Description of problem:
Backport the feature length validation. Without this it's possible for rlen to overflow to 0, causing kmalloc(0), and a heap overflow during DCCP feature reconciliation.

    rlen = 1 + opt->dccpop_len;
    rpref = kmalloc(rlen, GFP_ATOMIC);
    memcpy(&rpref[1], opt->dccpop_val, opt->dccpop_len);

Thanks to Brandon Edwards of McAfee Avert labs for discovering this issue.

Impact:
A vulnerability exists in the DCCP implementation which can be set up and exploited by a local attacker. The vulnerability is an integer overflow which leads to a kmalloc() for 0 bytes, followed by a memory copy into the returned pointer for 255 bytes, which causes a heap overflow. This type of vulnerability can be exploited by a local attacker to gain arbitrary code execution.

Version-Release number of selected component (if applicable):
2.6.17 <= x <= 2.6.20 (See the timeline for more details)

Additional information:
This vulnerability affects the dccp kernel module (shipped as part of the RHEL kernel updates).
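The width problem described above, modelled in user space as an added example (not the kernel's code and not the reporter's patch): the vulnerable 8-bit size arithmetic next to a hardened form that bounds the length before allocating, the same idea the proposed patch applies on entry to dccp_feat_change. The function names, DCCP_FEAT_MAX_LEN, the placeholder header byte and the sample values are this example's own assumptions.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
typedef uint8_t u8;

/* Vulnerable path: rlen is u8 like dccpop_len, so 1 + 255 wraps to 0.
 * Returns only the size kmalloc() would receive and copies nothing. */
u8 vulnerable_rlen(u8 dccpop_len)
{
    u8 rlen = 1 + dccpop_len;  /* 0 when dccpop_len == 255 */
    return rlen;
}

#define DCCP_FEAT_MAX_LEN 3  /* assumed bound, as in the proposed patch */

/* Hardened form: reject over-long values before any size arithmetic and do
 * the arithmetic in size_t. On success *out is a heap buffer shaped like
 * rpref (a placeholder header byte, then the value), the caller frees it,
 * and the return value is the allocated size; otherwise a negative errno. */
int hardened_build_pref(u8 dccpop_len, const u8 *dccpop_val, u8 **out)
{
    if (dccpop_len > DCCP_FEAT_MAX_LEN)
        return -EINVAL;
    size_t rlen = 1 + (size_t)dccpop_len;
    u8 *rpref = malloc(rlen);
    if (!rpref)
        return -ENOMEM;
    rpref[0] = 0;  /* placeholder, not what the kernel stores here */
    memcpy(&rpref[1], dccpop_val, dccpop_len);
    *out = rpref;
    return (int)rlen;
}

/* Constructed input: a 255-byte value (the length that wraps rlen) and a
 * 3-byte value that is within the bound. */
static const u8 long_val[255] = { 0 };
static const u8 short_val[3] = { 1, 2, 3 };

int hardened_rc_for(u8 dccpop_len)
{
    const u8 *val = dccpop_len > 3 ? long_val : short_val;
    u8 *buf = NULL;
    int rc = hardened_build_pref(dccpop_len, val, &buf);
    if (rc > 0 && memcmp(&buf[1], val, dccpop_len) != 0)
        rc = -EIO;  /* copied value must arrive intact */
    free(buf);      /* free(NULL) is a no-op */
    return rc;
}
```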
Proposed patch from the reporter: --- diff --git a/net/dccp/feat.c b/net/dccp/feat.c index a1b0682..aceb1db 100644 --- a/net/dccp/feat.c +++ b/net/dccp/feat.c @@ -25,6 +25,11 @@ int dccp_feat_change(struct dccp_minisock *dmsk, u8 type, u8 feature, dccp_pr_debug("feat change type=%d feat=%d\n", type, feature); + if (len > 3) { + if (net_ratelimit()) + printk("%s: invalid length %d\n", __func__, len); + return -EINVAL; + } /* XXX sanity check feat change request */ /* check if that feature is already being negotiated */
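Review bot: the bound in `if (len > 3)` carries no comment saying where 3 comes from; a reader of the hunk cannot tell whether it is the largest feature value the negotiation code handles or simply a number small enough to keep the later `rlen = 1 + opt->dccpop_len` from wrapping (the wrap in the report needs a 255-byte length, so any bound below that closes it). Add a one-line comment or a named constant for the limit. Also, `printk("%s: invalid length %d\n", __func__, len)` has no KERN_ log-level prefix, so the message goes out at the default level; a KERN_WARNING prefix would match how rejected input is normally reported. Finally, the new block lands directly above the existing `/* XXX sanity check feat change request */` marker, which should be removed or reworded now that the sanity check exists.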
Public now, lifting embargo: http://lists.debian.org/debian-security-announce/2008/msg00172.html
This was addressed via: Red Hat Enterprise Linux version 5 (RHSA-2008:0519)