[CVE A/T] CVE-2018-1130 -- dccp oops


[CVE A/T] CVE-2018-1130 -- dccp oops

Andy Whitcroft-3
CVE-2018-1130
    It was discovered that a null pointer dereference vulnerability
    existed in the DCCP protocol implementation in the Linux kernel. A
    local attacker could use this to cause a denial of service (system
    crash).

Following this email are patches for artful and trusty; they are both
clean cherry-picks but differ in context.

Proposing for SRU to artful/linux and trusty/linux.

-apw

--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team

[artful/master-next 1/1] dccp: check sk for closed state in dccp_sendmsg()

Andy Whitcroft-3
From: Alexey Kodanev <[hidden email]>

dccp_disconnect() sets 'dp->dccps_hc_tx_ccid' tx handler to NULL,
therefore if DCCP socket is disconnected and dccp_sendmsg() is
called after it, it will cause a NULL pointer dereference in
dccp_write_xmit().

This crash and the reproducer were reported by syzbot. Looks like
it is reproduced if commit 69c64866ce07 ("dccp: CVE-2017-8824:
use-after-free in DCCP code") is applied.

Reported-by: [hidden email]
Signed-off-by: Alexey Kodanev <[hidden email]>
Signed-off-by: David S. Miller <[hidden email]>

(cherry picked from commit 67f93df79aeefc3add4e4b31a752600f834236e2)
CVE-2018-1130
Signed-off-by: Andy Whitcroft <[hidden email]>
---
 net/dccp/proto.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/net/dccp/proto.c b/net/dccp/proto.c
index 9d43c1f40274..ff3b058cf58c 100644
--- a/net/dccp/proto.c
+++ b/net/dccp/proto.c
@@ -789,6 +789,11 @@ int dccp_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
  if (skb == NULL)
  goto out_release;
 
+ if (sk->sk_state == DCCP_CLOSED) {
+ rc = -ENOTCONN;
+ goto out_discard;
+ }
+
  skb_reserve(skb, sk->sk_prot->max_header);
  rc = memcpy_from_msg(skb_put(skb, len), msg, len);
  if (rc != 0)
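Review bot: the new `if (sk->sk_state == DCCP_CLOSED)` block sits after the skb has already been allocated, so its `goto out_discard` is the right exit only if `out_discard` frees the skb before falling into `out_release`; please confirm that label order in dccp_sendmsg(), since a `goto out_release` at this point would leak the freshly allocated buffer. Note also that the check guards the socket state rather than `dp->dccps_hc_tx_ccid` itself, which is the pointer the commit message says dccp_disconnect() clears; that is sufficient as long as every path that NULLs the handler also moves the socket to DCCP_CLOSED, which is worth stating in the backport note.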
--
2.17.0


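As an added illustration (not code from the patch or from the kernel), the following userspace C model shows the situation the commit message describes: disconnect clears the tx CCID handler, and the sendmsg path has to reject a closed socket before it reaches the code that dereferences that handler. Structure names, the allocation counter, the error values and the state numbers are simplified stand-ins rather than kernel definitions; the check is placed after the buffer allocation, as in the hunk, so the model also shows why the error path must free the buffer.

```c
/* Added example, not kernel code: a userspace model of the CVE-2018-1130
 * fix. dccp_disconnect() clears the tx CCID handler and marks the socket
 * closed; a later sendmsg must reject the socket before the handler is
 * dereferenced. Names and values below are simplified stand-ins. */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>

enum sk_state { DCCP_OPEN = 1, DCCP_CLOSED = 7 };   /* illustrative values */

struct ccid_ops { int (*send_packet)(const char *buf, size_t len); };

struct sock {
    enum sk_state sk_state;
    struct ccid_ops *dccps_hc_tx_ccid;   /* NULL after disconnect */
};

/* Track skb allocations so a caller can prove the error path frees them. */
static int live_skbs;
static char *skb_alloc(size_t len) { live_skbs++; return malloc(len); }
static void  kfree_skb(char *skb)  { live_skbs--; free(skb); }
int model_live_skbs(void) { return live_skbs; }

static int ccid_send(const char *buf, size_t len) { (void)buf; return (int)len; }
static struct ccid_ops tx_ops = { ccid_send };

void model_connect(struct sock *sk)    { sk->sk_state = DCCP_OPEN;   sk->dccps_hc_tx_ccid = &tx_ops; }
void model_disconnect(struct sock *sk) { sk->sk_state = DCCP_CLOSED; sk->dccps_hc_tx_ccid = NULL; }

/* True when an unguarded transmit would dereference the cleared handler. */
int model_tx_handler_cleared(const struct sock *sk) { return sk->dccps_hc_tx_ccid == NULL; }

/* Stand-in for dccp_write_xmit(): uses the tx handler unconditionally,
 * which is what crashed once dccp_disconnect() had cleared it. */
static int write_xmit(struct sock *sk, char *skb, size_t len) {
    return sk->dccps_hc_tx_ccid->send_packet(skb, len);
}

/* Model of the patched dccp_sendmsg(). The closed-state check sits after the
 * skb allocation, exactly as in the hunk, so the failure path must go through
 * out_discard (which frees the skb) rather than straight to out_release. */
int model_sendmsg(struct sock *sk, const char *msg, size_t len) {
    int rc;
    char *skb = skb_alloc(len + 64);
    if (skb == NULL) { rc = -ENOBUFS; goto out_release; }

    if (sk->sk_state == DCCP_CLOSED) {
        rc = -ENOTCONN;
        goto out_discard;
    }

    memcpy(skb, msg, len);
    rc = write_xmit(sk, skb, len);
    kfree_skb(skb);   /* the kernel hands the skb to a queue; the model frees it here */
    return rc;

out_discard:
    kfree_skb(skb);
out_release:
    return rc;
}

int main(void) {
    struct sock sk;
    model_connect(&sk);
    printf("connected send -> %d\n", model_sendmsg(&sk, "hello", 5));
    model_disconnect(&sk);
    printf("tx handler cleared after disconnect: %d\n", model_tx_handler_cleared(&sk));
    printf("send after disconnect -> %d (live skbs: %d)\n",
           model_sendmsg(&sk, "hello", 5), model_live_skbs());
    return 0;
}
```

The allocation counter is the point of the model: after the rejected send it must be back at zero, which is exactly the property a reviewer checks when a `goto` is added between an allocation and its normal release path.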

[trusty/master-next 1/1] dccp: check sk for closed state in dccp_sendmsg()

Andy Whitcroft-3
From: Alexey Kodanev <[hidden email]>

dccp_disconnect() sets 'dp->dccps_hc_tx_ccid' tx handler to NULL,
therefore if DCCP socket is disconnected and dccp_sendmsg() is
called after it, it will cause a NULL pointer dereference in
dccp_write_xmit().

This crash and the reproducer were reported by syzbot. Looks like
it is reproduced if commit 69c64866ce07 ("dccp: CVE-2017-8824:
use-after-free in DCCP code") is applied.

Reported-by: [hidden email]
Signed-off-by: Alexey Kodanev <[hidden email]>
Signed-off-by: David S. Miller <[hidden email]>

(cherry picked from commit 67f93df79aeefc3add4e4b31a752600f834236e2)
CVE-2018-1130
Signed-off-by: Andy Whitcroft <[hidden email]>
---
 net/dccp/proto.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/net/dccp/proto.c b/net/dccp/proto.c
index 8cfe2255f5e2..100676ab69ba 100644
--- a/net/dccp/proto.c
+++ b/net/dccp/proto.c
@@ -785,6 +785,11 @@ int dccp_sendmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg,
  if (skb == NULL)
  goto out_release;
 
+ if (sk->sk_state == DCCP_CLOSED) {
+ rc = -ENOTCONN;
+ goto out_discard;
+ }
+
  skb_reserve(skb, sk->sk_prot->max_header);
  rc = memcpy_fromiovec(skb_put(skb, len), msg->msg_iov, len);
  if (rc != 0)
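Review bot: the inserted lines are identical to the artful hunk but land in a tree where dccp_sendmsg() still takes `struct kiocb *iocb` and copies with `memcpy_fromiovec(..., msg->msg_iov, ...)`, so the "clean cherry-pick" claim holds only because the five added lines touch nothing but `sk->sk_state` and `rc`; the backport note should record the differing context, as the cover letter does, so a later rebase does not mistake the mismatch for a conflict. Also note the thread's later finding that on trusty the same reproducer first hits the missing `bind_conflict` callback, so this patch on its own does not make the reproducer pass there.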
--
2.17.0



Re: [CVE A/T] CVE-2018-1130 -- dccp oops

Evgenii Shatokhin
Hi,

On 30.05.2018 13:20, Andy Whitcroft wrote:

> CVE-2018-1130
>      It was discovered that a null pointer dereference vulnerability
>      existed in the DCCP protocol implementation in the Linux kernel. A
>      local attacker could use this to cause a denial of service (system
>      crash).
>
> Following this email are patches for artful and trusty, they are both
> clean cherry-picks but differ in context.
>
> Proposing for SRU to artful/linux and trusty/linux.
>
> -apw
>

Please consider backporting the following mainline commit as well:

commit 990ff4d84408fc55942ca6644f67e361737b3d8e
Author: Eric Dumazet <[hidden email]>
Date:   Thu Nov 3 08:59:46 2016 -0700

     ipv6: dccp: add missing bind_conflict to dccp_ipv6_mapped

If I understand it correctly, it is not present in Artful and Trusty.

Without it, the same reproducer program for CVE-2018-1130 (see
https://syzkaller.appspot.com/bug?id=833568de043e0909b2aeaef7be136db39d21ba94)
could make the kernel call the missing dccp_ipv6_mapped->bind_conflict()
callback, which would result in a crash.

I haven't tried the reproducer in Ubuntu yet, only in RHEL, but the
Ubuntu kernels might be affected too.

Regards,
Evgenii


Re: [CVE A/T] CVE-2018-1130 -- dccp oops

Kleber Sacilotto de Souza
On 05/30/18 04:46, Evgenii Shatokhin wrote:

> Hi,
>
> On 30.05.2018 13:20, Andy Whitcroft wrote:
>> CVE-2018-1130
>>      It was discovered that a null pointer dereference vulnerability
>>      existed in the DCCP protocol implementation in the Linux kernel. A
>>      local attacker could use this to cause a denial of service (system
>>      crash).
>>
>> Following this email are patches for artful and trusty, they are both
>> clean cherry-picks but differ in context.
>>
>> Proposing for SRU to artful/linux and trusty/linux.
>>
>> -apw
>>
>
> Please consider backporting the following mainline commit as well:
>
> commit 990ff4d84408fc55942ca6644f67e361737b3d8e
> Author: Eric Dumazet <[hidden email]>
> Date:   Thu Nov 3 08:59:46 2016 -0700
>
>     ipv6: dccp: add missing bind_conflict to dccp_ipv6_mapped
>
> If I understand it correctly, it is not present in Artful and Trusty.
>
> Without it, the same reproducer program for CVE-2018-1130 (see
> https://syzkaller.appspot.com/bug?id=833568de043e0909b2aeaef7be136db39d21ba94)
> could make the kernel call the missing dccp_ipv6_mapped->bind_conflict()
> callback, which would result in a crash.
>
> I haven't tried the reproducer in Ubuntu yet, only in RHEL, but the
> Ubuntu kernels might be affected too.
>
> Regards,
> Evgenii
>

Hi Evgenii,

Thank you for pointing that out. Artful already carries that patch, but
it's missing for Trusty and I was able to hit the crash with the reproducer.


Thank you,
Kleber


ACK/cmnt: [CVE A/T] CVE-2018-1130 -- dccp oops

Kleber Sacilotto de Souza
On 05/30/18 03:20, Andy Whitcroft wrote:

> CVE-2018-1130
>     It was discovered that a null pointer dereference vulnerability
>     existed in the DCCP protocol implementation in the Linux kernel. A
>     local attacker could use this to cause a denial of service (system
>     crash).
>
> Following this email are patches for artful and trusty, they are both
> clean cherry-picks but differ in context.
>
> Proposing for SRU to artful/linux and trusty/linux.
>
> -apw
>

Given that a backport of 990ff4d84408fc55942ca6644f67e361737b3d8e is
also submitted for Trusty:

Acked-by: Kleber Sacilotto de Souza <[hidden email]>


[CVE A/T v2] CVE-2018-1130 -- dccp oops

Andy Whitcroft-3
CVE-2018-1130
    It was discovered that a null pointer dereference vulnerability
    existed in the DCCP protocol implementation in the Linux kernel. A
    local attacker could use this to cause a denial of service (system
    crash).

Following this email are patch sets for artful and trusty; all patches
are clean cherry-picks.  For trusty there is a second fix also tickled
by the reproducer; the fix for this is already applied in artful.

Proposing for SRU to artful/linux and trusty/linux.

-apw


[artful/master-next 1/1] dccp: check sk for closed state in dccp_sendmsg()

Andy Whitcroft-3
From: Alexey Kodanev <[hidden email]>

dccp_disconnect() sets 'dp->dccps_hc_tx_ccid' tx handler to NULL,
therefore if DCCP socket is disconnected and dccp_sendmsg() is
called after it, it will cause a NULL pointer dereference in
dccp_write_xmit().

This crash and the reproducer were reported by syzbot. Looks like
it is reproduced if commit 69c64866ce07 ("dccp: CVE-2017-8824:
use-after-free in DCCP code") is applied.

Reported-by: [hidden email]
Signed-off-by: Alexey Kodanev <[hidden email]>
Signed-off-by: David S. Miller <[hidden email]>

(cherry picked from commit 67f93df79aeefc3add4e4b31a752600f834236e2)
CVE-2018-1130
Signed-off-by: Andy Whitcroft <[hidden email]>
---
 net/dccp/proto.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/net/dccp/proto.c b/net/dccp/proto.c
index 9d43c1f40274..ff3b058cf58c 100644
--- a/net/dccp/proto.c
+++ b/net/dccp/proto.c
@@ -789,6 +789,11 @@ int dccp_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
  if (skb == NULL)
  goto out_release;
 
+ if (sk->sk_state == DCCP_CLOSED) {
+ rc = -ENOTCONN;
+ goto out_discard;
+ }
+
  skb_reserve(skb, sk->sk_prot->max_header);
  rc = memcpy_from_msg(skb_put(skb, len), msg, len);
  if (rc != 0)
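Review bot: unchanged from the v1 submission, which is correct for a cherry-pick. One observation for an upstream follow-up rather than for this backport: nothing in the added check depends on the skb, so it could be placed before the allocation and leave through `out_release`, sparing an allocation and free for a socket that is going to be rejected anyway; keeping it where upstream put it is the right call here, since it keeps the patch identical to 67f93df79aeefc3add4e4b31a752600f834236e2.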
--
2.17.0



[trusty/master-next 1/2] ipv6: dccp: add missing bind_conflict to dccp_ipv6_mapped

Andy Whitcroft-3
From: Eric Dumazet <[hidden email]>

While fuzzing kernel with syzkaller, Andrey reported a nasty crash
in inet6_bind() caused by DCCP lacking a required method.

Fixes: ab1e0a13d7029 ("[SOCK] proto: Add hashinfo member to struct proto")
Signed-off-by: Eric Dumazet <[hidden email]>
Reported-by: Andrey Konovalov <[hidden email]>
Tested-by: Andrey Konovalov <[hidden email]>
Cc: Arnaldo Carvalho de Melo <[hidden email]>
Acked-by: Arnaldo Carvalho de Melo <[hidden email]>
Signed-off-by: David S. Miller <[hidden email]>

(cherry picked from commit 990ff4d84408fc55942ca6644f67e361737b3d8e)
CVE-2018-1130
Signed-off-by: Andy Whitcroft <[hidden email]>
---
 net/dccp/ipv6.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/dccp/ipv6.c b/net/dccp/ipv6.c
index 9dacede72332..752317d1df39 100644
--- a/net/dccp/ipv6.c
+++ b/net/dccp/ipv6.c
@@ -1027,6 +1027,7 @@ static const struct inet_connection_sock_af_ops dccp_ipv6_mapped = {
  .getsockopt   = ipv6_getsockopt,
  .addr2sockaddr   = inet6_csk_addr2sockaddr,
  .sockaddr_len   = sizeof(struct sockaddr_in6),
+ .bind_conflict   = inet6_csk_bind_conflict,
 #ifdef CONFIG_COMPAT
  .compat_setsockopt = compat_ipv6_setsockopt,
  .compat_getsockopt = compat_ipv6_getsockopt,
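Review bot: the surrounding entries already reference `inet6_csk_addr2sockaddr`, so the header for the `inet6_csk_*` helpers is in scope, but please confirm `inet6_csk_bind_conflict` is exported in the trusty tree (the non-mapped IPv6 ops table presumably already sets it, which would settle that). The Fixes: tag points at ab1e0a13d7029, meaning the gap has existed since the hashinfo member was added to struct proto, which is why every series back to trusty needs it; the backport note would be clearer if it said explicitly that the crash is a NULL function-pointer call from inet6_bind() when bind goes through the mapped ops, so the link to the CVE-2018-1130 reproducer is documented alongside the CVE tag.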
--
2.17.0


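As an added example, not from the kernel or from this patch series: a userspace C model of the `dccp_ipv6_mapped` ops table with `bind_conflict` left unset, next to the same table after the one-line fix, and a registration-time check that refuses a table with a missing required callback instead of letting a later bind dereference NULL. The field names follow the hunk's context; `af_ops_missing()`, `model_inet6_bind()`, the stand-in callbacks and the port-8080 conflict rule are assumptions made for illustration.

```c
/* Added example, not kernel code: a userspace model of the dccp_ipv6_mapped
 * ops table before and after the fix, plus a registration-time check that
 * reports a missing required callback instead of letting a later call
 * dereference NULL. All names other than the field names are stand-ins. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <errno.h>

struct sockaddr_in6_model { unsigned char addr[16]; unsigned short port; };

/* Mirrors the fields visible in the hunk's context. */
struct af_ops {
    int    (*setsockopt)(void *sk, int opt);
    int    (*getsockopt)(void *sk, int opt);
    void   (*addr2sockaddr)(void *sk, struct sockaddr_in6_model *out);
    size_t   sockaddr_len;
    int    (*bind_conflict)(void *sk, unsigned short port);
};

static int  m_setsockopt(void *sk, int opt) { (void)sk; (void)opt; return 0; }
static int  m_getsockopt(void *sk, int opt) { (void)sk; (void)opt; return 0; }
static void m_addr2sockaddr(void *sk, struct sockaddr_in6_model *out) {
    (void)sk; memset(out, 0, sizeof *out);
}
/* Constructed conflict rule for the model: port 8080 is already bound. */
static int  m_bind_conflict(void *sk, unsigned short port) { (void)sk; return port == 8080; }

/* Table as the hunk found it: bind_conflict is never assigned, so it is NULL. */
const struct af_ops mapped_before = {
    .setsockopt    = m_setsockopt,
    .getsockopt    = m_getsockopt,
    .addr2sockaddr = m_addr2sockaddr,
    .sockaddr_len  = sizeof(struct sockaddr_in6_model),
};

/* Table after the one-line fix. */
const struct af_ops mapped_after = {
    .setsockopt    = m_setsockopt,
    .getsockopt    = m_getsockopt,
    .addr2sockaddr = m_addr2sockaddr,
    .sockaddr_len  = sizeof(struct sockaddr_in6_model),
    .bind_conflict = m_bind_conflict,
};

/* Returns NULL when every required callback is set, otherwise the name of the
 * first missing one so a registration path can log it and refuse the table. */
const char *af_ops_missing(const struct af_ops *ops) {
    if (!ops->setsockopt)    return "setsockopt";
    if (!ops->getsockopt)    return "getsockopt";
    if (!ops->addr2sockaddr) return "addr2sockaddr";
    if (!ops->bind_conflict) return "bind_conflict";
    return NULL;
}

/* Model of the bind path: with mapped_before the callback is NULL, and an
 * unguarded call would be the crash the commit message describes. The guard
 * turns that into -EINVAL; the real fix is to complete the table. */
int model_inet6_bind(const struct af_ops *ops, void *sk, unsigned short port) {
    const char *missing = af_ops_missing(ops);
    if (missing) {
        fprintf(stderr, "refusing ops table: %s is NULL\n", missing);
        return -EINVAL;
    }
    return ops->bind_conflict(sk, port) ? -EADDRINUSE : 0;
}

int main(void) {
    printf("before fix: bind 80 -> %d\n", model_inet6_bind(&mapped_before, NULL, 80));
    printf("after fix:  bind 80 -> %d, bind 8080 -> %d\n",
           model_inet6_bind(&mapped_after, NULL, 80),
           model_inet6_bind(&mapped_after, NULL, 8080));
    return 0;
}
```

The point of `af_ops_missing()` is that a partially filled ops table is a latent NULL dereference waiting for the first caller of the unset slot; a fuzzer found this one, but the same gap is cheap to catch at registration time.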

[trusty/master-next 2/2] dccp: check sk for closed state in dccp_sendmsg()

Andy Whitcroft-3
From: Alexey Kodanev <[hidden email]>

dccp_disconnect() sets 'dp->dccps_hc_tx_ccid' tx handler to NULL,
therefore if DCCP socket is disconnected and dccp_sendmsg() is
called after it, it will cause a NULL pointer dereference in
dccp_write_xmit().

This crash and the reproducer were reported by syzbot. Looks like
it is reproduced if commit 69c64866ce07 ("dccp: CVE-2017-8824:
use-after-free in DCCP code") is applied.

Reported-by: [hidden email]
Signed-off-by: Alexey Kodanev <[hidden email]>
Signed-off-by: David S. Miller <[hidden email]>

(cherry picked from commit 67f93df79aeefc3add4e4b31a752600f834236e2)
CVE-2018-1130
Signed-off-by: Andy Whitcroft <[hidden email]>
---
 net/dccp/proto.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/net/dccp/proto.c b/net/dccp/proto.c
index 8cfe2255f5e2..100676ab69ba 100644
--- a/net/dccp/proto.c
+++ b/net/dccp/proto.c
@@ -785,6 +785,11 @@ int dccp_sendmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg,
  if (skb == NULL)
  goto out_release;
 
+ if (sk->sk_state == DCCP_CLOSED) {
+ rc = -ENOTCONN;
+ goto out_discard;
+ }
+
  skb_reserve(skb, sk->sk_prot->max_header);
  rc = memcpy_fromiovec(skb_put(skb, len), msg->msg_iov, len);
  if (rc != 0)
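Review bot: this is the same hunk as 1/1 of the v1 trusty series, now ordered after the bind_conflict fix; that ordering matters for bisection, because with 1/2 absent the reproducer crashes in inet6_bind() before it can reach the path this check guards (as Kleber reported for trusty), so please keep 1/2 ahead of 2/2 when applying. The commit message's "Looks like it is reproduced if commit 69c64866ce07 ... is applied" is also worth checking against trusty: confirm the CVE-2017-8824 fix is present there, since otherwise the closed-state path the reproducer takes may differ from upstream's, even though the added check is correct either way.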
--
2.17.0



ACK: [CVE A/T v2] CVE-2018-1130 -- dccp oops

Kleber Sacilotto de Souza
On 06/07/18 01:34, Andy Whitcroft wrote:

> CVE-2018-1130
>     It was discovered that a null pointer dereference vulnerability
>     existed in the DCCP protocol implementation in the Linux kernel. A
>     local attacker could use this to cause a denial of service (system
>     crash).
>
> Following this email are patch sets for artful and trusty, all patches
> are clean cherry-picks.  For trusty there is a second fix also tickled
> by the reproducer, the fix for this is already applied in artful.
>
> Proposing for SRU to artful/linux and trusty/linux.
>
> -apw
>

Acked-by: Kleber Sacilotto de Souza <[hidden email]>


ACK: [CVE A/T v2] CVE-2018-1130 -- dccp oops

Khaled Elmously
On 2018-06-07 09:34:33 , Andy Whitcroft wrote:

> CVE-2018-1130
>     It was discovered that a null pointer dereference vulnerability
>     existed in the DCCP protocol implementation in the Linux kernel. A
>     local attacker could use this to cause a denial of service (system
>     crash).
>
> Following this email are patch sets for artful and trusty, all patches
> are clean cherry-picks.  For trusty there is a second fix also tickled
> by the reproducer, the fix for this is already applied in artful.
>
> Proposing for SRU to artful/linux and trusty/linux.
>
Acked-by: Khalid Elmously <[hidden email]>



APPLIED: [CVE A/T v2] CVE-2018-1130 -- dccp oops

Khaled Elmously
Applied to Trusty and Artful


On 2018-06-07 09:34:33 , Andy Whitcroft wrote:

> CVE-2018-1130
>     It was discovered that a null pointer dereference vulnerability
>     existed in the DCCP protocol implementation in the Linux kernel. A
>     local attacker could use this to cause a denial of service (system
>     crash).
>
> Following this email are patch sets for artful and trusty, all patches
> are clean cherry-picks.  For trusty there is a second fix also tickled
> by the reproducer, the fix for this is already applied in artful.
>
> Proposing for SRU to artful/linux and trusty/linux.
>
> -apw
>
> --
> kernel-team mailing list
> [hidden email]
> https://lists.ubuntu.com/mailman/listinfo/kernel-team
