FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > Ubuntu > Ubuntu Kernel Team

 
 
LinkBack Thread Tools
 
Old 07-21-2011, 01:59 PM
Andy Whitcroft
 
Default dccp: fix oops on Reset after close

CVE-2011-1093
The dccp_rcv_state_process function in net/dccp/input.c in the
Datagram Congestion Control Protocol (DCCP) implementation in
the Linux kernel before 2.6.38 does not properly handle packets
for a CLOSED endpoint, which allows remote attackers to cause a
denial of service (NULL pointer dereference and OOPS) by sending
a DCCP-Close packet followed by a DCCP-Reset packet.

The fix for this has hit lucid and later via mainline and stable.
Following this are two patches, the first for hardy, the second for
lucid/fsl-imx51 and maverick/ti-omap4. I all cases they are a simple
cherry-pick from the mainline commit as applied to the existing branches;
hardy differs in context only.

Proposing for hardy, lucid/fsl-imx51 and maverick/ti-omap4.

-apw

--
kernel-team mailing list
kernel-team@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/kernel-team
 
Old 07-21-2011, 01:59 PM
Andy Whitcroft
 
Default dccp: fix oops on Reset after close

CVE-2011-1093
The dccp_rcv_state_process function in net/dccp/input.c in the
Datagram Congestion Control Protocol (DCCP) implementation in
the Linux kernel before 2.6.38 does not properly handle packets
for a CLOSED endpoint, which allows remote attackers to cause a
denial of service (NULL pointer dereference and OOPS) by sending
a DCCP-Close packet followed by a DCCP-Reset packet.

The fix for this has hit lucid and later via mainline and stable.
Following this are two patches, the first for hardy, the second for
lucid/fsl-imx51 and maverick/ti-omap4. I all cases they are a simple
cherry-pick from the mainline commit as applied to the existing branches;
hardy differs in context only.

Proposing for hardy, lucid/fsl-imx51 and maverick/ti-omap4.

-apw

--
kernel-team mailing list
kernel-team@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/kernel-team
 
Old 07-21-2011, 01:59 PM
Andy Whitcroft
 
Default dccp: fix oops on Reset after close

From: Gerrit Renker <gerrit@erg.abdn.ac.uk>

This fixes a bug in the order of dccp_rcv_state_process() that still permitted
reception even after closing the socket. A Reset after close thus causes a NULL
pointer dereference by not preventing operations on an already torn-down socket.

dccp_v4_do_rcv()
|
| state other than OPEN
v
dccp_rcv_state_process()
|
| DCCP_PKT_RESET
v
dccp_rcv_reset()
|
v
dccp_time_wait()

WARNING: at net/ipv4/inet_timewait_sock.c:141 __inet_twsk_hashdance+0x48/0x128()
Modules linked in: arc4 ecb carl9170 rt2870sta(C) mac80211 r8712u(C) crc_ccitt ah
[<c0038850>] (unwind_backtrace+0x0/0xec) from [<c0055364>] (warn_slowpath_common)
[<c0055364>] (warn_slowpath_common+0x4c/0x64) from [<c0055398>] (warn_slowpath_n)
[<c0055398>] (warn_slowpath_null+0x1c/0x24) from [<c02b72d0>] (__inet_twsk_hashd)
[<c02b72d0>] (__inet_twsk_hashdance+0x48/0x128) from [<c031caa0>] (dccp_time_wai)
[<c031caa0>] (dccp_time_wait+0x40/0xc8) from [<c031c15c>] (dccp_rcv_state_proces)
[<c031c15c>] (dccp_rcv_state_process+0x120/0x538) from [<c032609c>] (dccp_v4_do_)
[<c032609c>] (dccp_v4_do_rcv+0x11c/0x14c) from [<c0286594>] (release_sock+0xac/0)
[<c0286594>] (release_sock+0xac/0x110) from [<c031fd34>] (dccp_close+0x28c/0x380)
[<c031fd34>] (dccp_close+0x28c/0x380) from [<c02d9a78>] (inet_release+0x64/0x70)

The fix is by testing the socket state first. Receiving a packet in Closed state
now also produces the required "No connection" Reset reply of RFC 4340, 8.3.1.

