Message-ID: <001901d3a041$6a9319a0$3fb94ce0$@secunia.com>
Date: Wed, 7 Feb 2018 19:28:14 +0100
From: "Secunia Research" <vuln@...unia.com>
To: <netdev@...r.kernel.org>
Cc: <vuln@...unia.com>
Subject: [Secunia Research] Linux Kernel Vulnerability - Sending information
Hello,
Secunia Research at Flexera has discovered a vulnerability in Linux Kernel,
which can be exploited by malicious, local users to cause a DoS (Denial of
Service).
Details:
-----------------
After a bit of fuzzing and some debugging, I've prepared a program that
triggers a BUG() failure at net/core/skbuff.c:104.
It happens when an SCTP ABORT message is about to be sent. The main problem
seems to be with the data size/length. This becomes a problem when the flow
reaches the "skb_put()" function (net/core/skbuff.c) and the "unlikely()"
condition is met.
I have just checked the reproducer against the current David Miller net-tree
and it doesn't seem to be addressed yet.
Proof-of-Concept:
-----------------
I wasn't sure if I should share the reproducer via this email. Please let me
know what's the preferred channel.
Kernel crash message:
[ 31.900829] skbuff: skb_over_panic: text:00000000d6dff053 len:68556 put:68544 head:000000001a927f7f data:0000000001696ac8 tail:0x10c84 end:0xec0 dev:<NULL>
[ 31.902421] ------------[ cut here ]------------
[ 31.902968] kernel BUG at net/core/skbuff.c:104!
[ 31.903559] invalid opcode: 0000 [#1] SMP KASAN PTI
[ 31.904159] Modules linked in:
[ 31.904541] CPU: 1 PID: 3458 Comm: repro Not tainted 4.15.0+ #2
[ 31.905416] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[ 31.906749] RIP: 0010:skb_panic+0x152/0x1d0
[ 31.907211] RSP: 0018:ffff880066f766a0 EFLAGS: 00010282
[ 31.907762] RAX: 000000000000008f RBX: ffff8800641ae2c0 RCX: 0000000000000000
[ 31.908527] RDX: 000000000000008f RSI: 1ffff1000cdeec99 RDI: ffffed000cdeecc8
[ 31.909287] RBP: ffffffff84a2efc0 R08: 1ffff1000cdeec6d R09: 0000000000000000
[ 31.910022] R10: 0000000000000001 R11: 0000000000000000 R12: ffffffff83c920f0
[ 31.910770] R13: 0000000000010bc0 R14: ffffffff84a2e860 R15: 0000000000000ec0
[ 31.911514] FS:  00007f4face87700(0000) GS:ffff88006cf00000(0000) knlGS:0000000000000000
[ 31.912367] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 31.912973] CR2: 0000000020020fe5 CR3: 0000000069288000 CR4: 00000000000006e0
[ 31.913708] Call Trace:
[ 31.914534] skb_put+0x178/0x1c0
[ 31.914890] sctp_packet_transmit+0x1120/0x3740
[ 31.924671] sctp_outq_flush+0x113a/0x3b90
[ 31.963822] sctp_do_sm+0x4a5c/0x65c0
[ 31.973685] sctp_primitive_ABORT+0x99/0xc0
[ 31.974457] sctp_sendmsg+0x1bb4/0x33a0
[ 31.987812] inet_sendmsg+0x125/0x580
[ 31.991609] sock_sendmsg+0xc0/0x100
[ 31.992320] ___sys_sendmsg+0x714/0x900
[ 31.999903] __sys_sendmsg+0xbd/0x1e0
[ 32.002942] SyS_sendmsg+0x27/0x40
[ 32.003585] entry_SYSCALL_64_fastpath+0x18/0x85
[ 32.004461] RIP: 0033:0x7f4fada2472d
[ 32.005130] RSP: 002b:00007f4face86ec0 EFLAGS: 00000293
[ 32.005138] Code: 03 0f b6 04 01 84 c0 74 04 3c 03 7e 20 8b 4b 78 41 56 45 89 e8 41 57 56 48 c7 c7 a0 e8 a2 84 52 48 89 ee 4c 89 e2 e8 00 bd 2d fe <0f> 0b 4c 89 4c 24 10 48 89 54 24 08 48 89 34 24 e8 b9 15 72 fe
[ 32.009658] RIP: skb_panic+0x152/0x1d0 RSP: ffff880066f766a0
[ 32.010756] ---[ end trace 239ba69b984ccf99 ]---
Closing Comments:
-----------------
We have assigned the vulnerability Secunia Advisory SA81331.
A preliminary release date has been set to February 21st, 2018 for the
publication of our advisory. However, we are naturally prepared to push the
disclosure date in accordance with the Secunia Research Disclosure Policy
[1], if you need more time to address the vulnerability as long as you keep
us updated on the status.
Please don't hesitate to contact us for assistance with
confirming/reproducing the reported vulnerability.
Credits should go to:
"Jakub Jirasek, Secunia Research at Flexera"
In the case that a HTTPS URL is allowed within the mentioning of the credits
on e.g. your web site, then please utilize the link [2], which could be made
to trigger by clicking on the "Secunia Research" parts of the credits for
example. We highly appreciate the effort.
Please acknowledge receiving this e-mail and let us know when you expect to
fix the vulnerability.
References:
[1] https://secuniaresearch.flexerasoftware.com/community/research/policy/
[2] https://www.flexerasoftware.com/enterprise/company/about/secunia-research/
---
Kind Regards,
Jakub Jirasek
Team Lead Information Security Analyst
Secunia Research at Flexera
Arne Jacobsens Allé 7, 5th floor
2300 Copenhagen S
Denmark
Phone +45 7020 5144
http://www.flexera.com
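The numbers in the crash message above can be replayed against a model of the check that fired. What follows is an added example by the editor, not code from the report, from Secunia, or from the kernel tree: a user-space model of the skb_put() tail/end bound check in net/core/skbuff.c, a parser for the skb_over_panic line, and a replay that rebuilds the pre-put buffer state from the post-put values the kernel prints. struct model_skb, field(), parse_skb_over_panic(), replay_overshoot() and put_exceeds_chunk_length_field() are hypothetical names; the struct is a simplification of struct sk_buff that assumes tail and end are offsets from head, as on x86-64 builds. The crash line embedded in main() is copied from the report.

```c
/*
 * Editor's added example (not from the report or the kernel): a user-space
 * model of the skb_put() bound check plus a parser for skb_over_panic lines.
 * Assumption: tail and end are byte offsets from head (x86-64 layout).
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct model_skb {
    unsigned long len;   /* payload bytes between data and tail */
    unsigned long tail;  /* offset of the end of the payload from head */
    unsigned long end;   /* offset of the end of the allocation from head */
};

/* skb_put() advances tail and len first and only then compares tail with
 * end; the kernel calls skb_over_panic() -> BUG() where this returns -1. */
int model_skb_put(struct model_skb *skb, unsigned long put)
{
    skb->tail += put;
    skb->len += put;
    return (skb->tail > skb->end) ? -1 : 0;
}

/* Pull "key:<number>" out of a dmesg line; base 0 accepts 0x... and decimal. */
static int field(const char *line, const char *key, unsigned long *out)
{
    const char *p = strstr(line, key);
    char *stop;
    if (!p)
        return -1;
    p += strlen(key);
    *out = strtoul(p, &stop, 0);
    return (stop == p) ? -1 : 0;
}

/* Parse the four numeric fields of an skb_over_panic line; 0 on success. */
int parse_skb_over_panic(const char *line, unsigned long *len, unsigned long *put,
                         unsigned long *tail, unsigned long *end)
{
    if (!strstr(line, "skb_over_panic:"))
        return -1;
    if (field(line, " len:", len) || field(line, " put:", put) ||
        field(line, " tail:", tail) || field(line, " end:", end))
        return -1;
    return 0;
}

/* Rebuild the skb as it was before the put that panicked (the kernel prints
 * the already-incremented len and tail), replay the put through the model,
 * and return by how many bytes tail overshoots end; 0 if it would have fit. */
unsigned long replay_overshoot(const char *line)
{
    unsigned long len, put, tail, end;
    struct model_skb skb;
    if (parse_skb_over_panic(line, &len, &put, &tail, &end))
        return 0;
    skb.len = len - put;
    skb.tail = tail - put;
    skb.end = end;
    if (model_skb_put(&skb, put) == 0)
        return 0;
    return skb.tail - skb.end;
}

/* An SCTP chunk length field is 16 bits (RFC 4960, section 3.2), so no single
 * chunk can declare more than 65535 bytes; flag puts that exceed that. */
int put_exceeds_chunk_length_field(unsigned long put)
{
    return put > 0xffff;
}

int main(void)
{
    /* First line of the crash message from the report, unwrapped. */
    static const char dump[] =
        "[ 31.900829] skbuff: skb_over_panic: text:00000000d6dff053 len:68556 "
        "put:68544 head:000000001a927f7f data:0000000001696ac8 tail:0x10c84 "
        "end:0xec0 dev:<NULL>";
    unsigned long len, put, tail, end;

    if (parse_skb_over_panic(dump, &len, &put, &tail, &end)) {
        fprintf(stderr, "not an skb_over_panic line\n");
        return 1;
    }
    printf("allocation end=%lu bytes, put=%lu bytes, overshoot=%lu bytes\n",
           end, put, replay_overshoot(dump));
    printf("put larger than a 16-bit SCTP chunk length: %s\n",
           put_exceeds_chunk_length_field(put) ? "yes" : "no");
    return 0;
}
```

Compiled and run as-is, it reports the 3776-byte allocation (end:0xec0) being overrun by 64964 bytes, and flags that the 68544-byte put is larger than any single SCTP chunk can declare in its 16-bit length field, a detail worth keeping in mind when triaging where the oversized ABORT payload came from.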