Description of problem: Reported by Nokia-CN-Flexi via Issue Tracker. A similar issue was reported by Jukka Taimisto and Olli Jarva from the CROSS open source testing project at Codenomicon Ltd. This was also reported by Windriver on behalf of their customer via vendor-sec.

A kernel crash occurs if an SCTP listening port receives a malformed INIT packet. It's an skb_over_panic BUG halt that results from processing an INIT chunk in which too many of its variable-length parameters are in some way malformed. The problem is in sctp_process_unk_param:

    if (NULL == *errp)
        *errp = sctp_make_op_error_space(asoc, chunk,
                                         ntohs(chunk->chunk_hdr->length));

    if (*errp) {
        sctp_init_cause(*errp, SCTP_ERROR_UNKNOWN_PARAM,
                        WORD_ROUND(ntohs(param.p->length)));
        sctp_addto_chunk(*errp, WORD_ROUND(ntohs(param.p->length)),
                         param.v);
    }

When we allocate an error chunk, we assume that the worst-case scenario requires that we have chunk_hdr->length data allocated, which would be correct nominally, given that we call sctp_addto_chunk for the violating parameter. Unfortunately, in sctp_init_cause we also insert a sctp_errhdr_t structure into the error chunk, so the worst-case situation in which all parameters are in violation requires chunk_hdr->length + (sizeof(sctp_errhdr_t) * param_count) bytes of data.

This fix solves the problem by allowing our implementation to report only a fixed number of errors. When we encounter an error in parameter processing we allocate a chunk that is min(asoc->pathmtu, SCTP_DEFAULT_MAXSEGMENT), limiting our error reporting to a single MTU-sized chunk. Parameter errors that grow beyond that value are discarded.
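An added C model (example code, not the kernel source or the patch) of the size accounting described in this report: what the original code reserved, what the all-parameters-malformed case actually consumes, and how the fix's single MTU-sized chunk caps the reporting. The constants, the sample INIT parameters and the header arithmetic are assumptions chosen for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Assumed constants for a stand-alone model; they mirror the kernel's
 * values but are not taken from the kernel headers. */
#define SCTP_ERRHDR_LEN         4u     /* sctp_errhdr_t: cause code + length */
#define SCTP_DEFAULT_MAXSEGMENT 1500u
#define WORD_ROUND(s)           (((s) + 3u) & ~3u)

/* Constructed sample: an INIT whose 8 variable parameters are all minimal
 * (4-byte) unknown parameters; chunk hdr (4) + INIT fixed part (16) + params. */
#define SAMPLE_PARAMS 8
static const uint16_t sample_lens[SAMPLE_PARAMS] = {4, 4, 4, 4, 4, 4, 4, 4};
#define SAMPLE_INIT_LEN (20u + 4u * SAMPLE_PARAMS)

/* Space the original code reserved: just the INIT chunk's own length. */
static size_t buggy_error_space(size_t init_chunk_len) { return init_chunk_len; }

/* Space the worst case really consumes: every parameter is reported, and
 * each report is an error cause header plus the word-rounded parameter. */
static size_t bytes_needed(const uint16_t *lens, size_t n)
{
    size_t total = 0;
    for (size_t i = 0; i < n; i++)
        total += SCTP_ERRHDR_LEN + WORD_ROUND(lens[i]);
    return total;
}

/* 1 if the original allocation would be overrun (the skb_over_panic case). */
static int buggy_overflows(const uint16_t *lens, size_t n, size_t init_chunk_len)
{
    return bytes_needed(lens, n) > buggy_error_space(init_chunk_len);
}

/* Fixed behaviour: one chunk of min(pathmtu, SCTP_DEFAULT_MAXSEGMENT) bytes;
 * causes that would not fit are discarded. Returns the number reported.
 * Simplification: the cap ignores the error chunk's own header bytes. */
static size_t fixed_report(const uint16_t *lens, size_t n, size_t pathmtu)
{
    size_t cap = pathmtu < SCTP_DEFAULT_MAXSEGMENT ? pathmtu : SCTP_DEFAULT_MAXSEGMENT;
    size_t used = 0, reported = 0;
    for (size_t i = 0; i < n; i++) {
        size_t cause = SCTP_ERRHDR_LEN + WORD_ROUND(lens[i]);
        if (used + cause > cap)
            break;                     /* no room left: drop remaining causes */
        used += cause;
        reported++;
    }
    return reported;
}
```

With the sample INIT, the original accounting reserves 52 bytes while reporting every parameter needs 64, which is exactly the overrun the report describes; the fixed path reports all 8 causes at a 1500-byte MTU and silently drops the rest once the cap is reached.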
Created attachment 409211 (patch to pre-allocate error chunk w/ proper space)

Here's the patch I've written. It pre-allocates the error chunk assuming worst-case conditions, which is that each parameter will be in error (requiring its own SCTP error header).
*** Bug 586631 has been marked as a duplicate of this bug. ***
Consider this public. http://article.gmane.org/gmane.linux.network/159531
Kbase: http://kbase.redhat.com/faq/docs/DOC-31052
For completeness:

The patch that was committed to the upstream networking git:
http://git.kernel.org/?p=linux/kernel/git/davem/net-2.6.git;a=commitdiff;h=5fa782c2f5ef6c2e4f04d3e228412c9b4a4c8809

It has been merged into the vanilla kernel git:
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=032b734d291e3532221b6cf7643a5f41c6261941
(In reply to comment #25)
> For completeness:
>
> The patch that was committed to the upstream networking git:
>
> http://git.kernel.org/?p=linux/kernel/git/davem/net-2.6.git;a=commitdiff;h=5fa782c2f5ef6c2e4f04d3e228412c9b4a4c8809
> It has been merged into the vanilla kernel git:
>
> http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=032b734d291e3532221b6cf7643a5f41c6261941

^^ AFAICS, it's not fixed in upstream yet.
What are you talking about, Eugene? I sent the patch up, & it went into net-2.6. You were copied on the mail, and have the commit above.
(In reply to comment #27)
> What are you talking about, eugene? I sent the patch up, & it went into
> net-2.6. you were copied on the mail, and have the commit above.

But not into linux-2.6 yet. I guess it will be committed there eventually.
(In reply to comment #28)
> (In reply to comment #27)
> > What are you talking about, eugene? I sent the patch up, & it went into
> > net-2.6. you were copied on the mail, and have the commit above.
>
> but not into linux-2.6 yet. But I guess it will be committed there eventually.

It is now. Upstream commit:
http://git.kernel.org/linus/5fa782c2f5ef6c2e4f04d3e228412c9b4a4c8809
We will need this patch too: http://marc.info/?l=linux-sctp&m=127372809930656&w=2

Commit 5fa782c2f5ef6c2e4f04d3e228412c9b4a4c8809 ("sctp: Fix skb_over_panic resulting from multiple invalid parameter errors (CVE-2010-1173) (v4)") causes the 'error cause' to never be added to the ERROR chunk, due to a typo in the valid-length check in sctp_init_cause_fixed().
Statement: Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/CVE-2010-1173. This issue did not affect the version of Linux kernel as shipped with Red Hat Enterprise Linux 3 as it did not include support for SCTP. Future kernel updates in Red Hat Enterprise Linux 4, 5 and Red Hat Enterprise MRG may address this flaw. For more information, please see http://kbase.redhat.com/faq/docs/DOC-31052.
This issue has been addressed in the following products: Red Hat Enterprise Linux 4 Via RHSA-2010:0474 https://rhn.redhat.com/errata/RHSA-2010-0474.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 5 Via RHSA-2010:0504 https://rhn.redhat.com/errata/RHSA-2010-0504.html
The fix is in upstream release kernels 2.6.34, 2.6.33.6 and 2.6.32.16.
This issue has been addressed in the following products: MRG for RHEL-5 Via RHSA-2010:0631 https://rhn.redhat.com/errata/RHSA-2010-0631.html
This issue has been addressed in mrg1-3