diff options
author | Neil Horman <nhorman@tuxdriver.com> | 2010-04-28 06:30:59 -0400 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2010-04-28 17:22:01 -0400 |
commit | 5fa782c2f5ef6c2e4f04d3e228412c9b4a4c8809 (patch) | |
tree | 38442b86f3c1b57dd9c660d7c551334e110f6d43 /net | |
parent | e41c11ee0cc602bcde68916be85fb97d1a484324 (diff) |
sctp: Fix skb_over_panic resulting from multiple invalid parameter errors (CVE-2010-1173) (v4)
Ok, version 4
Change Notes:
1) Minor cleanups, from Vlads notes
Summary:
Hey-
Recently, it was reported to me that the kernel could oops in the
following way:
<5> kernel BUG at net/core/skbuff.c:91!
<5> invalid operand: 0000 [#1]
<5> Modules linked in: sctp netconsole nls_utf8 autofs4 sunrpc iptable_filter
ip_tables cpufreq_powersave parport_pc lp parport vmblock(U) vsock(U) vmci(U)
vmxnet(U) vmmemctl(U) vmhgfs(U) acpiphp dm_mirror dm_mod button battery ac md5
ipv6 uhci_hcd ehci_hcd snd_ens1371 snd_rawmidi snd_seq_device snd_pcm_oss
snd_mixer_oss snd_pcm snd_timer snd_page_alloc snd_ac97_codec snd soundcore
pcnet32 mii floppy ext3 jbd ata_piix libata mptscsih mptsas mptspi mptscsi
mptbase sd_mod scsi_mod
<5> CPU: 0
<5> EIP: 0060:[<c02bff27>] Not tainted VLI
<5> EFLAGS: 00010216 (2.6.9-89.0.25.EL)
<5> EIP is at skb_over_panic+0x1f/0x2d
<5> eax: 0000002c ebx: c033f461 ecx: c0357d96 edx: c040fd44
<5> esi: c033f461 edi: df653280 ebp: 00000000 esp: c040fd40
<5> ds: 007b es: 007b ss: 0068
<5> Process swapper (pid: 0, threadinfo=c040f000 task=c0370be0)
<5> Stack: c0357d96 e0c29478 00000084 00000004 c033f461 df653280 d7883180
e0c2947d
<5> 00000000 00000080 df653490 00000004 de4f1ac0 de4f1ac0 00000004
df653490
<5> 00000001 e0c2877a 08000800 de4f1ac0 df653490 00000000 e0c29d2e
00000004
<5> Call Trace:
<5> [<e0c29478>] sctp_addto_chunk+0xb0/0x128 [sctp]
<5> [<e0c2947d>] sctp_addto_chunk+0xb5/0x128 [sctp]
<5> [<e0c2877a>] sctp_init_cause+0x3f/0x47 [sctp]
<5> [<e0c29d2e>] sctp_process_unk_param+0xac/0xb8 [sctp]
<5> [<e0c29e90>] sctp_verify_init+0xcc/0x134 [sctp]
<5> [<e0c20322>] sctp_sf_do_5_1B_init+0x83/0x28e [sctp]
<5> [<e0c25333>] sctp_do_sm+0x41/0x77 [sctp]
<5> [<c01555a4>] cache_grow+0x140/0x233
<5> [<e0c26ba1>] sctp_endpoint_bh_rcv+0xc5/0x108 [sctp]
<5> [<e0c2b863>] sctp_inq_push+0xe/0x10 [sctp]
<5> [<e0c34600>] sctp_rcv+0x454/0x509 [sctp]
<5> [<e084e017>] ipt_hook+0x17/0x1c [iptable_filter]
<5> [<c02d005e>] nf_iterate+0x40/0x81
<5> [<c02e0bb9>] ip_local_deliver_finish+0x0/0x151
<5> [<c02e0c7f>] ip_local_deliver_finish+0xc6/0x151
<5> [<c02d0362>] nf_hook_slow+0x83/0xb5
<5> [<c02e0bb2>] ip_local_deliver+0x1a2/0x1a9
<5> [<c02e0bb9>] ip_local_deliver_finish+0x0/0x151
<5> [<c02e103e>] ip_rcv+0x334/0x3b4
<5> [<c02c66fd>] netif_receive_skb+0x320/0x35b
<5> [<e0a0928b>] init_stall_timer+0x67/0x6a [uhci_hcd]
<5> [<c02c67a4>] process_backlog+0x6c/0xd9
<5> [<c02c690f>] net_rx_action+0xfe/0x1f8
<5> [<c012a7b1>] __do_softirq+0x35/0x79
<5> [<c0107efb>] handle_IRQ_event+0x0/0x4f
<5> [<c01094de>] do_softirq+0x46/0x4d
Its an skb_over_panic BUG halt that results from processing an init chunk in
which too many of its variable length parameters are in some way malformed.
