[Acked] [Lucid][Precise][CVE-2014-7841] net: sctp: fix NULL pointer dereference in af->from_addr_param on malformed packet

Andy Whitcroft apw at canonical.com
Mon Nov 24 12:50:38 UTC 2014 

On Mon, Nov 24, 2014 at 12:16:01PM +0000, Luis Henriques wrote:
> From: Daniel Borkmann <dborkman at redhat.com>
> 
> An SCTP server doing ASCONF will panic on malformed INIT ping-of-death
> in the form of:
> 
>   ------------ INIT[PARAM: SET_PRIMARY_IP] ------------>
> 
> While the INIT chunk parameter verification dissects through many things
> in order to detect malformed input, it misses to actually check parameters
> inside of parameters. E.g. RFC5061, section 4.2.4 proposes a 'set primary
> IP address' parameter in ASCONF, which has as a subparameter an address
> parameter.
> 
> So an attacker may send a parameter type other than SCTP_PARAM_IPV4_ADDRESS
> or SCTP_PARAM_IPV6_ADDRESS, param_type2af() will subsequently return 0
> and thus sctp_get_af_specific() returns NULL, too, which we then happily
> dereference unconditionally through af->from_addr_param().
> 
> The trace for the log:
> 
> BUG: unable to handle kernel NULL pointer dereference at 0000000000000078
> IP: [<ffffffffa01e9c62>] sctp_process_init+0x492/0x990 [sctp]
> PGD 0
> Oops: 0000 [#1] SMP
> [...]
> Pid: 0, comm: swapper Not tainted 2.6.32-504.el6.x86_64 #1 Bochs Bochs
> RIP: 0010:[<ffffffffa01e9c62>]  [<ffffffffa01e9c62>] sctp_process_init+0x492/0x990 [sctp]
> [...]
> Call Trace:
>  <IRQ>
>  [<ffffffffa01f2add>] ? sctp_bind_addr_copy+0x5d/0xe0 [sctp]
>  [<ffffffffa01e1fcb>] sctp_sf_do_5_1B_init+0x21b/0x340 [sctp]
>  [<ffffffffa01e3751>] sctp_do_sm+0x71/0x1210 [sctp]
>  [<ffffffffa01e5c09>] ? sctp_endpoint_lookup_assoc+0xc9/0xf0 [sctp]
>  [<ffffffffa01e61f6>] sctp_endpoint_bh_rcv+0x116/0x230 [sctp]
>  [<ffffffffa01ee986>] sctp_inq_push+0x56/0x80 [sctp]
>  [<ffffffffa01fcc42>] sctp_rcv+0x982/0xa10 [sctp]
>  [<ffffffffa01d5123>] ? ipt_local_in_hook+0x23/0x28 [iptable_filter]
>  [<ffffffff8148bdc9>] ? nf_iterate+0x69/0xb0
>  [<ffffffff81496d10>] ? ip_local_deliver_finish+0x0/0x2d0
>  [<ffffffff8148bf86>] ? nf_hook_slow+0x76/0x120
>  [<ffffffff81496d10>] ? ip_local_deliver_finish+0x0/0x2d0
> [...]
> 
> A minimal way to address this is to check for NULL as we do on all
> other such occasions where we know sctp_get_af_specific() could
> possibly return with NULL.
> 
> Fixes: d6de3097592b ("[SCTP]: Add the handling of "Set Primary IP Address" parameter to INIT")
> Signed-off-by: Daniel Borkmann <dborkman at redhat.com>
> Cc: Vlad Yasevich <vyasevich at gmail.com>
> Acked-by: Neil Horman <nhorman at tuxdriver.com>
> Signed-off-by: David S. Miller <davem at davemloft.net>
> (cherry picked from commit e40607cbe270a9e8360907cb1e62ddf0736e4864)
> CVE-2014-7841
> BugLink: http://bugs.launchpad.net/bugs/1392820
> Signed-off-by: Luis Henriques <luis.henriques at canonical.com>
> ---
>  net/sctp/sm_make_chunk.c | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c
> index 5f2dc3f6cf92..9de3592d0a56 100644
> --- a/net/sctp/sm_make_chunk.c
> +++ b/net/sctp/sm_make_chunk.c
> @@ -2544,6 +2544,9 @@ do_addr_param:
>  		addr_param = param.v + sizeof(sctp_addip_param_t);
>  
>  		af = sctp_get_af_specific(param_type2af(param.p->type));
> +		if (af == NULL)
> +			break;
> +
>  		af->from_addr_param(&addr, addr_param,
>  				    htons(asoc->peer.port), 0);
>  

Looks to do what is claimed, simple, self-contained, cherry-pick,
therefore:

Acked-by: Andy Whitcroft <apw at canonical.com>

-apw

More information about the kernel-team mailing list