Bug 584645 - (CVE-2010-1173) CVE-2010-1173 kernel: sctp: crash due to malformed SCTPChunkInit packet
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Assigned To: Red Hat Product Security
Whiteboard: impact=important,source=customer,repo...
Keywords: Security
Duplicates: 584629 586631
Depends On: 584653 584654 584655 584656 584657 584658 584659 593537 593538 593539
Reported: 2010-04-22 01:39 EDT by Eugene Teo (Security Response)
Modified: 2015-08-19 04:45 EDT (History)

Doc Type: Bug Fix
Last Closed: 2012-03-28 04:38:18 EDT

Attachments
patch to pre-allocate error chunk w/ proper space (1.92 KB, patch), 2010-04-26 11:30 EDT, Neil Horman

Description Eugene Teo (Security Response) 2010-04-22 01:39:14 EDT
Description of problem:
Reported by Nokia-CN-Flexi via Issue Tracker. A similar issue was reported by Jukka Taimisto and Olli Jarva from the CROSS open source testing project at Codenomicon Ltd. This was also reported by Windriver on behalf of their customer via vendor-sec.

Kernel crash occurs if an SCTP listening port receives a malformed init packet.

It's an skb_over_panic BUG halt that results from processing an init chunk in which too many of its variable length parameters are in some way malformed.

The problem is in sctp_process_unk_param:

	/* space for the error chunk is reserved on the first violating parameter,
	 * sized only from the incoming INIT chunk's own length */
	if (NULL == *errp)
		*errp = sctp_make_op_error_space(asoc, chunk,
						 ntohs(chunk->chunk_hdr->length));

	if (*errp) {
		/* sctp_init_cause writes a sctp_errhdr_t for this cause ... */
		sctp_init_cause(*errp, SCTP_ERROR_UNKNOWN_PARAM,
				WORD_ROUND(ntohs(param.p->length)));
		/* ... and sctp_addto_chunk then copies the offending parameter */
		sctp_addto_chunk(*errp,
				 WORD_ROUND(ntohs(param.p->length)),
				 param.v);

When we allocate an error chunk, we assume that the worst case scenario requires that we have chunk_hdr->length data allocated, which would be correct nominally, given that we call sctp_addto_chunk for the violating parameter.  Unfortunately, we also, in sctp_init_cause, insert a sctp_errhdr_t structure into the error chunk, so the worst case situation in which all parameters are in violation requires chunk_hdr->length+(sizeof(sctp_errhdr_t)*param_count) bytes of data.

This fix solves the problem by allowing our implementation to only report a
fixed number of errors.  When we encounter an error in parameter processing we
allocate a chunk that is min(asoc->pathmtu, SCTP_DEFAULT_MAXSEGMENT), limiting
our error reporting to a single mtu sized chunk.  Parameter errors that grow
beyond that value are discarded.

Acknowledgements:

Red Hat would like to thank Jukka Taimisto and Olli Jarva of Codenomicon Ltd, Nokia Siemens Networks, and Wind River on behalf of their customer, for reporting this issue.
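An added illustration of the space accounting the description lays out: the pre-fix reservation of chunk_hdr->length bytes set against the worst case in which every parameter carries its own sctp_errhdr_t. This is not kernel or patch code; struct err_chunk, add_cause and causes_dropped are simplified names assumed here.

```c
/* Added model (not kernel code) of the error-chunk space accounting described
 * above; struct and function names are simplified assumptions. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define SCTP_ERRHDR_LEN 4u                 /* sizeof(sctp_errhdr_t): cause + length */
#define WORD_ROUND(n)   (((n) + 3u) & ~3u) /* 4-byte alignment, as in the kernel */

struct err_chunk {
    uint8_t *buf;
    size_t   cap;      /* bytes reserved by sctp_make_op_error_space() */
    size_t   len;      /* bytes used so far */
    unsigned dropped;  /* causes that did not fit */
};

/* Worst case from the description: every parameter is in error, so each one
 * costs a sctp_errhdr_t on top of the parameter bytes already in chunk_len. */
size_t worst_case_bytes(size_t chunk_len, unsigned param_count)
{
    return chunk_len + SCTP_ERRHDR_LEN * param_count;
}

/* One error cause = errhdr (sctp_init_cause) + copy of the offending parameter
 * (sctp_addto_chunk).  The bounds check models the post-fix behaviour; the
 * pre-fix code appended unconditionally and hit skb_over_panic past cap. */
static int add_cause(struct err_chunk *c, const uint8_t *param, uint16_t plen)
{
    size_t need = SCTP_ERRHDR_LEN + WORD_ROUND(plen);
    if (c->len + need > c->cap) {
        c->dropped++;                      /* report only what fits */
        return -1;
    }
    /* cause code 8 = SCTP_ERROR_UNKNOWN_PARAM, then cause length, big-endian */
    uint8_t hdr[4] = { 0x00, 0x08, (uint8_t)(need >> 8), (uint8_t)need };
    memcpy(c->buf + c->len, hdr, SCTP_ERRHDR_LEN);
    memcpy(c->buf + c->len + SCTP_ERRHDR_LEN, param, plen);
    c->len += need;
    return 0;
}

/* Process a constructed INIT whose every parameter is malformed and return how
 * many causes had to be dropped when the error chunk holds `cap` bytes. */
unsigned causes_dropped(size_t cap, unsigned param_count, uint16_t plen)
{
    uint8_t param[64];
    memset(param, 0xff, sizeof param);     /* constructed junk parameter bytes */
    if (plen > sizeof param) return param_count;
    uint8_t *buf = calloc(cap ? cap : 1, 1);
    struct err_chunk c = { buf, cap, 0, 0 };
    for (unsigned i = 0; i < param_count; i++)
        add_cause(&c, param, plen);
    free(buf);
    return c.dropped;
}
```

With eight 8-byte parameters in an 84-byte INIT, worst_case_bytes reports 116, and a chunk reserved at the INIT's own length has no room for the eighth cause, which is exactly where the unchecked code would have overrun.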
Comment 18 Neil Horman 2010-04-26 11:30:18 EDT
Created attachment 409211 [details]
patch to pre-allocate error chunk w/ proper space

Here's the patch I've written.  It pre-allocates the error chunk assuming worst case conditions, which is that each parameter will be in error (requiring its own sctp error header).
Comment 20 Eugene Teo (Security Response) 2010-04-28 02:02:29 EDT
*** Bug 586631 has been marked as a duplicate of this bug. ***
Comment 23 Eugene Teo (Security Response) 2010-04-28 20:46:40 EDT
Consider this public.

http://article.gmane.org/gmane.linux.network/159531
Comment 24 Eugene Teo (Security Response) 2010-04-30 01:20:21 EDT
Kbase: http://kbase.redhat.com/faq/docs/DOC-31052
Comment 25 J.H.M. Dassen (Ray) 2010-04-30 05:12:32 EDT
For completeness:

The patch that was committed to the upstream networking git:
	http://git.kernel.org/?p=linux/kernel/git/davem/net-2.6.git;a=commitdiff;h=5fa782c2f5ef6c2e4f04d3e228412c9b4a4c8809
It has been merged into the vanilla kernel git:
	http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=032b734d291e3532221b6cf7643a5f41c6261941
Comment 26 Eugene Teo (Security Response) 2010-05-03 21:40:46 EDT
(In reply to comment #25)
> For completeness:
> 
> The patch that was committed to the upstream networking git:
> 
> http://git.kernel.org/?p=linux/kernel/git/davem/net-2.6.git;a=commitdiff;h=5fa782c2f5ef6c2e4f04d3e228412c9b4a4c8809
> It has been merged into the vanilla kernel git:
> 
> http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=032b734d291e3532221b6cf7643a5f41c6261941    

^^ AFAICS, it's not fixed in upstream yet.
Comment 27 Neil Horman 2010-05-04 20:28:33 EDT
What are you talking about, Eugene?  I sent the patch up, & it went into net-2.6.  You were copied on the mail, and have the commit above.
Comment 28 Eugene Teo (Security Response) 2010-05-04 21:34:37 EDT
(In reply to comment #27)
> What are you talking about, eugene?  I sent the patch up, & it went into
> net-2.6.  you were copied on the mail, and have the commit above.    

But not into linux-2.6 yet. But I guess it will be committed there eventually.
Comment 29 Eugene Teo (Security Response) 2010-05-09 05:18:25 EDT
(In reply to comment #28)
> (In reply to comment #27)
> > What are you talking about, eugene?  I sent the patch up, & it went into
> > net-2.6.  you were copied on the mail, and have the commit above.    
> 
> but not into linux-2.6 yet. But I guess it will be committed there eventually.    

It is now.

Upstream commit:
http://git.kernel.org/linus/5fa782c2f5ef6c2e4f04d3e228412c9b4a4c8809
Comment 30 Eugene Teo (Security Response) 2010-05-13 04:06:41 EDT
We will need this patch too: http://marc.info/?l=linux-sctp&m=127372809930656&w=2

commit 5fa782c2f5ef6c2e4f04d3e228412c9b4a4c8809
  sctp: Fix skb_over_panic resulting from multiple invalid parameter errors (CVE-2010-1173) (v4)

causes the 'error cause' never to be added to the ERROR chunk, due to a typo in the valid-length check in sctp_init_cause_fixed().
Comment 32 Eugene Teo (Security Response) 2010-05-19 12:34:21 EDT
Statement:

Red Hat is aware of this issue and is tracking it via the following bug:
https://bugzilla.redhat.com/CVE-2010-1173.

This issue did not affect the version of Linux kernel as shipped with Red Hat Enterprise Linux 3 as it did not include support for SCTP. Future kernel updates in Red Hat Enterprise Linux 4, 5 and Red Hat Enterprise MRG may address this flaw.

For more information, please see http://kbase.redhat.com/faq/docs/DOC-31052.
Comment 36 errata-xmlrpc 2010-06-15 19:53:57 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 4

Via RHSA-2010:0474 https://rhn.redhat.com/errata/RHSA-2010-0474.html
Comment 37 errata-xmlrpc 2010-07-01 14:27:32 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2010:0504 https://rhn.redhat.com/errata/RHSA-2010-0504.html
Comment 40 Chuck Ebbert 2010-08-01 19:16:36 EDT
The fix is in upstream release kernels 2.6.34, 2.6.33.6 and 2.6.32.16
Comment 42 errata-xmlrpc 2010-08-17 11:52:36 EDT
This issue has been addressed in the following products:

  MRG for RHEL-5

Via RHSA-2010:0631 https://rhn.redhat.com/errata/RHSA-2010-0631.html
Comment 43 John Kacur 2010-09-06 08:53:48 EDT
This issue has been addressed in mrg1-3
