CVE-2014-7841 sctp: NULL ptr deref on malformed packet (rhbz 1163087 1163095)
This commit is contained in:
Josh Boyer
parent
d74e638376
commit
b3a8f8f907
@ -619,6 +619,9 @@ Patch26065: sched-Remove-lockdep-check-in-sched_move_task.patch
|
||||
#rhbz 1161805
|
||||
Patch26066: ahci-disable-MSI-instead-of-NCQ-on-Samsung-pci-e-SSD.patch
|
||||
|
||||
#CVE-2014-7841 rhbz 1163087 1163095
|
||||
Patch26067: net-sctp-fix-NULL-pointer-dereference-in-af-from_add.patch
|
||||
|
||||
# git clone ssh://git.fedorahosted.org/git/kernel-arm64.git, git diff master...devel
|
||||
Patch30000: kernel-arm64.patch
|
||||
|
||||
@ -1347,6 +1350,9 @@ ApplyPatch sched-Remove-lockdep-check-in-sched_move_task.patch
|
||||
#rhbz 1161805
|
||||
ApplyPatch ahci-disable-MSI-instead-of-NCQ-on-Samsung-pci-e-SSD.patch
|
||||
|
||||
#CVE-2014-7841 rhbz 1163087 1163095
|
||||
ApplyPatch net-sctp-fix-NULL-pointer-dereference-in-af-from_add.patch
|
||||
|
||||
%if 0%{?aarch64patches}
|
||||
ApplyPatch kernel-arm64.patch
|
||||
%ifnarch aarch64 # this is stupid, but i want to notice before secondary koji does.
|
||||
@ -2215,6 +2221,9 @@ fi
|
||||
# ||----w |
|
||||
# || ||
|
||||
%changelog
|
||||
* Wed Nov 12 2014 Josh Boyer <jwboyer@fedoraproject.org>
|
||||
- CVE-2014-7841 sctp: NULL ptr deref on malformed packet (rhbz 1163087 1163095)
|
||||
|
||||
* Tue Nov 11 2014 Kyle McMartin <kyle@fedoraproject.org> - 3.18.0-0.rc4.git0.2
|
||||
- Re-enable kernel-arm64.patch, and fix up merge conflicts with 3.18-rc4
|
||||
|
||||
|
||||
77
net-sctp-fix-NULL-pointer-dereference-in-af-from_add.patch
Normal file
77
net-sctp-fix-NULL-pointer-dereference-in-af-from_add.patch
Normal file
@ -0,0 +1,77 @@
|
||||
From: Daniel Borkmann <dborkman@redhat.com>
|
||||
Date: Mon, 10 Nov 2014 17:54:26 +0100
|
||||
Subject: [PATCH] net: sctp: fix NULL pointer dereference in
|
||||
af->from_addr_param on malformed packet
|
||||
|
||||
An SCTP server doing ASCONF will panic on malformed INIT ping-of-death
|
||||
in the form of:
|
||||
|
||||
------------ INIT[PARAM: SET_PRIMARY_IP] ------------>
|
||||
|
||||
While the INIT chunk parameter verification dissects through many things
|
||||
in order to detect malformed input, it misses to actually check parameters
|
||||
inside of parameters. E.g. RFC5061, section 4.2.4 proposes a 'set primary
|
||||
IP address' parameter in ASCONF, which has as a subparameter an address
|
||||
parameter.
|
||||
|
||||
So an attacker may send a parameter type other than SCTP_PARAM_IPV4_ADDRESS
|
||||
or SCTP_PARAM_IPV6_ADDRESS, param_type2af() will subsequently return 0
|
||||
and thus sctp_get_af_specific() returns NULL, too, which we then happily
|
||||
dereference unconditionally through af->from_addr_param().
|
||||
|
||||
The trace for the log:
|
||||
|
||||
BUG: unable to handle kernel NULL pointer dereference at 0000000000000078
|
||||
IP: [<ffffffffa01e9c62>] sctp_process_init+0x492/0x990 [sctp]
|
||||
PGD 0
|
||||
Oops: 0000 [#1] SMP
|
||||
[...]
|
||||
Pid: 0, comm: swapper Not tainted 2.6.32-504.el6.x86_64 #1 Bochs Bochs
|
||||
RIP: 0010:[<ffffffffa01e9c62>] [<ffffffffa01e9c62>] sctp_process_init+0x492/0x990 [sctp]
|
||||
[...]
|
||||
Call Trace:
|
||||
<IRQ>
|
||||
[<ffffffffa01f2add>] ? sctp_bind_addr_copy+0x5d/0xe0 [sctp]
|
||||
[<ffffffffa01e1fcb>] sctp_sf_do_5_1B_init+0x21b/0x340 [sctp]
|
||||
[<ffffffffa01e3751>] sctp_do_sm+0x71/0x1210 [sctp]
|
||||
[<ffffffffa01e5c09>] ? sctp_endpoint_lookup_assoc+0xc9/0xf0 [sctp]
|
||||
[<ffffffffa01e61f6>] sctp_endpoint_bh_rcv+0x116/0x230 [sctp]
|
||||
[<ffffffffa01ee986>] sctp_inq_push+0x56/0x80 [sctp]
|
||||
[<ffffffffa01fcc42>] sctp_rcv+0x982/0xa10 [sctp]
|
||||
[<ffffffffa01d5123>] ? ipt_local_in_hook+0x23/0x28 [iptable_filter]
|
||||
[<ffffffff8148bdc9>] ? nf_iterate+0x69/0xb0
|
||||
[<ffffffff81496d10>] ? ip_local_deliver_finish+0x0/0x2d0
|
||||
[<ffffffff8148bf86>] ? nf_hook_slow+0x76/0x120
|
||||
[<ffffffff81496d10>] ? ip_local_deliver_finish+0x0/0x2d0
|
||||
[...]
|
||||
|
||||
A minimal way to address this is to check for NULL as we do on all
|
||||
other such occasions where we know sctp_get_af_specific() could
|
||||
possibly return with NULL.
|
||||
|
||||
Fixes: d6de3097592b ("[SCTP]: Add the handling of "Set Primary IP Address" parameter to INIT")
|
||||
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
|
||||
Cc: Vlad Yasevich <vyasevich@gmail.com>
|
||||
Acked-by: Neil Horman <nhorman@tuxdriver.com>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
---
|
||||
net/sctp/sm_make_chunk.c | 3 +++
|
||||
1 file changed, 3 insertions(+)
|
||||
|
||||
diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c
|
||||
index ab734be8cb20..9f32741abb1c 100644
|
||||
--- a/net/sctp/sm_make_chunk.c
|
||||
+++ b/net/sctp/sm_make_chunk.c
|
||||
@@ -2609,6 +2609,9 @@ do_addr_param:
|
||||
addr_param = param.v + sizeof(sctp_addip_param_t);
|
||||
|
||||
af = sctp_get_af_specific(param_type2af(param.p->type));
|
||||
+ if (af == NULL)
|
||||
+ break;
|
||||
+
|
||||
af->from_addr_param(&addr, addr_param,
|
||||
htons(asoc->peer.port), 0);
|
||||
|
||||
--
|
||||
1.9.3
|
||||
|
||||
Loading…
Reference in New Issue
Block a user