk. Parameter errors that grow beyond that value are discarded.

Acknowledgements:

Red Hat would like to thank Jukka Taimisto and Olli Jarva of Codenomicon Ltd, Nokia Siemens Networks, and Wind River on behalf of their customer, for reporting this issue.
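The sizing mistake described in the report, worked through in a user-space model. This is an added example, not code from the kernel or from the attached patch: it assumes RFC 4960 wire layouts (4-byte chunk header, 16-byte fixed INIT part, TLV parameters padded to 4 bytes, 4-byte error-cause header), treats every parameter whose top two type bits are 11 ("skip and report") as one the receiver reports, and uses its own names (errbuf, walk_init_params, count_needs, build_error_causes, make_hostile_init). It builds a constructed INIT chunk of eight header-only unknown parameters, shows that the causes need more bytes than chunk_hdr->length provides, and appends them with a bounded writer that discards whatever does not fit instead of overrunning the buffer.

```c
/* Added example, not kernel code: user-space model of the error-chunk sizing bug behind
 * CVE-2010-1173.  Layouts follow RFC 4960 (assumed); "skip and report" parameters are reported. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define WORD_ROUND(n)   (((n) + 3u) & ~3u)
#define CHUNKHDR_LEN    4u    /* sizeof(sctp_chunkhdr_t) */
#define INIT_FIXED_LEN  16u   /* initiate tag, a_rwnd, stream counts, initial TSN */
#define PARAMHDR_LEN    4u    /* sizeof(sctp_paramhdr_t) */
#define ERRHDR_LEN      4u    /* sizeof(sctp_errhdr_t): the per-cause cost the old sizing forgot */
#define SCTP_ERROR_UNKNOWN_PARAM 0x0008

static uint16_t get16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static int is_reportable(const uint8_t *param) { return (get16(param) & 0xC000) == 0xC000; }

/* Fixed-capacity error chunk body, standing in for the skb's tailroom. */
struct errbuf { uint8_t data[256]; size_t cap, len; unsigned dropped; };

/* One "Unrecognized Parameter" cause: 4-byte cause header + padded parameter.  The capacity
 * check is what sctp_addto_chunk() lacked; on overflow do what the fix does: drop the cause. */
static void add_unknown_param_cause(void *ctx, const uint8_t *param, uint16_t plen)
{
    struct errbuf *b = ctx;
    size_t padded = WORD_ROUND(plen);
    uint8_t hdr[ERRHDR_LEN];

    if (!is_reportable(param)) return;
    if (b->cap - b->len < ERRHDR_LEN + padded) { b->dropped++; return; }
    put16(hdr, SCTP_ERROR_UNKNOWN_PARAM);
    put16(hdr + 2, (uint16_t)(ERRHDR_LEN + plen));
    memcpy(b->data + b->len, hdr, ERRHDR_LEN);
    memcpy(b->data + b->len + ERRHDR_LEN, param, padded);  /* padding bytes come from the INIT */
    b->len += ERRHDR_LEN + padded;
}

/* Walk INIT's variable-length parameters; a bad length stops the walk. */
static int walk_init_params(const uint8_t *chunk, size_t chunk_len,
                            void (*cb)(void *, const uint8_t *, uint16_t), void *ctx)
{
    size_t off = CHUNKHDR_LEN + INIT_FIXED_LEN;
    while (off + PARAMHDR_LEN <= chunk_len) {
        uint16_t plen = get16(chunk + off + 2);
        if (plen < PARAMHDR_LEN || off + WORD_ROUND(plen) > chunk_len) return -1;
        cb(ctx, chunk + off, plen);
        off += WORD_ROUND(plen);
    }
    return 0;
}

/* What reporting every unknown parameter would cost, without writing anything. */
struct need { unsigned nparams; size_t bytes; };
static void count_cb(void *ctx, const uint8_t *param, uint16_t plen)
{
    struct need *n = ctx;
    if (is_reportable(param)) { n->nparams++; n->bytes += ERRHDR_LEN + WORD_ROUND(plen); }
}
static struct need count_needs(const uint8_t *chunk, size_t chunk_len)
{
    struct need n = {0, 0};
    walk_init_params(chunk, chunk_len, count_cb, &n);
    return n;
}
/* Pre-fix assumption: chunk_hdr->length bytes are enough for every cause. */
static size_t naive_capacity(const uint8_t *chunk) { return get16(chunk + 2); }

/* Build the causes into a body of capacity cap; returns how many were dropped. */
static unsigned build_error_causes(const uint8_t *chunk, size_t chunk_len, size_t cap, struct errbuf *out)
{
    memset(out, 0, sizeof *out);
    out->cap = cap < sizeof out->data ? cap : sizeof out->data;
    walk_init_params(chunk, chunk_len, add_unknown_param_cause, out);
    return out->dropped;
}

/* Constructed input: NPARAMS header-only parameters of type 0xC001 ("skip and report"). */
#define NPARAMS 8
static size_t make_hostile_init(uint8_t *buf, size_t cap)
{
    size_t len = CHUNKHDR_LEN + INIT_FIXED_LEN + NPARAMS * PARAMHDR_LEN;
    if (cap < len) return 0;
    memset(buf, 0, len);
    buf[0] = 1;                                   /* chunk type INIT */
    put16(buf + 2, (uint16_t)len);                /* chunk_hdr->length */
    for (unsigned i = 0; i < NPARAMS; i++) {
        uint8_t *p = buf + CHUNKHDR_LEN + INIT_FIXED_LEN + i * PARAMHDR_LEN;
        put16(p, 0xC001);
        put16(p + 2, PARAMHDR_LEN);
    }
    return len;
}

int main(void)
{
    uint8_t init[128];
    struct errbuf eb;
    size_t len = make_hostile_init(init, sizeof init), naive = naive_capacity(init);
    struct need n = count_needs(init, len);
    size_t safe = naive + ERRHDR_LEN * n.nparams;  /* the report's worst-case formula */
    printf("INIT %zu bytes, %u reportable params: causes need %zu, old capacity %zu -> %s\n", len,
           n.nparams, n.bytes, naive, n.bytes > naive ? "OVERRUN (skb_over_panic)" : "fits");
    printf("bounded writer, old capacity: %u dropped; worst-case capacity %zu: %u dropped\n",
           build_error_causes(init, len, naive, &eb), safe, build_error_causes(init, len, safe, &eb));
    return 0;
}
```

With eight 4-byte parameters the INIT is 52 bytes, the eight causes need 64, so an unbounded writer sized from chunk_hdr->length runs 12 bytes past the end; the bounded writer instead drops two causes at that capacity and none at the report's chunk_hdr->length + sizeof(sctp_errhdr_t) * param_count bound. The cap argument also models the shipped fix's policy of sizing the error chunk from the path MTU rather than from the INIT and discarding what does not fit.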

Comment 18 Neil Horman 2010-04-26 15:30:18 UTC
Created attachment 409211 [details]
patch to pre-allocate error chunk w/ proper space

Here's the patch I've written.  It pre-allocates the error chunk assuming worst case conditions, which is that each parameter will be in error (requiring its own sctp error header).

Comment 20 Eugene Teo (Security Response) 2010-04-28 06:02:29 UTC
*** Bug 586631 has been marked as a duplicate of this bug. ***

Comment 23 Eugene Teo (Security Response) 2010-04-29 00:46:40 UTC
Consider this public.

http://article.gmane.org/gmane.linux.network/159531

Comment 24 Eugene Teo (Security Response) 2010-04-30 05:20:21 UTC
Kbase: http://kbase.redhat.com/faq/docs/DOC-31052

Comment 25 J.H.M. Dassen (Ray) 2010-04-30 09:12:32 UTC
For completeness:

The patch that was committed to the upstream networking git:
	http://git.kernel.org/?p=linux/kernel/git/davem/net-2.6.git;a=commitdiff;h=5fa782c2f5ef6c2e4f04d3e228412c9b4a4c8809
It has been merged into the vanilla kernel git:
	http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=032b734d291e3532221b6cf7643a5f41c6261941

Comment 26 Eugene Teo (Security Response) 2010-05-04 01:40:46 UTC
(In reply to comment #25)
> For completeness:
> 
> The patch that was committed to the upstream networking git:
> 
> http://git.kernel.org/?p=linux/kernel/git/davem/net-2.6.git;a=commitdiff;h=5fa782c2f5ef6c2e4f04d3e228412c9b4a4c8809
> It has been merged into the vanilla kernel git:
> 
> http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=032b734d291e3532221b6cf7643a5f41c6261941    

^^ AFAICS, it's not fixed in upstream yet.

Comment 27 Neil Horman 2010-05-05 00:28:33 UTC
What are you talking about, Eugene?  I sent the patch up, & it went into net-2.6.  You were copied on the mail, and have the commit above.

Comment 28 Eugene Teo (Security Response) 2010-05-05 01:34:37 UTC
(In reply to comment #27)
> What are you talking about, eugene?  I sent the patch up, & it went into
> net-2.6.  you were copied on the mail, and have the commit above.    

But not into linux-2.6 yet. But I guess it will be committed there eventually.

Comment 29 Eugene Teo (Security Response) 2010-05-09 09:18:25 UTC
(In reply to comment #28)
> (In reply to comment #27)
> > What are you talking about, eugene?  I sent the patch up, & it went into
> > net-2.6.  you were copied on the mail, and have the commit above.    
> 
> but not into linux-2.6 yet. But I guess it will be committed there eventually.    

It is now.

Upstream commit:
http://git.kernel.org/linus/5fa782c2f5ef6c2e4f04d3e228412c9b4a4c8809

Comment 30 Eugene Teo (Security Response) 2010-05-13 08:06:41 UTC
We will need this patch too: http://marc.info/?l=linux-sctp&m=127372809930656&w=2

commit 5fa782c2f5ef6c2e4f04d3e228412c9b4a4c8809
  sctp: Fix skb_over_panic resulting from multiple invalid parameter errors (CVE-2010-1173) (v4)

causes the 'error cause' never to be added to the ERROR chunk, due to a typo when checking the valid length in sctp_init_cause_fixed().

Comment 32 Eugene Teo (Security Response) 2010-05-19 16:34:21 UTC
Statement:

Red Hat is aware of this issue and is tracking it via the following bug:
https://bugzilla.redhat.com/CVE-2010-1173.

This issue did not affect the version of Linux kernel as shipped with Red Hat Enterprise Linux 3 as it did not include support for SCTP. Future kernel updates in Red Hat Enterprise Linux 4, 5 and Red Hat Enterprise MRG may address this flaw.

For more information, please see http://kbase.redhat.com/faq/docs/DOC-31052.

Comment 36 errata-xmlrpc 2010-06-15 23:53:57 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 4

Via RHSA-2010:0474 https://rhn.redhat.com/errata/RHSA-2010-0474.html

Comment 37 errata-xmlrpc 2010-07-01 18:27:32 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2010:0504 https://rhn.redhat.com/errata/RHSA-2010-0504.html

Comment 40 Chuck Ebbert 2010-08-01 23:16:36 UTC
The fix is in upstream release kernels 2.6.34, 2.6.33.6 and 2.6.32.16

Comment 42 errata-xmlrpc 2010-08-17 15:52:36 UTC
This issue has been addressed in the following products:

  MRG for RHEL-5

Via RHSA-2010:0631 https://rhn.redhat.com/errata/RHSA-2010-0631.html

Comment 43 John Kacur 2010-09-06 12:53:48 UTC
This issue has been addressed in mrg1-3

