[kernel/f19] CVE-2014-7841 sctp: NULL ptr deref on malformed packet (rhbz 1163087 1163095)

Josh Boyer jwboyer at fedoraproject.org
Wed Nov 12 14:29:13 UTC 2014 

commit d925852d560bed392c5fb611a0cb307334aec925
Author: Josh Boyer <jwboyer at fedoraproject.org>
Date:   Wed Nov 12 09:24:30 2014 -0500

    CVE-2014-7841 sctp: NULL ptr deref on malformed packet (rhbz 1163087 1163095)

 kernel.spec                                        |    9 +++
 ...x-NULL-pointer-dereference-in-af-from_add.patch |   77 ++++++++++++++++++++
 2 files changed, 86 insertions(+), 0 deletions(-)
---
diff --git a/kernel.spec b/kernel.spec
index 0686abe..291d56d 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -785,6 +785,9 @@ Patch26082: kvm-fix-excessive-pages-un-pinning-in-kvm_iommu_map-.patch
 # CVE-2014-7826 CVE-2014-7825 rhbz 1161565 1161572
 Patch26085: tracing-syscalls-Ignore-numbers-outside-NR_syscalls-.patch
 
+#CVE-2014-7841 rhbz 1163087 1163095
+Patch26067: net-sctp-fix-NULL-pointer-dereference-in-af-from_add.patch
+
 # END OF PATCH DEFINITIONS
 
 %endif
@@ -1512,6 +1515,9 @@ ApplyPatch kvm-fix-excessive-pages-un-pinning-in-kvm_iommu_map-.patch
 # CVE-2014-7826 CVE-2014-7825 rhbz 1161565 1161572
 ApplyPatch tracing-syscalls-Ignore-numbers-outside-NR_syscalls-.patch
 
+#CVE-2014-7841 rhbz 1163087 1163095
+ApplyPatch net-sctp-fix-NULL-pointer-dereference-in-af-from_add.patch
+
 # END OF PATCH APPLICATIONS
 
 %endif
@@ -2324,6 +2330,9 @@ fi
 # and build.
 
 %changelog
+* Wed Nov 12 2014 Josh Boyer <jwboyer at fedoraproject.org>
+- CVE-2014-7841 sctp: NULL ptr deref on malformed packet (rhbz 1163087 1163095)
+
 * Fri Nov 07 2014 Josh Boyer <jwboyer at fedoraproject.org>
 - CVE-2014-7826 CVE-2014-7825 insufficient syscall number validation in perf and ftrace subsystems (rhbz 1161565 1161572)
 
diff --git a/net-sctp-fix-NULL-pointer-dereference-in-af-from_add.patch b/net-sctp-fix-NULL-pointer-dereference-in-af-from_add.patch
new file mode 100644
index 0000000..34dae53
--- /dev/null
+++ b/net-sctp-fix-NULL-pointer-dereference-in-af-from_add.patch
@@ -0,0 +1,77 @@
+From: Daniel Borkmann <dborkman at redhat.com>
+Date: Mon, 10 Nov 2014 17:54:26 +0100
+Subject: [PATCH] net: sctp: fix NULL pointer dereference in
+ af->from_addr_param on malformed packet
+
+An SCTP server doing ASCONF will panic on malformed INIT ping-of-death
+in the form of:
+
+  ------------ INIT[PARAM: SET_PRIMARY_IP] ------------>
+
+While the INIT chunk parameter verification dissects through many things
+in order to detect malformed input, it misses to actually check parameters
+inside of parameters. E.g. RFC5061, section 4.2.4 proposes a 'set primary
+IP address' parameter in ASCONF, which has as a subparameter an address
+parameter.
+
+So an attacker may send a parameter type other than SCTP_PARAM_IPV4_ADDRESS
+or SCTP_PARAM_IPV6_ADDRESS, param_type2af() will subsequently return 0
+and thus sctp_get_af_specific() returns NULL, too, which we then happily
+dereference unconditionally through af->from_addr_param().
+
+The trace for the log:
+
+BUG: unable to handle kernel NULL pointer dereference at 0000000000000078
+IP: [<ffffffffa01e9c62>] sctp_process_init+0x492/0x990 [sctp]
+PGD 0
+Oops: 0000 [#1] SMP
+[...]
+Pid: 0, comm: swapper Not tainted 2.6.32-504.el6.x86_64 #1 Bochs Bochs
+RIP: 0010:[<ffffffffa01e9c62>]  [<ffffffffa01e9c62>] sctp_process_init+0x492/0x990 [sctp]
+[...]
+Call Trace:
+ <IRQ>
+ [<ffffffffa01f2add>] ? sctp_bind_addr_copy+0x5d/0xe0 [sctp]
+ [<ffffffffa01e1fcb>] sctp_sf_do_5_1B_init+0x21b/0x340 [sctp]
+ [<ffffffffa01e3751>] sctp_do_sm+0x71/0x1210 [sctp]
+ [<ffffffffa01e5c09>] ? sctp_endpoint_lookup_assoc+0xc9/0xf0 [sctp]
+ [<ffffffffa01e61f6>] sctp_endpoint_bh_rcv+0x116/0x230 [sctp]
+ [<ffffffffa01ee986>] sctp_inq_push+0x56/0x80 [sctp]
+ [<ffffffffa01fcc42>] sctp_rcv+0x982/0xa10 [sctp]
+ [<ffffffffa01d5123>] ? ipt_local_in_hook+0x23/0x28 [iptable_filter]
+ [<ffffffff8148bdc9>] ? nf_iterate+0x69/0xb0
+ [<ffffffff81496d10>] ? ip_local_deliver_finish+0x0/0x2d0
+ [<ffffffff8148bf86>] ? nf_hook_slow+0x76/0x120
+ [<ffffffff81496d10>] ? ip_local_deliver_finish+0x0/0x2d0
+[...]
+
+A minimal way to address this is to check for NULL as we do on all
+other such occasions where we know sctp_get_af_specific() could
+possibly return with NULL.
+
+Fixes: d6de3097592b ("[SCTP]: Add the handling of "Set Primary IP Address" parameter to INIT")
+Signed-off-by: Daniel Borkmann <dborkman at redhat.com>
+Cc: Vlad Yasevich <vyasevich at gmail.com>
+Acked-by: Neil Horman <nhorman at tuxdriver.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+ net/sctp/sm_make_chunk.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c
+index ab734be8cb20..9f32741abb1c 100644
+--- a/net/sctp/sm_make_chunk.c
++++ b/net/sctp/sm_make_chunk.c
+@@ -2609,6 +2609,9 @@ do_addr_param:
+ 		addr_param = param.v + sizeof(sctp_addip_param_t);
+ 
+ 		af = sctp_get_af_specific(param_type2af(param.p->type));
++		if (af == NULL)
++			break;
++
+ 		af->from_addr_param(&addr, addr_param,
+ 				    htons(asoc->peer.port), 0);
+ 
+-- 
+1.9.3
+

More information about the scm-commits mailing list