CVE-2010-3705: sctp: Fix out-of-bounds reading in sctp_asoc_get_hmac()

2010-12-10 17:01:14 -05:00 · 2010-12-10 17:01:14 -05:00 · 2c7b199d8c
parent 31ece0102d
commit 2c7b199d8c
2 changed files with 55 additions and 0 deletions
--- a/kernel.spec
+++ b/kernel.spec
@ -883,6 +883,8 @@ Patch13901: ioat2-catch-and-recover-from-broken-vtd-configurations.patch
 Patch13910: v4l1-fix-32-bit-compat-microcode-loading-translation.patch
 # CVE-2010-3698
 Patch13911: kvm-fix-fs-gs-reload-oops-with-invalid-ldt.patch
+# CVE-2010-3705
+Patch13912: sctp-fix-out-of-bounds-reading-in-sctp_asoc_get_hmac.patch

 %endif

@ -1691,6 +1693,8 @@ ApplyPatch ioat2-catch-and-recover-from-broken-vtd-configurations.patch
 ApplyPatch v4l1-fix-32-bit-compat-microcode-loading-translation.patch
 # CVE-2010-3698
 ApplyPatch kvm-fix-fs-gs-reload-oops-with-invalid-ldt.patch
+# CVE-2010-3705
+ApplyPatch sctp-fix-out-of-bounds-reading-in-sctp_asoc_get_hmac.patch

 # END OF PATCH APPLICATIONS

@ -2317,6 +2321,7 @@ fi
 - CVE-2010-2962: arbitrary kernel memory write via i915 GEM ioctl
 - CVE-2010-2963: v4l: VIDIOCSMICROCODE arbitrary write
 - CVE-2010-3698: kvm: invalid selector in fs/gs causes kernel panic
+- CVE-2010-3705: sctp: Fix out-of-bounds reading in sctp_asoc_get_hmac()

 * Thu Dec 09 2010 Kyle McMartin <kyle@redhat.com>
 - ioat2-catch-and-recover-from-broken-vtd-configurations.patch: copy patch
--- a/sctp-fix-out-of-bounds-reading-in-sctp_asoc_get_hmac.patch
+++ b/sctp-fix-out-of-bounds-reading-in-sctp_asoc_get_hmac.patch
@ -0,0 +1,50 @@
+From: Dan Rosenberg <drosenberg@vsecurity.com>
+Date: Fri, 1 Oct 2010 11:51:47 +0000 (+0000)
+Subject: sctp: Fix out-of-bounds reading in sctp_asoc_get_hmac()
+X-Git-Tag: v2.6.36-rc8~2^2~25
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Fdavem%2Fnet-2.6.git;a=commitdiff_plain;h=51e97a12bef19b7e43199fc153cf9bd5f2140362
+
+sctp: Fix out-of-bounds reading in sctp_asoc_get_hmac()
+
+The sctp_asoc_get_hmac() function iterates through a peer's hmac_ids
+array and attempts to ensure that only a supported hmac entry is
+returned.  The current code fails to do this properly - if the last id
+in the array is out of range (greater than SCTP_AUTH_HMAC_ID_MAX), the
+id integer remains set after exiting the loop, and the address of an
+out-of-bounds entry will be returned and subsequently used in the parent
+function, causing potentially ugly memory corruption.  This patch resets
+the id integer to 0 on encountering an invalid id so that NULL will be
+returned after finishing the loop if no valid ids are found.
+
+Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
+Acked-by: Vlad Yasevich <vladislav.yasevich@hp.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+
+diff --git a/net/sctp/auth.c b/net/sctp/auth.c
+index 8636639..ddbbf7c 100644
+--- a/net/sctp/auth.c
+++ b/net/sctp/auth.c
+@@ -543,16 +543,20 @@ struct sctp_hmac *sctp_auth_asoc_get_hmac(const struct sctp_association *asoc)
+ 		id = ntohs(hmacs->hmac_ids[i]);
+ 
+ 		/* Check the id is in the supported range */
+-		if (id > SCTP_AUTH_HMAC_ID_MAX)
+		if (id > SCTP_AUTH_HMAC_ID_MAX) {
+			id = 0;
+ 			continue;
+		}
+ 
+ 		/* See is we support the id.  Supported IDs have name and
+ 		 * length fields set, so that we can allocated and use
+ 		 * them.  We can safely just check for name, for without the
+ 		 * name, we can't allocate the TFM.
+ 		 */
+-		if (!sctp_hmac_list[id].hmac_name)
+		if (!sctp_hmac_list[id].hmac_name) {
+			id = 0;
+ 			continue;
+		}
+ 
+ 		break;
+ 	}