Reported-and-tested-by: Johan Hovold <jhovold@gmail.com>
Cc: stable@kernel.org
Signed-off-by: Gerrit Renker <gerrit@erg.abdn.ac.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>

(cherry picked from commit 720dc34bbbe9493c7bd48b2243058b4e447a929d)
CVE-2011-1093
BugLink: http://bugs.launchpad.net/bugs/814087
Signed-off-by: Andy Whitcroft <apw@canonical.com>
---
net/dccp/input.c | 7 +++----
1 files changed, 3 insertions(+), 4 deletions(-)

diff --git a/net/dccp/input.c b/net/dccp/input.c
index 1ce1010..7decad2 100644
--- a/net/dccp/input.c
+++ b/net/dccp/input.c
@@ -522,6 +522,9 @@ int dccp_rcv_state_process(struct sock *sk, struct sk_buff *skb,
/* Caller (dccp_v4_do_rcv) will send Reset */
dcb->dccpd_reset_code = DCCP_RESET_CODE_NO_CONNECTION;
return 1;
+ } else if (sk->sk_state == DCCP_CLOSED) {
+ dcb->dccpd_reset_code = DCCP_RESET_CODE_NO_CONNECTION;
+ return 1;
}

if (sk->sk_state != DCCP_REQUESTING) {
@@ -585,10 +588,6 @@ int dccp_rcv_state_process(struct sock *sk, struct sk_buff *skb,
}

switch (sk->sk_state) {
- case DCCP_CLOSED:
- dcb->dccpd_reset_code = DCCP_RESET_CODE_NO_CONNECTION;
- return 1;
-
case DCCP_REQUESTING:
/* FIXME: do congestion control initialization */

--
1.7.4.1


--
kernel-team mailing list
kernel-team@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/kernel-team
 
Old 07-21-2011, 01:59 PM
Andy Whitcroft
 
Default dccp: fix oops on Reset after close

From: Gerrit Renker <gerrit@erg.abdn.ac.uk>

This fixes a bug in the order of dccp_rcv_state_process() that still permitted
reception even after closing the socket. A Reset after close thus causes a NULL
pointer dereference by not preventing operations on an already torn-down socket.

dccp_v4_do_rcv()
|
| state other than OPEN
v
dccp_rcv_state_process()
|
| DCCP_PKT_RESET
v
dccp_rcv_reset()
|
v
dccp_time_wait()

WARNING: at net/ipv4/inet_timewait_sock.c:141 __inet_twsk_hashdance+0x48/0x128()
Modules linked in: arc4 ecb carl9170 rt2870sta(C) mac80211 r8712u(C) crc_ccitt ah
[<c0038850>] (unwind_backtrace+0x0/0xec) from [<c0055364>] (warn_slowpath_common)
[<c0055364>] (warn_slowpath_common+0x4c/0x64) from [<c0055398>] (warn_slowpath_n)
[<c0055398>] (warn_slowpath_null+0x1c/0x24) from [<c02b72d0>] (__inet_twsk_hashd)
[<c02b72d0>] (__inet_twsk_hashdance+0x48/0x128) from [<c031caa0>] (dccp_time_wai)
[<c031caa0>] (dccp_time_wait+0x40/0xc8) from [<c031c15c>] (dccp_rcv_state_proces)
[<c031c15c>] (dccp_rcv_state_process+0x120/0x538) from [<c032609c>] (dccp_v4_do_)
[<c032609c>] (dccp_v4_do_rcv+0x11c/0x14c) from [<c0286594>] (release_sock+0xac/0)
[<c0286594>] (release_sock+0xac/0x110) from [<c031fd34>] (dccp_close+0x28c/0x380)
[<c031fd34>] (dccp_close+0x28c/0x380) from [<c02d9a78>] (inet_release+0x64/0x70)

The fix is by testing the socket state first. Receiving a packet in Closed state
now also produces the required "No connection" Reset reply of RFC 4340, 8.3.1.

