From: Sona Sarmadi Date: Tue, 27 Jan 2015 13:04:11 +0000 (+0100) Subject: sctp: CVE-2014-7841 X-Git-Tag: 2.1~534^2~17 X-Git-Url: https://code.ossystems.io/gitweb?a=commitdiff_plain;h=d2c2e06bf9b990b4e330ce83ce5cf3b88c8b46a1;p=meta-freescale.git sctp: CVE-2014-7841 NULL pointer dereference in af->from_addr_param on malformed packet Reference: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7841 Signed-off-by: Sona Sarmadi --- diff --git a/meta-fsl-ppc/recipes-kernel/linux/files/sctp-CVE-2014-7841.patch b/meta-fsl-ppc/recipes-kernel/linux/files/sctp-CVE-2014-7841.patch new file mode 100644 index 00000000..0c4beb31 --- /dev/null +++ b/meta-fsl-ppc/recipes-kernel/linux/files/sctp-CVE-2014-7841.patch 
@@ -0,0 +1,85 @@ +From 4008f1dbe6fea8114e7f79ed2d238e369dc9138f Mon Sep 17 00:00:00 2001 +From: Daniel Borkmann +Date: Mon, 10 Nov 2014 17:54:26 +0100 +Subject: [PATCH] net: sctp: fix NULL pointer dereference in + af->from_addr_param on malformed packet + +[ Upstream commit e40607cbe270a9e8360907cb1e62ddf0736e4864 ] + +An SCTP server doing ASCONF will panic on malformed INIT ping-of-death +in the form of: + + ------------ INIT[PARAM: SET_PRIMARY_IP] ------------> + +While the INIT chunk parameter verification dissects through many things +in order to detect malformed input, it misses to actually check parameters +inside of parameters. E.g. RFC5061, section 4.2.4 proposes a 'set primary +IP address' parameter in ASCONF, which has as a subparameter an address +parameter. + +So an attacker may send a parameter type other than SCTP_PARAM_IPV4_ADDRESS +or SCTP_PARAM_IPV6_ADDRESS, param_type2af() will subsequently return 0 +and thus sctp_get_af_specific() returns NULL, too, which we then happily +dereference unconditionally through af->from_addr_param(). + +The trace for the log: + +BUG: unable to handle kernel NULL pointer dereference at 0000000000000078 +IP: [] sctp_process_init+0x492/0x990 [sctp] +PGD 0 +Oops: 0000 [#1] SMP +[...] +Pid: 0, comm: swapper Not tainted 2.6.32-504.el6.x86_64 #1 Bochs Bochs +RIP: 0010:[] [] sctp_process_init+0x492/0x990 [sctp] +[...] +Call Trace: + + [] ? sctp_bind_addr_copy+0x5d/0xe0 [sctp] + [] sctp_sf_do_5_1B_init+0x21b/0x340 [sctp] + [] sctp_do_sm+0x71/0x1210 [sctp] + [] ? sctp_endpoint_lookup_assoc+0xc9/0xf0 [sctp] + [] sctp_endpoint_bh_rcv+0x116/0x230 [sctp] + [] sctp_inq_push+0x56/0x80 [sctp] + [] sctp_rcv+0x982/0xa10 [sctp] + [] ? ipt_local_in_hook+0x23/0x28 [iptable_filter] + [] ? nf_iterate+0x69/0xb0 + [] ? ip_local_deliver_finish+0x0/0x2d0 + [] ? nf_hook_slow+0x76/0x120 + [] ? ip_local_deliver_finish+0x0/0x2d0 +[...] 
+ +A minimal way to address this is to check for NULL as we do on all +other such occasions where we know sctp_get_af_specific() could +possibly return with NULL. + +Fix for CVE-2014-7841 +Upstream-Status: Backport + +Fixes: d6de3097592b ("[SCTP]: Add the handling of "Set Primary IP Address" parameter to INIT") +Signed-off-by: Daniel Borkmann +Cc: Vlad Yasevich +Acked-by: Neil Horman +Signed-off-by: David S. Miller +Signed-off-by: Jiri Slaby +Signed-off-by: Sona Sarmadi +--- + net/sctp/sm_make_chunk.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c +index 1e06f3b..e342387 100644 +--- a/net/sctp/sm_make_chunk.c ++++ b/net/sctp/sm_make_chunk.c +@@ -2622,6 +2622,9 @@ do_addr_param: + addr_param = param.v + sizeof(sctp_addip_param_t); + + af = sctp_get_af_specific(param_type2af(param.p->type)); ++ if (af == NULL) ++ break; ++ + af->from_addr_param(&addr, addr_param, + htons(asoc->peer.port), 0); + +-- +1.9.1 + diff --git a/meta-fsl-ppc/recipes-kernel/linux/linux-qoriq_3.12.bb b/meta-fsl-ppc/recipes-kernel/linux/linux-qoriq_3.12.bb index 2cd8ce9f..5c67dc3a 100644 --- a/meta-fsl-ppc/recipes-kernel/linux/linux-qoriq_3.12.bb +++ b/meta-fsl-ppc/recipes-kernel/linux/linux-qoriq_3.12.bb @@ -26,6 +26,7 @@ SRC_URI = "git://git.freescale.com/ppc/sdk/linux.git;nobranch=1 \ file://0001-ALSA-CVE-2014-4652.patch \ file://0002-ALSA-CVE-2014-4653.patch \ file://sctp-CVE-2014-4667.patch \ + file://sctp-CVE-2014-7841.patch \ " SRCREV = "6619b8b55796cdf0cec04b66a71288edd3057229"
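Review bot: in the sm_make_chunk.c hunk inside the new sctp-CVE-2014-7841.patch, the address family is still looked up with `param_type2af(param.p->type)`, i.e. the type of the outer parameter, while the commit message describes the problem as the type of the nested address parameter (`addr_param`, computed as `param.v + sizeof(sctp_addip_param_t)`) being something other than SCTP_PARAM_IPV4_ADDRESS/SCTP_PARAM_IPV6_ADDRESS; please confirm that `param.p->type` is the intended header here, because if it carries the enclosing SET_PRIMARY type the new `if (af == NULL) break;` will be taken on every such parameter and the set-primary request is silently ignored rather than rejected. The NULL check itself is the right minimal backport and matches how other `sctp_get_af_specific()` callers are guarded; the `break` should leave only the parameter `switch` so the remaining INIT parameters are still processed. Style point: the backport-specific lines `Fix for CVE-2014-7841` and `Upstream-Status: Backport` are spliced into the middle of the upstream commit body, ahead of the `Fixes:` tag; placing them after the upstream body and before the local `Signed-off-by: Sona Sarmadi` keeps the upstream message intact and follows the usual OpenEmbedded patch-header layout.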
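Review bot: the linux-qoriq_3.12.bb hunk only appends `file://sctp-CVE-2014-7841.patch \` to SRC_URI, which is correct for a recipe pinned to a fixed SRCREV, but the embedded patch was generated against the stable 3.12 tree (index line `1e06f3b..e342387`, Jiri Slaby's sign-off) rather than against `git://git.freescale.com/ppc/sdk/linux.git` at SRCREV `6619b8b55796cdf0cec04b66a71288edd3057229`; attach or quote the do_patch output showing the hunk at `net/sctp/sm_make_chunk.c:2622` applying without offset or fuzz on that SRCREV, since the surrounding `case SCTP_PARAM_SET_PRIMARY` context may differ in the vendor tree. Keeping the entry directly after `sctp-CVE-2014-4667.patch` preserves the existing CVE ordering of the list.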