| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <F41877A268BCDE49BAEE2286FA8C269F6FECFB15@LETV-MBX-IDC09.letv.local>
Date: Thu, 24 Nov 2016 02:47:04 +0000
From: Liyang Yu (于立洋1) <yuliyang1@...com>
To: "security@...nel.org" <security@...nel.org>,
"netdev@...r.kernel.org" <netdev@...r.kernel.org>
CC: "cve-request@...re.org" <cve-request@...re.org>
Subject: [scr265482] ip_tunnel.c
Hi:
I found that the GRE tunnel in same case can cause integer overflow in ip_tunnel.c:397
Cause of the problem:
When tpi->seq less than tunnel->i_seqno, the packet will be droped.
How to recurrence problem
1. Create an tunnel use kernel GRE module.
2. Use the tunnel to send packets for awile.
3.Reboot one site of the tunnel.
4. Communication interrupted
if (tunnel->parms.i_flags&TUNNEL_SEQ) {
if (!(tpi->flags&TUNNEL_SEQ) ||
(tunnel->i_seqno && (s32)(ntohl(tpi->seq) - tunnel->i_seqno) < 0)) { /**Here is the trouble code* /
tunnel->dev->stats.rx_fifo_errors++;
tunnel->dev->stats.rx_errors++;
goto drop;
}
tunnel->i_seqno = ntohl(tpi->seq) + 1;
}
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
> Integer Overflow in ip_tunnel.c in Ubuntu Linux kernel GRE ALL kernel
> version allows attacker to Denial of Service via reboot one end of the
> tunnel
Could you please clarify whether this affects only Ubuntu, or potentially affects other Linux distributions? ip_tunnel.c is present in the Linux kernel in all distributions and is maintained at:
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/log/net/ipv4/ip_tunnel.c
You should provide your evidence of an integer overflow, such as source code or crash tracing.
If you are reporting an Ubuntu issue, please see:
https://wiki.ubuntu.com/SecurityTeam/FAQ#Contact
about how to file a Private Security bug in Launchpad.
If you are reporting an issue affecting the Linux kernel in general, please contact:
security@...nel.org
You can also include:
netdev@...r.kernel.org
if the report is public. If you need to subscribe, see:
http://vger.kernel.org/vger-lists.html#netdev
- --
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA [ A PGP key is available for encrypted communications at
http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAEBCAAGBQJYNeETAAoJEHb/MwWLVhi26RcP/R38S6V0LFGPHOTFNjTapcnV
RPKycC/lOCGjQehDAUkhxxTwolJpJF3RWeI+KL/hOvxA+LP3B3YeYdoYnQyZ6SqI
8J+zz5vV5mCP3olKYynO4S32bBn8rZiwoWsFWPaC4ILmoQFTLZiDbH6ji3DrHewm
OwrTysyC1a7clOuIM3BaPl3Ra0qMHsgR2b16gYMEdi/B1Ya3oLY7MVLTB2AixA9F
BB/aQjFMICfchEF39uQslU3jJd+SPuayLvceiKIvqFqBt1D8Kt2rBamzMmI5MC3M
ZbVBNfXde1MxqlV2WjUzl8KFj2l1zG7IlH1rcRes+6ZI3VaJnbv9Jyi6oc9QzMQc
nFRg9sH/DzD3g40bh2zRBtLqkQeTxxkg3JvaFc2OC2MaxMiobQCso926d4pFxTmd
+x8wP7E/nKvd4+E09/bep/v0+mEOxfSDICNGO/7gBOU4wKZ6IyaNftfe5Q1zDaxv
M3vWI6VqTFx32wY7TE69AHIH7X7WvzsBi7BLj2RHGFg2hwS7n80A1t4BcdYjPdSh
feFxfVH5gGAaG3Bm4jJOCKe5+vRwuJGjnox2+vQvUrD9v+vx0z1D5ooO8Ms2MLnT
kKL7BKhcntcoLJ3TUI09I2HZBSh7R3homgFhgrpbDHd0YjaW6XgqHjAr8piKEToK
V6jChR0YzXTkTlw1jYlE
=z0ta
-----END PGP SIGNATURE-----
Powered by blists - more mailing lists