Reported-and-tested-by: Johan Hovold <jhovold@gmail.com>
Cc: stable@kernel.org
Signed-off-by: Gerrit Renker <gerrit@erg.abdn.ac.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>

(cherry picked from commit 720dc34bbbe9493c7bd48b2243058b4e447a929d)
CVE-2011-1093
BugLink: http://bugs.launchpad.net/bugs/814087
Signed-off-by: Andy Whitcroft <apw@canonical.com>
---
net/dccp/input.c | 7 +++----
1 files changed, 3 insertions(+), 4 deletions(-)

diff --git a/net/dccp/input.c b/net/dccp/input.c
index 1ce1010..7decad2 100644
--- a/net/dccp/input.c
+++ b/net/dccp/input.c
@@ -522,6 +522,9 @@ int dccp_rcv_state_process(struct sock *sk, struct sk_buff *skb,
/* Caller (dccp_v4_do_rcv) will send Reset */
dcb->dccpd_reset_code = DCCP_RESET_CODE_NO_CONNECTION;
return 1;
+ } else if (sk->sk_state == DCCP_CLOSED) {
+ dcb->dccpd_reset_code = DCCP_RESET_CODE_NO_CONNECTION;
+ return 1;
}

if (sk->sk_state != DCCP_REQUESTING) {
@@ -585,10 +588,6 @@ int dccp_rcv_state_process(struct sock *sk, struct sk_buff *skb,
}

switch (sk->sk_state) {
- case DCCP_CLOSED:
- dcb->dccpd_reset_code = DCCP_RESET_CODE_NO_CONNECTION;
- return 1;
-
case DCCP_REQUESTING:
/* FIXME: do congestion control initialization */

--
1.7.4.1


--
kernel-team mailing list
kernel-team@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/kernel-team
 
Old 07-21-2011, 01:59 PM
Andy Whitcroft
 
Default dccp: fix oops on Reset after close

From: Gerrit Renker <gerrit@erg.abdn.ac.uk>

This fixes a bug in the order of dccp_rcv_state_process() that still permitted
reception even after closing the socket. A Reset after close thus causes a NULL
pointer dereference by not preventing operations on an already torn-down socket.

dccp_v4_do_rcv()
|
| state other than OPEN
v
dccp_rcv_state_process()
|
| DCCP_PKT_RESET
v
dccp_rcv_reset()
|
v
dccp_time_wait()

WARNING: at net/ipv4/inet_timewait_sock.c:141 __inet_twsk_hashdance+0x48/0x128()
Modules linked in: arc4 ecb carl9170 rt2870sta(C) mac80211 r8712u(C) crc_ccitt ah
[<c0038850>] (unwind_backtrace+0x0/0xec) from [<c0055364>] (warn_slowpath_common)
[<c0055364>] (warn_slowpath_common+0x4c/0x64) from [<c0055398>] (warn_slowpath_n)
[<c0055398>] (warn_slowpath_null+0x1c/0x24) from [<c02b72d0>] (__inet_twsk_hashd)
[<c02b72d0>] (__inet_twsk_hashdance+0x48/0x128) from [<c031caa0>] (dccp_time_wai)
[<c031caa0>] (dccp_time_wait+0x40/0xc8) from [<c031c15c>] (dccp_rcv_state_proces)
[<c031c15c>] (dccp_rcv_state_process+0x120/0x538) from [<c032609c>] (dccp_v4_do_)
[<c032609c>] (dccp_v4_do_rcv+0x11c/0x14c) from [<c0286594>] (release_sock+0xac/0)
[<c0286594>] (release_sock+0xac/0x110) from [<c031fd34>] (dccp_close+0x28c/0x380)
[<c031fd34>] (dccp_close+0x28c/0x380) from [<c02d9a78>] (inet_release+0x64/0x70)

The fix is by testing the socket state first. Receiving a packet in Closed state
now also produces the required "No connection" Reset reply of RFC 4340, 8.3.1.

