[CVE artful/linux trusty/linux CVE-2018-5803] SCTP DOS


[CVE artful/linux trusty/linux CVE-2018-5803] SCTP DOS

Andy Whitcroft-3
CVE-2018-5803:
        It was discovered that the SCTP Protocol implementation in
        the Linux kernel did not properly validate userspace provided
        payload lengths in some situations. A local attacker could
        use this to cause a denial of service (system crash).

Following this email are patches for artful/linux (a cherry-pick) and
trusty/linux (a backport).  Other series have received this fix via
upstream and stables.

Proposing for SRU to artful/linux and trusty/linux.

-apw

--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team

[artful/linux 1/1] sctp: verify size of a new chunk in _sctp_make_chunk()

Andy Whitcroft-3
From: Alexey Kodanev <[hidden email]>

When SCTP makes an INIT or INIT_ACK packet, the total chunk length
can exceed SCTP_MAX_CHUNK_LEN, which leads to a kernel panic when
transmitting these packets, e.g. the crash on sending INIT_ACK:

[  597.804948] skbuff: skb_over_panic: text:00000000ffae06e4 len:120168
               put:120156 head:000000007aa47635 data:00000000d991c2de
               tail:0x1d640 end:0xfec0 dev:<NULL>
...
[  597.976970] ------------[ cut here ]------------
[  598.033408] kernel BUG at net/core/skbuff.c:104!
[  600.314841] Call Trace:
[  600.345829]  <IRQ>
[  600.371639]  ? sctp_packet_transmit+0x2095/0x26d0 [sctp]
[  600.436934]  skb_put+0x16c/0x200
[  600.477295]  sctp_packet_transmit+0x2095/0x26d0 [sctp]
[  600.540630]  ? sctp_packet_config+0x890/0x890 [sctp]
[  600.601781]  ? __sctp_packet_append_chunk+0x3b4/0xd00 [sctp]
[  600.671356]  ? sctp_cmp_addr_exact+0x3f/0x90 [sctp]
[  600.731482]  sctp_outq_flush+0x663/0x30d0 [sctp]
[  600.788565]  ? sctp_make_init+0xbf0/0xbf0 [sctp]
[  600.845555]  ? sctp_check_transmitted+0x18f0/0x18f0 [sctp]
[  600.912945]  ? sctp_outq_tail+0x631/0x9d0 [sctp]
[  600.969936]  sctp_cmd_interpreter.isra.22+0x3be1/0x5cb0 [sctp]
[  601.041593]  ? sctp_sf_do_5_1B_init+0x85f/0xc30 [sctp]
[  601.104837]  ? sctp_generate_t1_cookie_event+0x20/0x20 [sctp]
[  601.175436]  ? sctp_eat_data+0x1710/0x1710 [sctp]
[  601.233575]  sctp_do_sm+0x182/0x560 [sctp]
[  601.284328]  ? sctp_has_association+0x70/0x70 [sctp]
[  601.345586]  ? sctp_rcv+0xef4/0x32f0 [sctp]
[  601.397478]  ? sctp6_rcv+0xa/0x20 [sctp]
...

Here the chunk size for the INIT_ACK packet becomes too big, mostly
because of the state cookie (the INIT packet has a large size with
many address parameters), plus additional server parameters.

Later this chunk causes the panic in skb_put_data():

  skb_packet_transmit()
      sctp_packet_pack()
          skb_put_data(nskb, chunk->skb->data, chunk->skb->len);

'nskb' (head skb) was previously allocated with packet->size
from u16 'chunk->chunk_hdr->length'.

As suggested by Marcelo, we should check the chunk's length in
_sctp_make_chunk() before trying to allocate an skb for it and
discard a chunk if its size is bigger than SCTP_MAX_CHUNK_LEN.

Signed-off-by: Alexey Kodanev <[hidden email]>
Acked-by: Marcelo Ricardo Leitner <[hidden email]>
Acked-by: Neil Horman <[hidden email]>
Signed-off-by: David S. Miller <[hidden email]>

(cherry picked from commit 07f2c7ab6f8d0a7e7c5764c4e6cc9c52951b9d9c)
CVE-2018-5803
Signed-off-by: Andy Whitcroft <[hidden email]>
---
 net/sctp/sm_make_chunk.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c
index 6110447fe51d..bc67575d3fb8 100644
--- a/net/sctp/sm_make_chunk.c
+++ b/net/sctp/sm_make_chunk.c
@@ -1382,9 +1382,14 @@ static struct sctp_chunk *_sctp_make_chunk(const struct sctp_association *asoc,
  struct sctp_chunkhdr *chunk_hdr;
  struct sk_buff *skb;
  struct sock *sk;
+ int chunklen;
+
+ chunklen = SCTP_PAD4(sizeof(*chunk_hdr) + paylen);
+ if (chunklen > SCTP_MAX_CHUNK_LEN)
+ goto nodata;
 
  /* No need to allocate LL here, as this is only a chunk. */
- skb = alloc_skb(SCTP_PAD4(sizeof(*chunk_hdr) + paylen), gfp);
+ skb = alloc_skb(chunklen, gfp);
  if (!skb)
  goto nodata;
 
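Review bot: the new bound routes an oversized chunk to the same `nodata` label as an allocation failure, so every caller of the chunk constructors sees a NULL return in both cases and cannot distinguish an over-length INIT/INIT_ACK from memory pressure; that is acceptable for a discard-only fix, but a one-line comment above `if (chunklen > SCTP_MAX_CHUNK_LEN)` saying that the u16 `chunk_hdr->length` field (which the transmit path later trusts for the head skb size) cannot represent more would spare the next reader a trip to the commit message. Also worth confirming, since the declaration of `paylen` is outside the hunk, that its type cannot make `sizeof(*chunk_hdr) + paylen` wrap before the comparison; the bound is only as good as the callers' computed payload sizes.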
--
2.17.0


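To make the size mismatch described in the commit message concrete, here is an added C model, not kernel code and not part of this patch, of the padded chunk length, the u16 header field the transmit path trusts when sizing the head skb, and the bound the fix adds in _sctp_make_chunk(). SCTP_MAX_CHUNK_LEN is assumed to be (1<<16) minus the chunk header size, as in the kernel's constants.h, and the payload sizes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the kernel's 4-byte chunk header with its u16 length. */
struct sctp_chunkhdr { uint8_t type; uint8_t flags; uint16_t length; };

#define SCTP_PAD4(s) (((s) + 3) & ~(size_t)3)
/* Assumed to match include/net/sctp/constants.h: largest chunk, header included. */
#define SCTP_MAX_CHUNK_LEN ((1UL << 16) - sizeof(struct sctp_chunkhdr))

/* Bytes the chunk really occupies once header and 4-byte padding are added. */
size_t chunk_len_padded(size_t paylen)
{
    return SCTP_PAD4(sizeof(struct sctp_chunkhdr) + paylen);
}

/* The same length after being stored in u16 chunk_hdr->length, the field that
 * packet->size, and so the head skb allocation, was derived from. */
uint16_t chunk_len_in_header(size_t paylen)
{
    return (uint16_t)chunk_len_padded(paylen);
}

/* Pre-fix failure mode: skb_put_data() copies chunk_len_padded() bytes into a
 * head skb sized from chunk_len_in_header(); truncation means skb_over_panic. */
int would_overrun_head_skb(size_t paylen)
{
    return chunk_len_padded(paylen) > chunk_len_in_header(paylen);
}

/* Post-fix _sctp_make_chunk() behaviour: the length to allocate, or 0 when the
 * chunk is discarded (the patch's "goto nodata" taken before alloc_skb()). */
size_t make_chunk_len_checked(size_t paylen)
{
    size_t chunklen = chunk_len_padded(paylen);
    return chunklen > SCTP_MAX_CHUNK_LEN ? 0 : chunklen;
}

int main(void)
{
    size_t sizes[] = { 100, 65528, 65529, 120152 }; /* constructed payload sizes */
    for (size_t i = 0; i < sizeof(sizes) / sizeof(sizes[0]); i++)
        printf("paylen=%zu padded=%zu in_header=%u overrun=%d after_fix=%zu\n",
               sizes[i], chunk_len_padded(sizes[i]), (unsigned)chunk_len_in_header(sizes[i]),
               would_overrun_head_skb(sizes[i]), make_chunk_len_checked(sizes[i]));
    return 0;
}
```

The 120152-byte payload pads to 120156 bytes but survives in the u16 header as 54620, which is exactly the shape of the overrun in the quoted panic; after the fix the same chunk is rejected before any skb is allocated.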

[trusty/linux 1/1] sctp: verify size of a new chunk in _sctp_make_chunk()

Andy Whitcroft-3
In reply to this post by Andy Whitcroft-3
From: Alexey Kodanev <[hidden email]>

When SCTP makes an INIT or INIT_ACK packet, the total chunk length
can exceed SCTP_MAX_CHUNK_LEN, which leads to a kernel panic when
transmitting these packets, e.g. the crash on sending INIT_ACK:

[  597.804948] skbuff: skb_over_panic: text:00000000ffae06e4 len:120168
               put:120156 head:000000007aa47635 data:00000000d991c2de
               tail:0x1d640 end:0xfec0 dev:<NULL>
...
[  597.976970] ------------[ cut here ]------------
[  598.033408] kernel BUG at net/core/skbuff.c:104!
[  600.314841] Call Trace:
[  600.345829]  <IRQ>
[  600.371639]  ? sctp_packet_transmit+0x2095/0x26d0 [sctp]
[  600.436934]  skb_put+0x16c/0x200
[  600.477295]  sctp_packet_transmit+0x2095/0x26d0 [sctp]
[  600.540630]  ? sctp_packet_config+0x890/0x890 [sctp]
[  600.601781]  ? __sctp_packet_append_chunk+0x3b4/0xd00 [sctp]
[  600.671356]  ? sctp_cmp_addr_exact+0x3f/0x90 [sctp]
[  600.731482]  sctp_outq_flush+0x663/0x30d0 [sctp]
[  600.788565]  ? sctp_make_init+0xbf0/0xbf0 [sctp]
[  600.845555]  ? sctp_check_transmitted+0x18f0/0x18f0 [sctp]
[  600.912945]  ? sctp_outq_tail+0x631/0x9d0 [sctp]
[  600.969936]  sctp_cmd_interpreter.isra.22+0x3be1/0x5cb0 [sctp]
[  601.041593]  ? sctp_sf_do_5_1B_init+0x85f/0xc30 [sctp]
[  601.104837]  ? sctp_generate_t1_cookie_event+0x20/0x20 [sctp]
[  601.175436]  ? sctp_eat_data+0x1710/0x1710 [sctp]
[  601.233575]  sctp_do_sm+0x182/0x560 [sctp]
[  601.284328]  ? sctp_has_association+0x70/0x70 [sctp]
[  601.345586]  ? sctp_rcv+0xef4/0x32f0 [sctp]
[  601.397478]  ? sctp6_rcv+0xa/0x20 [sctp]
...

Here the chunk size for the INIT_ACK packet becomes too big, mostly
because of the state cookie (the INIT packet has a large size with
many address parameters), plus additional server parameters.

Later this chunk causes the panic in skb_put_data():

  skb_packet_transmit()
      sctp_packet_pack()
          skb_put_data(nskb, chunk->skb->data, chunk->skb->len);

'nskb' (head skb) was previously allocated with packet->size
from u16 'chunk->chunk_hdr->length'.

As suggested by Marcelo, we should check the chunk's length in
_sctp_make_chunk() before trying to allocate an skb for it and
discard a chunk if its size is bigger than SCTP_MAX_CHUNK_LEN.

Signed-off-by: Alexey Kodanev <[hidden email]>
Acked-by: Marcelo Ricardo Leitner <[hidden email]>
Acked-by: Neil Horman <[hidden email]>
Signed-off-by: David S. Miller <[hidden email]>

(backported from commit 07f2c7ab6f8d0a7e7c5764c4e6cc9c52951b9d9c)
CVE-2018-5803
Signed-off-by: Andy Whitcroft <[hidden email]>
---
 net/sctp/sm_make_chunk.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c
index 5c9f4ab0b831..56be19e0a357 100644
--- a/net/sctp/sm_make_chunk.c
+++ b/net/sctp/sm_make_chunk.c
@@ -1366,10 +1366,14 @@ static struct sctp_chunk *_sctp_make_chunk(const struct sctp_association *asoc,
  sctp_chunkhdr_t *chunk_hdr;
  struct sk_buff *skb;
  struct sock *sk;
+ int chunklen;
+
+ chunklen = WORD_ROUND(sizeof(*chunk_hdr) + paylen);
+ if (chunklen > SCTP_MAX_CHUNK_LEN)
+ goto nodata;
 
  /* No need to allocate LL here, as this is only a chunk. */
- skb = alloc_skb(WORD_ROUND(sizeof(sctp_chunkhdr_t) + paylen),
- GFP_ATOMIC);
+ skb = alloc_skb(chunklen, GFP_ATOMIC);
  if (!skb)
  goto nodata;
 
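Review bot: the backport keeps the upstream logic but silently renames two symbols (`WORD_ROUND` for `SCTP_PAD4`, `sctp_chunkhdr_t` for `struct sctp_chunkhdr`) and also changes the allocation size expression from `sizeof(sctp_chunkhdr_t)` to `sizeof(*chunk_hdr)`; these are the same type given the `sctp_chunkhdr_t *chunk_hdr;` declaration at the top of the hunk, so the check and the allocation stay consistent, but the "(backported from commit ...)" line should list the substitutions so the next reviewer does not have to diff against upstream to see why the hunk differs. Retaining `GFP_ATOMIC` in place of upstream's `gfp` parameter is correct for this tree, since the function has no such parameter here.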
--
2.17.0



ACK: [CVE artful/linux trusty/linux CVE-2018-5803] SCTP DOS

Stefan Bader-2
In reply to this post by Andy Whitcroft-3
On 04.06.2018 05:24, Andy Whitcroft wrote:

> CVE-2018-5803:
> It was discovered that the SCTP Protocol implementation in
> the Linux kernel did not properly validate userspace provided
> payload lengths in some situations. A local attacker could
> use this to cause a denial of service (system crash).
>
> Following this email are patches for artful/linux (a cherry-pick) and
> trusty/linux (a backport).  Other series have received this fix via
> upstream and stables.
>
> Proposing for SRU to artful/linux and trusty/linux.
>
> -apw
>
Acked-by: Stefan Bader <[hidden email]>




ACK: [CVE artful/linux trusty/linux CVE-2018-5803] SCTP DOS

Kleber Souza
In reply to this post by Andy Whitcroft-3
On 06/04/18 05:24, Andy Whitcroft wrote:

> CVE-2018-5803:
> It was discovered that the SCTP Protocol implementation in
> the Linux kernel did not properly validate userspace provided
> payload lengths in some situations. A local attacker could
> use this to cause a denial of service (system crash).
>
> Following this email are patches for artful/linux (a cherry-pick) and
> trusty/linux (a backport).  Other series have received this fix via
> upstream and stables.
>
> Proposing for SRU to artful/linux and trusty/linux.
>
> -apw
>

Acked-by: Kleber Sacilotto de Souza <[hidden email]>


APPLIED: [CVE artful/linux trusty/linux CVE-2018-5803] SCTP DOS

Khalid Elmously
In reply to this post by Andy Whitcroft-3
Applied to trusty and artful


On 2018-06-04 13:24:38 , Andy Whitcroft wrote:

> CVE-2018-5803:
> It was discovered that the SCTP Protocol implementation in
> the Linux kernel did not properly validate userspace provided
> payload lengths in some situations. A local attacker could
> use this to cause a denial of service (system crash).
>
> Following this email are patches for artful/linux (a cherry-pick) and
> trusty/linux (a backport).  Other series have received this fix via
> upstream and stables.
>
> Proposing for SRU to artful/linux and trusty/linux.
>
> -apw
>
> --
> kernel-team mailing list
> [hidden email]
> https://lists.ubuntu.com/mailman/listinfo/kernel-team
