First Last Prev Next    No search results available      Search page      Enter new bug
Bug#: 82201
Alias:
Product:
Component:
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Hardware:
OS:
Version:
Priority:
Severity:
Reporter: Sune Kloppenborg Jeppesen <jaervosz@gentoo.org>
Add CC:
CC:
Remove selected CCs
URL:
Summary:
Status Whiteboard:
Keywords:
Flags: Requestee:
 
 
  ()

Filename Description Type Creator Created Size Actions
kernel-dos.cpp POC and comments application/octet-stream Sune Kloppenborg Jeppesen 2005-02-15 22:16 0000 12.72 KB Details
Create a New Attachment (proposed patch, testcase, etc.) View All

Bug 82201 depends on: Show dependency tree
Show dependency graph
Bug 82201 blocks:

Additional Comments: (this is where you put emerge --info)







View Bug Activity   |   Format For Printing   |   XML   |   Clone This Bug

Description:   Opened: 2005-02-15 22:13 0000 
Ben Martel and Stephen Blackheath have discovered a denial-of-service attack
that a client of pppd can make that can hang the server machine.  The bug is in
the Linux kernel 2.6 (tested on 2.6.9), but it looks like it also exists
in the 2.4 series.

The attached test case (which works on Debian) demonstrates the problem,
and gives some explanation, as well as a suggested patch.

Run it in the following way as any user that is capable of running pppd:

~  g++ -o kernel-dos kernel-dos.cpp
~  ./kernel-dos

** This will hang the kernel. **

kernel-dos spawns /usr/bin/pppd and sends it a ppp packet crafted to
trigger the kernel bug.


The same problem also exists in Linux 2.4.

------- Comment #1 From Sune Kloppenborg Jeppesen 2005-02-15 22:16:18 0000 ------- 
Created an attachment (id=51322) [edit]
POC and comments

------- Comment #2 From Thierry Carrez (RETIRED) 2005-03-02 06:18:34 0000 ------- 
Patch from Paul Mackerras :

diff -urN linux-2.5/drivers/net/ppp_async.c test/drivers/net/ppp_async.c
--- linux-2.5/drivers/net/ppp_async.c	2005-01-21 16:02:12.000000000 +1100
+++ test/drivers/net/ppp_async.c	2005-02-25 10:38:05.000000000 +1100
@@ -1000,7 +1000,7 @@
 	data += 4;
 	dlen -= 4;
 	/* data[0] is code, data[1] is length */
-	while (dlen >= 2 && dlen >= data[1]) {
+	while (dlen >= 2 && dlen >= data[1] && data[1] >= 2) {
 		switch (data[0]) {
 		case LCP_MRU:
 			val = (data[2] << 8) + data[3];

------- Comment #3 From Thierry Carrez (RETIRED) 2005-03-16 02:21:53 0000 ------- 
From Ubuntu latest kernel advisory:

Ben Martel and Stephen Blackheath found a remote Denial of Service
vulnerability in the PPP driver. This allowed a malicious pppd client
to crash the server machine. (CAN-2005-0384)

------- Comment #4 From Thierry Carrez (RETIRED) 2005-03-16 03:16:45 0000 ------- 
Mass-Ccing kern-sec@gentoo.org to make sure Kernel Security guys know about all
of these...

------- Comment #5 From Daniel Drake 2005-03-19 06:18:02 0000 ------- 
Fixed in gentoo-dev-sources-2.6.11-r4

------- Comment #6 From Joshua Kinard 2005-04-23 22:25:23 0000 ------- 
mips-sources fixed.

------- Comment #7 From Daniel Drake 2005-04-29 17:40:21 0000 ------- 
Fixed in usermode-sources-2.6.11

------- Comment #8 From Daniel Drake 2005-05-10 15:34:00 0000 ------- 
Fixed in ck-sources-2.6.11-r7

------- Comment #9 From Thierry Carrez (RETIRED) 2005-05-23 05:00:55 0000 ------- 
Fixed in 2.4 since 2.4.30-rc1

From solar :
grsec-sources-2.4.30 is in the tree as ~arch.

Note for other bumpers of 2.4.x series.
CAN-2004-1056.patch and linux-2.4.28-random-poolsize.patch have never 
been applied to mainline.

------- Comment #10 From Tim Yamin (RETIRED) 2005-08-20 11:38:40 0000 ------- 
All fixed, closing bug.
First Last Prev Next    No search results available      Search page      Enter new bug