The problem is in sctp_process_unk_param:
if (NULL == *errp)
*errp = sctp_make_op_error_space(asoc, chunk,
ntohs(chunk->chunk_hdr->length));
if (*errp) {
sctp_init_cause(*errp, SCTP_ERROR_UNKNOWN_PARAM,
WORD_ROUND(ntohs(param.p->length)));
sctp_addto_chunk(*errp,
WORD_ROUND(ntohs(param.p->length)),
param.v);
When we allocate an error chunk, we assume that the worst case scenario requires
that we have chunk_hdr->length data allocated, which would be correct nominally,
given that we call sctp_addto_chunk for the violating parameter. Unfortunately,
we also, in sctp_init_cause insert a sctp_errhdr_t structure into the error
chunk, so the worst case situation in which all parameters are in violation
requires chunk_hdr->length+(sizeof(sctp_errhdr_t)*param_count) bytes of data.
The result of this error is that a deliberately malformed packet sent to a
listening host can cause a remote DOS, described in CVE-2010-1173:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-1173
I've tested the below fix and confirmed that it fixes the issue. We move to a
strategy whereby we allocate a fixed size error chunk and ignore errors we don't
have space to report. Tested by me successfully
Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
Acked-by: Vlad Yasevich <vladislav.yasevich@hp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net')
-rw-r--r-- | net/sctp/sm_make_chunk.c | 62 |
1 files changed, 57 insertions, 5 deletions
diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c index 0fd5b4c88358..30c1767186b8 100644 --- a/net/sctp/sm_make_chunk.c +++ b/net/sctp/sm_make_chunk.c | |||
@@ -108,7 +108,7 @@ static const struct sctp_paramhdr prsctp_param = { | |||
108 | cpu_to_be16(sizeof(struct sctp_paramhdr)), | 108 | cpu_to_be16(sizeof(struct sctp_paramhdr)), |
109 | }; | 109 | }; |
110 | 110 | ||
111 | /* A helper to initialize to initialize an op error inside a | 111 | /* A helper to initialize an op error inside a |
112 | * provided chunk, as most cause codes will be embedded inside an | 112 | * provided chunk, as most cause codes will be embedded inside an |
113 | * abort chunk. | 113 | * abort chunk. |
114 | */ | 114 | */ |
@@ -125,6 +125,29 @@ void sctp_init_cause(struct sctp_chunk *chunk, __be16 cause_code, | |||
125 | chunk->subh.err_hdr = sctp_addto_chunk(chunk, sizeof(sctp_errhdr_t), &err); | 125 | chunk->subh.err_hdr = sctp_addto_chunk(chunk, sizeof(sctp_errhdr_t), &err); |
126 | } | 126 | } |
127 | 127 | ||
128 | /* A helper to initialize an op error inside a | ||
129 | * provided chunk, as most cause codes will be embedded inside an | ||
130 | * abort chunk. Differs from sctp_init_cause in that it won't oops | ||
131 | * if there isn't enough space in the op error chunk | ||
132 | */ | ||
133 | int sctp_init_cause_fixed(struct sctp_chunk *chunk, __be16 cause_code, | ||
134 | size_t paylen) | ||
135 | { | ||
136 | sctp_errhdr_t err; | ||
137 | __u16 len; | ||
138 | |||
139 | /* Cause code constants are now defined in network order. */ | ||
140 | err.cause = cause_code; | ||
141 | len = sizeof(sctp_errhdr_t) + paylen; | ||
142 | err.length = htons(len); | ||
143 | |||
144 | if (skb_tailroom(chunk->skb) > len) | ||
145 | return -ENOSPC; | ||
146 | chunk->subh.err_hdr = sctp_addto_chunk_fixed(chunk, | ||
147 | sizeof(sctp_errhdr_t), | ||
148 | &err); | ||
149 | return 0; | ||
150 | } | ||