Reported-and-tested-by: Johan Hovold <jhovold@gmail.com>
Cc: stable@kernel.org
Signed-off-by: Gerrit Renker <gerrit@erg.abdn.ac.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>

(cherry picked from commit 720dc34bbbe9493c7bd48b2243058b4e447a929d)
CVE-2011-1093
BugLink: http://bugs.launchpad.net/bugs/814087
Signed-off-by: Andy Whitcroft <apw@canonical.com>
---
net/dccp/input.c | 7 +++----
1 files changed, 3 insertions(+), 4 deletions(-)

diff --git a/net/dccp/input.c b/net/dccp/input.c
index 7648f31..26fa731 100644
--- a/net/dccp/input.c
+++ b/net/dccp/input.c
@@ -616,6 +616,9 @@ int dccp_rcv_state_process(struct sock *sk, struct sk_buff *skb,
/* Caller (dccp_v4_do_rcv) will send Reset */
dcb->dccpd_reset_code = DCCP_RESET_CODE_NO_CONNECTION;
return 1;
+ } else if (sk->sk_state == DCCP_CLOSED) {
+ dcb->dccpd_reset_code = DCCP_RESET_CODE_NO_CONNECTION;
+ return 1;
}

if (sk->sk_state != DCCP_REQUESTING && sk->sk_state != DCCP_RESPOND) {
@@ -678,10 +681,6 @@ int dccp_rcv_state_process(struct sock *sk, struct sk_buff *skb,
}

switch (sk->sk_state) {
- case DCCP_CLOSED:
- dcb->dccpd_reset_code = DCCP_RESET_CODE_NO_CONNECTION;
- return 1;
-
case DCCP_REQUESTING:
queued = dccp_rcv_request_sent_state_process(sk, skb, dh, len);
if (queued >= 0)
--
1.7.4.1


--
kernel-team mailing list
kernel-team@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/kernel-team
 
Old 07-21-2011, 01:59 PM
Andy Whitcroft
 
Default dccp: fix oops on Reset after close

From: Gerrit Renker <gerrit@erg.abdn.ac.uk>

This fixes a bug in the order of dccp_rcv_state_process() that still permitted
reception even after closing the socket. A Reset after close thus causes a NULL
pointer dereference by not preventing operations on an already torn-down socket.

dccp_v4_do_rcv()
|
| state other than OPEN
v
dccp_rcv_state_process()
|
| DCCP_PKT_RESET
v
dccp_rcv_reset()
|
v
dccp_time_wait()

WARNING: at net/ipv4/inet_timewait_sock.c:141 __inet_twsk_hashdance+0x48/0x128()
Modules linked in: arc4 ecb carl9170 rt2870sta(C) mac80211 r8712u(C) crc_ccitt ah
[<c0038850>] (unwind_backtrace+0x0/0xec) from [<c0055364>] (warn_slowpath_common)
[<c0055364>] (warn_slowpath_common+0x4c/0x64) from [<c0055398>] (warn_slowpath_n)
[<c0055398>] (warn_slowpath_null+0x1c/0x24) from [<c02b72d0>] (__inet_twsk_hashd)
[<c02b72d0>] (__inet_twsk_hashdance+0x48/0x128) from [<c031caa0>] (dccp_time_wai)
[<c031caa0>] (dccp_time_wait+0x40/0xc8) from [<c031c15c>] (dccp_rcv_state_proces)
[<c031c15c>] (dccp_rcv_state_process+0x120/0x538) from [<c032609c>] (dccp_v4_do_)
[<c032609c>] (dccp_v4_do_rcv+0x11c/0x14c) from [<c0286594>] (release_sock+0xac/0)
[<c0286594>] (release_sock+0xac/0x110) from [<c031fd34>] (dccp_close+0x28c/0x380)
[<c031fd34>] (dccp_close+0x28c/0x380) from [<c02d9a78>] (inet_release+0x64/0x70)

The fix is by testing the socket state first. Receiving a packet in Closed state
now also produces the required "No connection" Reset reply of RFC 4340, 8.3.1.

