NULL pointer dereference in af->from_addr_param on malformed packet Reference: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7841
Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com> --- .../linux/files/sctp-CVE-2014-7841.patch | 85 ++++++++++++++++++++++ recipes-kernel/linux/linux-qoriq_3.12.bb | 1 + 2 files changed, 86 insertions(+) create mode 100644 recipes-kernel/linux/files/sctp-CVE-2014-7841.patch diff --git a/recipes-kernel/linux/files/sctp-CVE-2014-7841.patch b/recipes-kernel/linux/files/sctp-CVE-2014-7841.patch new file mode 100644 index 0000000..0c4beb3 --- /dev/null +++ b/recipes-kernel/linux/files/sctp-CVE-2014-7841.patch @@ -0,0 +1,85 @@ +From 4008f1dbe6fea8114e7f79ed2d238e369dc9138f Mon Sep 17 00:00:00 2001 +From: Daniel Borkmann <dbork...@redhat.com> +Date: Mon, 10 Nov 2014 17:54:26 +0100 +Subject: [PATCH] net: sctp: fix NULL pointer dereference in + af->from_addr_param on malformed packet + +[ Upstream commit e40607cbe270a9e8360907cb1e62ddf0736e4864 ] + +An SCTP server doing ASCONF will panic on malformed INIT ping-of-death +in the form of: + + ------------ INIT[PARAM: SET_PRIMARY_IP] ------------> + +While the INIT chunk parameter verification dissects through many things +in order to detect malformed input, it misses to actually check parameters +inside of parameters. E.g. RFC5061, section 4.2.4 proposes a 'set primary +IP address' parameter in ASCONF, which has as a subparameter an address +parameter. + +So an attacker may send a parameter type other than SCTP_PARAM_IPV4_ADDRESS +or SCTP_PARAM_IPV6_ADDRESS, param_type2af() will subsequently return 0 +and thus sctp_get_af_specific() returns NULL, too, which we then happily +dereference unconditionally through af->from_addr_param(). + +The trace for the log: + +BUG: unable to handle kernel NULL pointer dereference at 0000000000000078 +IP: [<ffffffffa01e9c62>] sctp_process_init+0x492/0x990 [sctp] +PGD 0 +Oops: 0000 [#1] SMP +[...] +Pid: 0, comm: swapper Not tainted 2.6.32-504.el6.x86_64 #1 Bochs Bochs +RIP: 0010:[<ffffffffa01e9c62>] [<ffffffffa01e9c62>] sctp_process_init+0x492/0x990 [sctp] +[...] +Call Trace: + <IRQ> + [<ffffffffa01f2add>] ? sctp_bind_addr_copy+0x5d/0xe0 [sctp] + [<ffffffffa01e1fcb>] sctp_sf_do_5_1B_init+0x21b/0x340 [sctp] + [<ffffffffa01e3751>] sctp_do_sm+0x71/0x1210 [sctp] + [<ffffffffa01e5c09>] ? sctp_endpoint_lookup_assoc+0xc9/0xf0 [sctp] + [<ffffffffa01e61f6>] sctp_endpoint_bh_rcv+0x116/0x230 [sctp] + [<ffffffffa01ee986>] sctp_inq_push+0x56/0x80 [sctp] + [<ffffffffa01fcc42>] sctp_rcv+0x982/0xa10 [sctp] + [<ffffffffa01d5123>] ? ipt_local_in_hook+0x23/0x28 [iptable_filter] + [<ffffffff8148bdc9>] ? nf_iterate+0x69/0xb0 + [<ffffffff81496d10>] ? ip_local_deliver_finish+0x0/0x2d0 + [<ffffffff8148bf86>] ? nf_hook_slow+0x76/0x120 + [<ffffffff81496d10>] ? ip_local_deliver_finish+0x0/0x2d0 +[...] + +A minimal way to address this is to check for NULL as we do on all +other such occasions where we know sctp_get_af_specific() could +possibly return with NULL. + +Fix for CVE-2014-7841 +Upstream-Status: Backport + +Fixes: d6de3097592b ("[SCTP]: Add the handling of "Set Primary IP Address" parameter to INIT") +Signed-off-by: Daniel Borkmann <dbork...@redhat.com> +Cc: Vlad Yasevich <vyasev...@gmail.com> +Acked-by: Neil Horman <nhor...@tuxdriver.com> +Signed-off-by: David S. Miller <da...@davemloft.net> +Signed-off-by: Jiri Slaby <jsl...@suse.cz> +Signed-off-by: Sona Sarmadi <sona.sarm...@enea.com> +--- + net/sctp/sm_make_chunk.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c +index 1e06f3b..e342387 100644 +--- a/net/sctp/sm_make_chunk.c ++++ b/net/sctp/sm_make_chunk.c +@@ -2622,6 +2622,9 @@ do_addr_param: + addr_param = param.v + sizeof(sctp_addip_param_t); + + af = sctp_get_af_specific(param_type2af(param.p->type)); ++ if (af == NULL) ++ break; ++ + af->from_addr_param(&addr, addr_param, + htons(asoc->peer.port), 0); + +-- +1.9.1 + diff --git a/recipes-kernel/linux/linux-qoriq_3.12.bb b/recipes-kernel/linux/linux-qoriq_3.12.bb index 2cd8ce9..5c67dc3 100644 --- a/recipes-kernel/linux/linux-qoriq_3.12.bb +++ b/recipes-kernel/linux/linux-qoriq_3.12.bb @@ -26,6 +26,7 @@ SRC_URI = "git://git.freescale.com/ppc/sdk/linux.git;nobranch=1 \ file://0001-ALSA-CVE-2014-4652.patch \ file://0002-ALSA-CVE-2014-4653.patch \ file://sctp-CVE-2014-4667.patch \ + file://sctp-CVE-2014-7841.patch \ " SRCREV = "6619b8b55796cdf0cec04b66a71288edd3057229" -- 1.9.1 -- _______________________________________________ meta-freescale mailing list meta-freescale@yoctoproject.org https://lists.yoctoproject.org/listinfo/meta-freescale