Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <4BD8DC25.4080800@kernel.sg>
Date: Thu, 29 Apr 2010 09:08:53 +0800
From: Eugene Teo <eugeneteo@...nel.sg>
To: oss-security@...ts.openwall.com
CC: coley@...us.mitre.org
Subject: CVE-2010-1173 kernel: skb_over_panic resulting from multiple invalid
 parameter errors

https://bugzilla.redhat.com/CVE-2010-1173
http://article.gmane.org/gmane.linux.network/159531

Reported by Chris Guo from Nokia China via Red Hat Support. A similar 
issue was reported by Jukka Taimisto and Olli Jarva from Codenomicon Ltd 
via CERT-FI. This was also reported by Windriver on behalf of their 
customer via vendor-sec.

Kernel crash occurs if sctp listening port receives malformatted init 
package.

Its an skb_over_panic BUG halt that results from processing an init 
chunk in which too many of its variable length parameters are in some 
way malformed.

The problem is in sctp_process_unk_param:
if (NULL == *errp)
  *errp = sctp_make_op_error_space(asoc, chunk,
       ntohs(chunk->chunk_hdr->length));

  if (*errp) {
   sctp_init_cause(*errp, SCTP_ERROR_UNKNOWN_PARAM,
      WORD_ROUND(ntohs(param.p->length)));
   sctp_addto_chunk(*errp,
    WORD_ROUND(ntohs(param.p->length)),
       param.v);

When we allocate an error chunk, we assume that the worst case scenario
requires that we have chunk_hdr->length data allocated, which would be 
correct nominally, given that we call sctp_addto_chunk for the violating 
parameter. Unfortunately, we also, in sctp_init_cause insert a 
sctp_errhdr_t structure into the error chunk, so the worst case 
situation in which all parameters are in violation requires 
chunk_hdr->length+(sizeof(sctp_errhdr_t)*param_count) bytes of data.

This fix solves the problem by allowing our implementation to only 
report a fixed number of errors.  When we encounter an error in 
parameter processing we allocate a chunk that is min(asoc->pathmtu, 
SCTP_DEFAULT_MAXSEGMENT), limiting our error reporting to a single mtu 
sized chunk.  Parameter errors that grow beyond that value are discarded.

Thanks, Eugene

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.