Bug 82201 - Remote Linux DoS on ppp servers (CAN-2005-0384)
Summary: Remote Linux DoS on ppp servers (CAN-2005-0384)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Kernel
Hardware: All All
Importance: High critical
Assignee: Gentoo Security
URL: http://www.ubuntulinux.org/support/do...
Whiteboard: [linux < 2.4.30] [linux >= 2.6 < 2.6....
Keywords:
Depends on:
Blocks:
 
Reported: 2005-02-15 22:13 UTC by Sune Kloppenborg Jeppesen (RETIRED)
Modified: 2009-05-03 15:00 UTC
CC List: 1 user

See Also:
Package list:
Runtime testing required: ---


Attachments
POC and comments (kernel-dos.cpp, 12.72 KB, application/octet-stream)
2005-02-15 22:16 UTC, Sune Kloppenborg Jeppesen (RETIRED)

Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-02-15 22:13:45 UTC
Ben Martel and Stephen Blackheath have discovered a denial-of-service attack that a client of pppd can make that can hang the server machine. The bug is in the Linux kernel 2.6 (tested on 2.6.9), but it looks like it also exists in the 2.4 series.

The attached test case (which works on Debian) demonstrates the problem,
and gives some explanation, as well as a suggested patch.

Run it in the following way as any user that is capable of running pppd:

~  g++ -o kernel-dos kernel-dos.cpp
~  ./kernel-dos

** This will hang the kernel. **

kernel-dos spawns /usr/bin/pppd and sends it a ppp packet crafted to
trigger the kernel bug.


The same problem also exists in Linux 2.4.
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-02-15 22:16:18 UTC
Created attachment 51322 [details]
POC and comments
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2005-03-02 06:18:34 UTC
Patch from Paul Mackerras:

diff -urN linux-2.5/drivers/net/ppp_async.c test/drivers/net/ppp_async.c
--- linux-2.5/drivers/net/ppp_async.c	2005-01-21 16:02:12.000000000 +1100
+++ test/drivers/net/ppp_async.c	2005-02-25 10:38:05.000000000 +1100
@@ -1000,7 +1000,7 @@
 	data += 4;
 	dlen -= 4;
 	/* data[0] is code, data[1] is length */
-	while (dlen >= 2 && dlen >= data[1]) {
+	while (dlen >= 2 && dlen >= data[1] && data[1] >= 2) {
 		switch (data[0]) {
 		case LCP_MRU:
 			val = (data[2] << 8) + data[3];
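Review bot: the added data[1] >= 2 test closes the case the two existing tests let through: an option whose length byte is 0 or 1 satisfies both dlen >= 2 and dlen >= data[1], yet covers less than its own two-byte code/length header, so the walk over data cannot make well-formed progress on it. Two follow-ups for the same loop: the LCP_MRU case at the end of the hunk still reads data[2] and data[3], i.e. four option bytes, while the new guard only guarantees two, so a length-2 or length-3 MRU option is parsed from bytes its length field does not cover; a per-option length check (an LCP MRU option is fixed at four bytes) would close that. Also extend the "/* data[0] is code, data[1] is length */" comment to say why 2 is the minimum, so the constant is not a magic number.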
Comment 3 Thierry Carrez (RETIRED) gentoo-dev 2005-03-16 02:21:53 UTC
From Ubuntu latest kernel advisory:

Ben Martel and Stephen Blackheath found a remote Denial of Service
vulnerability in the PPP driver. This allowed a malicious pppd client
to crash the server machine. (CAN-2005-0384)
Comment 4 Thierry Carrez (RETIRED) gentoo-dev 2005-03-16 03:16:45 UTC
Mass-Ccing kern-sec@gentoo.org to make sure Kernel Security guys know about all
of these...
Comment 5 Daniel Drake (RETIRED) gentoo-dev 2005-03-19 06:18:02 UTC
Fixed in gentoo-dev-sources-2.6.11-r4
Comment 6 Joshua Kinard gentoo-dev 2005-04-23 22:25:23 UTC
mips-sources fixed.
Comment 7 Daniel Drake (RETIRED) gentoo-dev 2005-04-29 17:40:21 UTC
Fixed in usermode-sources-2.6.11
Comment 8 Daniel Drake (RETIRED) gentoo-dev 2005-05-10 15:34:00 UTC
Fixed in ck-sources-2.6.11-r7
Comment 9 Thierry Carrez (RETIRED) gentoo-dev 2005-05-23 05:00:55 UTC
Fixed in 2.4 since 2.4.30-rc1

From solar:
grsec-sources-2.4.30 is in the tree as ~arch.

Note for other bumpers of the 2.4.x series:
CAN-2004-1056.patch and linux-2.4.28-random-poolsize.patch have never been applied to mainline.
Comment 10 Tim Yamin (RETIRED) gentoo-dev 2005-08-20 11:38:40 UTC
All fixed, closing bug.