Debian Linux Kernel 3.2.63 Remote Denial of Service

2014.11.02
Credit: Julien
Risk: Medium
Local: No
Remote: Yes
CWE: N/A


CVSS Base Score: 4.9/10
Impact Subscore: 6.9/10
Exploitability Subscore: 3.9/10
Exploit range: Local
Attack complexity: Low
Authentication: Not required
Confidentiality impact: None
Integrity impact: None
Availability impact: Complete

Hi,

after the latest point release some debian.org hosts became unreliable. That was tracked down to a panic in the networking code. Ben provided a test patch:

From: Ben Hutchings <ben@decadent.org.uk>
Date: Tue, 21 Oct 2014 00:49:22 +0100
Subject: ipv6: ipv6_select_ident: handle null rt
Forwarded: not-needed

In Linux 3.2, ipv6_select_ident() can apparently still be called with rt == NULL and must avoid dereferencing it in this case. We should probably fix the callers, so WARN_ON_ONCE to get a clue about how this happens.

---
--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -604,13 +604,18 @@ void ipv6_select_ident(struct frag_hdr * static bool hashrnd_initialized = false; u32 hash, id; + if (WARN_ON_ONCE(!rt)) { + hash = 0; + goto reserve; + } + if (unlikely(!hashrnd_initialized)) { hashrnd_initialized = true; get_random_bytes(&ip6_idents_hashrnd, sizeof(ip6_idents_hashrnd)); } hash = __ipv6_addr_jhash(&rt->rt6i_dst.addr, ip6_idents_hashrnd); hash = __ipv6_addr_jhash(&rt->rt6i_src.addr, hash); - +reserve: id = ip_idents_reserve(hash, 1); fhdr->identification = htonl(id); }

which resulted in the following trace:

[ 436.375412] ------------[ cut here ]------------
[ 436.375439] WARNING: at /usr/src/linux-3.2.63/net/ipv6/ip6_output.c:607 ipv6_select_ident+0x28/0x8b()
[ 436.375446] Hardware name: ProLiant DL585 G2
[ 436.375451] Modules linked in: ipmi_devintf ip6t_REJECT ip6t_LOG nf_conntrack_ipv6 nf_defrag_ipv6 ip6table_filter ip6_tables ipt_REJECT ipt_ULOG xt_tcpudp nf_conntrack_ipv4 nf_defrag_ipv4 xt_state nf_conntrack ses xt_hashlimit enclosure xt_multiport iptable_filter ip_tables x_tables crc32c ib_iser rdma_cm ib_addr iw_cm ib_cm ib_sa ib_mad ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi bridge sd_mod dm_round_robin crc_t10dif bonding xfs ext4 crc16 jbd2 hmac drbd lru_cache 8021q garp stp dm_snapshot loop dm_multipath scsi_dh vhost_net tun macvtap macvlan kvm_amd kvm radeon ttm ipmi_si drm_kms_helper ipmi_msghandler k8temp powernow_k8 mperf hpilo drm power_supply i2c_algo_bit shpchp amd64_edac_mod edac_mce_amd edac_core psmouse hpwdt i2c_core snd_pcm snd_page_alloc snd_timer snd soundcore processor cdc_acm pcspkr evdev serio_raw container button thermal_sys ext3 mbcache jbd dm_mod usbhid hid sg sr_mod cdrom hpsa ata_generic lpfc pata_amd uhci_hcd libata scsi_transport_fc scsi_tgt ohci_hcd bnx2 ehci_hcd cciss scsi_mod usbcore usb_common [last unloaded: scsi_wait_scan]
[ 436.375642] Pid: 12085, comm: unbound Not tainted 3.2.0-4-amd64 #1 Debian 3.2.63-2a~test
[ 436.375647] Call Trace:
[ 436.375666] [<ffffffff81046d61>] ? warn_slowpath_common+0x78/0x8c
[ 436.375676] [<ffffffff812ff40f>] ? ipv6_select_ident+0x28/0x8b
[ 436.375685] [<ffffffff81311411>] ? udp6_ufo_fragment+0x124/0x1a2
[ 436.375696] [<ffffffff812fd569>] ? ipv6_gso_segment+0xb8/0x14e
[ 436.375705] [<ffffffff81036273>] ? __wake_up_common+0x40/0x77
[ 436.375715] [<ffffffff812905b4>] ? skb_gso_segment+0x208/0x28b
[ 436.375725] [<ffffffff81037f7b>] ? __wake_up+0x35/0x46
[ 436.375734] [<ffffffff81071295>] ? arch_local_irq_save+0x11/0x17
[ 436.375746] [<ffffffff813508f9>] ? _raw_spin_lock_irqsave+0x9/0x25
[ 436.375756] [<ffffffff8105266a>] ? lock_timer_base.isra.29+0x23/0x47
[ 436.375764] [<ffffffff81350937>] ? _raw_spin_unlock_irqrestore+0xe/0xf
[ 436.375771] [<ffffffff81052926>] ? __mod_timer+0x139/0x14b
[ 436.375781] [<ffffffff8104c2c9>] ? _local_bh_enable_ip.isra.11+0x1e/0x88
[ 436.375794] [<ffffffffa06b159a>] ? ip6t_do_table+0x5b2/0x5e4 [ip6_tables]
[ 436.375805] [<ffffffff81292337>] ? dev_hard_start_xmit+0x32d/0x518
[ 436.375814] [<ffffffff812b28bd>] ? nf_iterate+0x41/0x77
[ 436.375823] [<ffffffff812a8a63>] ? sch_direct_xmit+0x61/0x135
[ 436.375833] [<ffffffff812927e4>] ? dev_queue_xmit+0x2c2/0x46b
[ 436.375856] [<ffffffffa05db84b>] ? br_dev_queue_push_xmit+0x9b/0x9f [bridge]
[ 436.375871] [<ffffffffa05da31d>] ? br_dev_xmit+0x12e/0x142 [bridge]
[ 436.375880] [<ffffffff812923dc>] ? dev_hard_start_xmit+0x3d2/0x518
[ 436.375888] [<ffffffff812ffc73>] ? ip6_fragment+0x801/0x801
[ 436.375897] [<ffffffff812928e3>] ? dev_queue_xmit+0x3c1/0x46b
[ 436.375906] [<ffffffff812fe8b6>] ? ip6_finish_output2+0x216/0x26a
[ 436.375916] [<ffffffff81300d08>] ? ip6_push_pending_frames+0x307/0x391
[ 436.375925] [<ffffffff813117f1>] ? udp_v6_push_pending_frames+0x284/0x2fc
[ 436.375934] [<ffffffff81312855>] ? udpv6_sendmsg+0x6e0/0x8a0
[ 436.375942] [<ffffffff810411d9>] ? find_busiest_group+0x1f5/0x805
[ 436.375956] [<ffffffff81280461>] ? sock_sendmsg+0xc1/0xde
[ 436.375965] [<ffffffff812de4c2>] ? inet_recvmsg+0x5b/0x6f
[ 436.375974] [<ffffffff81280340>] ? sock_recvmsg+0xcd/0xec
[ 436.375982] [<ffffffff8128382c>] ? sock_kmalloc+0x41/0x63
[ 436.375989] [<ffffffff8128382c>] ? sock_kmalloc+0x41/0x63
[ 436.375999] [<ffffffff810ed0ca>] ? __kmalloc+0x100/0x112
[ 436.376032] [<ffffffff81036618>] ? should_resched+0x5/0x23
[ 436.376040] [<ffffffff81036618>] ? should_resched+0x5/0x23
[ 436.376048] [<ffffffff8134f56c>] ? _cond_resched+0x7/0x1c
[ 436.376056] [<ffffffff8127eeaf>] ? copy_from_user+0x18/0x30
[ 436.376065] [<ffffffff81280717>] ? ___sys_sendmsg+0x209/0x2a9
[ 436.376075] [<ffffffff812d6e79>] ? udp_poll+0xf/0x42
[ 436.376082] [<ffffffff81036618>] ? should_resched+0x5/0x23
[ 436.376089] [<ffffffff8134f56c>] ? _cond_resched+0x7/0x1c
[ 436.376106] [<ffffffff8128125c>] ? move_addr_to_user+0x70/0x8a
[ 436.376123] [<ffffffff81281e90>] ? sys_recvfrom+0xfd/0x12a
[ 436.376139] [<ffffffff81350937>] ? _raw_spin_unlock_irqrestore+0xe/0xf
[ 436.376159] [<ffffffff810fc3b6>] ? fget_light+0x2e/0x7b
[ 436.376175] [<ffffffff81282087>] ? __sys_sendmsg+0x39/0x58
[ 436.376192] [<ffffffff813559d2>] ? system_call_fastpath+0x16/0x1b
[ 436.376203] ---[ end trace dfa37d448a0a925f ]---

It looks like that ipv6_select_ident call in udp6_ufo_fragment was removed in 3.14 by https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=916e4cf46d0204806c062c8c6c4d1f633852c5b6

Cheers,
Julien
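Review bot: the rt == NULL branch sets hash = 0 and jumps straight to the reserve label, so every fragmented packet that reaches ipv6_select_ident() without a route draws its identification from one shared counter instead of the per-(dst, src) bucket that the seeded __ipv6_addr_jhash() calls select. That is acceptable as a stopgap against the NULL dereference, but the commit message should say that rt-less callers now share an identification sequence, and fixing the caller remains the real fix (the 3.14 commit referenced above does exactly that by dropping the ipv6_select_ident() call from udp6_ufo_fragment()). WARN_ON_ONCE() also logs only the first occurrence, so after the trace shown here the fallback path is silent; a rate-limited warning would keep the "how does this happen" signal the commit message asks for.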

References:

https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=916e4cf46d0204806c062c8c6c4d1f633852c5b6
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=766195