128 | /* 3.3.2 Initiation (INIT) (1) | 151 | /* 3.3.2 Initiation (INIT) (1) |
129 | * | 152 | * |
130 | * This chunk is used to initiate a SCTP association between two | 153 | * This chunk is used to initiate a SCTP association between two |
@@ -1132,6 +1155,24 @@ nodata: | |||
1132 | return retval; | 1155 | return retval; |
1133 | } | 1156 | } |
1134 | 1157 | ||
1158 | /* Create an Operation Error chunk of a fixed size, | ||
1159 | * specifically, max(asoc->pathmtu, SCTP_DEFAULT_MAXSEGMENT) | ||
1160 | * This is a helper function to allocate an error chunk for | ||
1161 | * for those invalid parameter codes in which we may not want | ||
1162 | * to report all the errors, if the incomming chunk is large | ||
1163 | */ | ||
1164 | static inline struct sctp_chunk *sctp_make_op_error_fixed( | ||
1165 | const struct sctp_association *asoc, | ||
1166 | const struct sctp_chunk *chunk) | ||
1167 | { | ||
1168 | size_t size = asoc ? asoc->pathmtu : 0; | ||
1169 | |||
1170 | if (!size) | ||
1171 | size = SCTP_DEFAULT_MAXSEGMENT; | ||
1172 | |||
1173 | return sctp_make_op_error_space(asoc, chunk, size); | ||
1174 | } | ||
1175 | |||
1135 | /* Create an Operation Error chunk. */ | 1176 | /* Create an Operation Error chunk. */ |
1136 | struct sctp_chunk *sctp_make_op_error(const struct sctp_association *asoc, | 1177 | struct sctp_chunk *sctp_make_op_error(const struct sctp_association *asoc, |
1137 | const struct sctp_chunk *chunk, | 1178 | const struct sctp_chunk *chunk, |
@@ -1374,6 +1415,18 @@ void *sctp_addto_chunk(struct sctp_chunk *chunk, int len, const void *data) | |||
1374 | return target; | 1415 | return target; |
1375 | } | 1416 | } |
1376 | 1417 | ||
1418 | /* Append bytes to the end of a chunk. Returns NULL if there isn't sufficient | ||
1419 | * space in the chunk | ||
1420 | */ | ||
1421 | void *sctp_addto_chunk_fixed(struct sctp_chunk *chunk, | ||
1422 | int len, const void *data) | ||
1423 | { | ||
1424 | if (skb_tailroom(chunk->skb) > len) | ||
1425 | return sctp_addto_chunk(chunk, len, data); | ||
1426 | else | ||
1427 | return NULL; | ||
1428 | } | ||
1429 | |||
1377 | /* Append bytes from user space to the end of a chunk. Will panic if | 1430 | /* Append bytes from user space to the end of a chunk. Will panic if |
1378 | * chunk is not big enough. | 1431 | * chunk is not big enough. |
1379 | * Returns a kernel err value. | 1432 | * Returns a kernel err value. |
@@ -1977,13 +2030,12 @@ static sctp_ierror_t sctp_process_unk_param(const struct sctp_association *asoc, | |||
1977 | * returning multiple unknown parameters. | 2030 | * returning multiple unknown parameters. |
1978 | */ | 2031 | */ |
1979 | if (NULL == *errp) | 2032 | if (NULL == *errp) |
1980 | *errp = sctp_make_op_error_space(asoc, chunk, | 2033 | *errp = sctp_make_op_error_fixed(asoc, chunk); |
1981 | ntohs(chunk->chunk_hdr->length)); | ||
1982 | 2034 | ||
1983 | if (*errp) { | 2035 | if (*errp) { |
1984 | sctp_init_cause(*errp, SCTP_ERROR_UNKNOWN_PARAM, | 2036 | sctp_init_cause_fixed(*errp, SCTP_ERROR_UNKNOWN_PARAM, |
1985 | WORD_ROUND(ntohs(param.p->length))); | 2037 | WORD_ROUND(ntohs(param.p->length))); |
1986 | sctp_addto_chunk(*errp, | 2038 | sctp_addto_chunk_fixed(*errp, |
1987 | WORD_ROUND(ntohs(param.p->length)), | 2039 | WORD_ROUND(ntohs(param.p->length)), |
1988 | param.v); | 2040 | param.v); |
1989 | } else { | 2041 | } else { |