diff --git a/kernel.spec b/kernel.spec
index 83f1b4c7d..402404c25 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -619,6 +619,9 @@ Patch26065: sched-Remove-lockdep-check-in-sched_move_task.patch
 #rhbz 1161805
 Patch26066: ahci-disable-MSI-instead-of-NCQ-on-Samsung-pci-e-SSD.patch
+#CVE-2014-7841 rhbz 1163087 1163095
+Patch26067: net-sctp-fix-NULL-pointer-dereference-in-af-from_add.patch
+
 # git clone ssh://git.fedorahosted.org/git/kernel-arm64.git, git diff master...devel
 Patch30000: kernel-arm64.patch
@@ -1347,6 +1350,9 @@ ApplyPatch sched-Remove-lockdep-check-in-sched_move_task.patch
 #rhbz 1161805
 ApplyPatch ahci-disable-MSI-instead-of-NCQ-on-Samsung-pci-e-SSD.patch
+#CVE-2014-7841 rhbz 1163087 1163095
+ApplyPatch net-sctp-fix-NULL-pointer-dereference-in-af-from_add.patch
+
 %if 0%{?aarch64patches}
 ApplyPatch kernel-arm64.patch
 %ifnarch aarch64 # this is stupid, but i want to notice before secondary koji does.
@@ -2215,6 +2221,9 @@ fi
 # ||----w |
 # || ||
 %changelog
+* Wed Nov 12 2014 Josh Boyer
+- CVE-2014-7841 sctp: NULL ptr deref on malformed packet (rhbz 1163087 1163095)
+
 * Tue Nov 11 2014 Kyle McMartin - 3.18.0-0.rc4.git0.2
 - Re-enable kernel-arm64.patch, and fix up merge conflicts with 3.18-rc4
diff --git a/net-sctp-fix-NULL-pointer-dereference-in-af-from_add.patch b/net-sctp-fix-NULL-pointer-dereference-in-af-from_add.patch
new file mode 100644
index 000000000..34dae532b
--- /dev/null
+++ b/net-sctp-fix-NULL-pointer-dereference-in-af-from_add.patch
@@ -0,0 +1,77 @@
+From: Daniel Borkmann
+Date: Mon, 10 Nov 2014 17:54:26 +0100
+Subject: [PATCH] net: sctp: fix NULL pointer dereference in
+ af->from_addr_param on malformed packet
+
+An SCTP server doing ASCONF will panic on malformed INIT ping-of-death
+in the form of:
+
+ ------------ INIT[PARAM: SET_PRIMARY_IP] ------------>
+
+While the INIT chunk parameter verification dissects through many things
+in order to detect malformed input, it misses to actually check parameters
+inside of parameters. E.g. RFC5061, section 4.2.4 proposes a 'set primary
+IP address' parameter in ASCONF, which has as a subparameter an address
+parameter.
+
+So an attacker may send a parameter type other than SCTP_PARAM_IPV4_ADDRESS
+or SCTP_PARAM_IPV6_ADDRESS, param_type2af() will subsequently return 0
+and thus sctp_get_af_specific() returns NULL, too, which we then happily
+dereference unconditionally through af->from_addr_param().
+
+The trace for the log:
+
+BUG: unable to handle kernel NULL pointer dereference at 0000000000000078
+IP: [] sctp_process_init+0x492/0x990 [sctp]
+PGD 0
+Oops: 0000 [#1] SMP
+[...]
+Pid: 0, comm: swapper Not tainted 2.6.32-504.el6.x86_64 #1 Bochs Bochs
+RIP: 0010:[] [] sctp_process_init+0x492/0x990 [sctp]
+[...]
+Call Trace:
+
+ [] ? sctp_bind_addr_copy+0x5d/0xe0 [sctp]
+ [] sctp_sf_do_5_1B_init+0x21b/0x340 [sctp]
+ [] sctp_do_sm+0x71/0x1210 [sctp]
+ [] ? sctp_endpoint_lookup_assoc+0xc9/0xf0 [sctp]
+ [] sctp_endpoint_bh_rcv+0x116/0x230 [sctp]
+ [] sctp_inq_push+0x56/0x80 [sctp]
+ [] sctp_rcv+0x982/0xa10 [sctp]
+ [] ? ipt_local_in_hook+0x23/0x28 [iptable_filter]
+ [] ? nf_iterate+0x69/0xb0
+ [] ? ip_local_deliver_finish+0x0/0x2d0
+ [] ? nf_hook_slow+0x76/0x120
+ [] ? ip_local_deliver_finish+0x0/0x2d0
+[...]
+
+A minimal way to address this is to check for NULL as we do on all
+other such occasions where we know sctp_get_af_specific() could
+possibly return with NULL.
+
+Fixes: d6de3097592b ("[SCTP]: Add the handling of "Set Primary IP Address" parameter to INIT")
+Signed-off-by: Daniel Borkmann
+Cc: Vlad Yasevich
+Acked-by: Neil Horman
+Signed-off-by: David S. Miller
+---
+ net/sctp/sm_make_chunk.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c
+index ab734be8cb20..9f32741abb1c 100644
+--- a/net/sctp/sm_make_chunk.c
++++ b/net/sctp/sm_make_chunk.c
+@@ -2609,6 +2609,9 @@ do_addr_param:
+ addr_param = param.v + sizeof(sctp_addip_param_t);
+
+ af = sctp_get_af_specific(param_type2af(param.p->type));
++ if (af == NULL)
++ break;
++
+ af->from_addr_param(&addr, addr_param,
+ htons(asoc->peer.port), 0);
+
+--
+1.9.3
+
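Review bot: Nothing in the hunk checks that the SET_PRIMARY parameter's declared length actually covers the nested address parameter that `af->from_addr_param()` reads from `addr_param` (`param.v + sizeof(sctp_addip_param_t)`), so the new type check on its own does not stop a truncated parameter from being read past its end unless that length is validated earlier, outside this hunk; that should be confirmed against the INIT parameter verification path before relying on this as the complete fix. The `break` also drops the malformed sub-parameter silently and lets INIT processing continue instead of rejecting the chunk, which is a defensible minimal choice but deserves a comment such as `/* unknown address type in SET_PRIMARY: skip this parameter rather than abort the INIT */` so the next reader does not mistake it for an error-path omission. The enclosing function, `sctp_process_init`, starts and ends outside the hunk, so where control lands after the `break` cannot be verified from this view.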