Reported-and-tested-by: Johan Hovold <jhovold@gmail.com>
Cc: stable@kernel.org
Signed-off-by: Gerrit Renker <gerrit@erg.abdn.ac.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>

(cherry picked from commit 720dc34bbbe9493c7bd48b2243058b4e447a929d)
CVE-2011-1093
BugLink: http://bugs.launchpad.net/bugs/814087
Signed-off-by: Andy Whitcroft <apw@canonical.com>
---
net/dccp/input.c | 7 +++----
1 files changed, 3 insertions(+), 4 deletions(-)

diff --git a/net/dccp/input.c b/net/dccp/input.c
index 7648f31..26fa731 100644
--- a/net/dccp/input.c
+++ b/net/dccp/input.c
@@ -616,6 +616,9 @@ int dccp_rcv_state_process(struct sock *sk, struct sk_buff *skb,
/* Caller (dccp_v4_do_rcv) will send Reset */
dcb->dccpd_reset_code = DCCP_RESET_CODE_NO_CONNECTION;
return 1;
+ } else if (sk->sk_state == DCCP_CLOSED) {
+ dcb->dccpd_reset_code = DCCP_RESET_CODE_NO_CONNECTION;
+ return 1;
}

if (sk->sk_state != DCCP_REQUESTING && sk->sk_state != DCCP_RESPOND) {
@@ -678,10 +681,6 @@ int dccp_rcv_state_process(struct sock *sk, struct sk_buff *skb,
}

switch (sk->sk_state) {
- case DCCP_CLOSED:
- dcb->dccpd_reset_code = DCCP_RESET_CODE_NO_CONNECTION;
- return 1;
-
case DCCP_REQUESTING:
queued = dccp_rcv_request_sent_state_process(sk, skb, dh, len);
if (queued >= 0)
--
1.7.4.1


--
kernel-team mailing list
kernel-team@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/kernel-team
 
Old 07-21-2011, 02:12 PM
Stefan Bader
 
Default dccp: fix oops on Reset after close

On 21.07.2011 15:59, Andy Whitcroft wrote:
> CVE-2011-1093
> The dccp_rcv_state_process function in net/dccp/input.c in the
> Datagram Congestion Control Protocol (DCCP) implementation in
> the Linux kernel before 2.6.38 does not properly handle packets
> for a CLOSED endpoint, which allows remote attackers to cause a
> denial of service (NULL pointer dereference and OOPS) by sending
> a DCCP-Close packet followed by a DCCP-Reset packet.
>
> The fix for this has hit lucid and later via mainline and stable.
> Following this are two patches, the first for hardy, the second for
> lucid/fsl-imx51 and maverick/ti-omap4. I all cases they are a simple
> cherry-pick from the mainline commit as applied to the existing branches;
> hardy differs in context only.
>
> Proposing for hardy, lucid/fsl-imx51 and maverick/ti-omap4.
>
> -apw
>
Acked-by: Stefan Bader <stefan.bader@canonical.com>

--
kernel-team mailing list
kernel-team@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/kernel-team
 
Old 07-21-2011, 02:12 PM
Stefan Bader
 
Default dccp: fix oops on Reset after close

On 21.07.2011 15:59, Andy Whitcroft wrote:
> CVE-2011-1093
> The dccp_rcv_state_process function in net/dccp/input.c in the
> Datagram Congestion Control Protocol (DCCP) implementation in
> the Linux kernel before 2.6.38 does not properly handle packets
> for a CLOSED endpoint, which allows remote attackers to cause a
> denial of service (NULL pointer dereference and OOPS) by sending
> a DCCP-Close packet followed by a DCCP-Reset packet.
>
> The fix for this has hit lucid and later via mainline and stable.
> Following this are two patches, the first for hardy, the second for
> lucid/fsl-imx51 and maverick/ti-omap4. I all cases they are a simple
> cherry-pick from the mainline commit as applied to the existing branches;
> hardy differs in context only.
>
> Proposing for hardy, lucid/fsl-imx51 and maverick/ti-omap4.
>
> -apw
>
Acked-by: Stefan Bader <stefan.bader@canonical.com>

--
kernel-team mailing list
kernel-team@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/kernel-team
 

Thread Tools




All times are GMT. The time now is 12:29 AM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright 2007 - 2008, www.linux-archive.org