Ben Martel and Stephen Blackheath have discovered a denial-of-service attack that a client of pppd can make that can hang the server machine. The bug is in the Linux kernel 2.6 (tested on 2.6.9), but it looks like it also exists in the 2.4 series. The attached test case (which works on Debian) demonstrates the problem, and gives some explanation, as well as a suggested patch. Run it in the following way as any user that is capable of running pppd: ~ g++ -o kernel-dos kernel-dos.cpp ~ ./kernel-dos ** This will hang the kernel. ** kernel-dos spawns /usr/bin/pppd and sends it a ppp packet crafted to trigger the kernel bug. The same problem also exists in Linux 2.4.
Created attachment 51322 [details] POC and comments
Patch from Paul Mackerras : diff -urN linux-2.5/drivers/net/ppp_async.c test/drivers/net/ppp_async.c --- linux-2.5/drivers/net/ppp_async.c 2005-01-21 16:02:12.000000000 +1100 +++ test/drivers/net/ppp_async.c 2005-02-25 10:38:05.000000000 +1100 @@ -1000,7 +1000,7 @@ data += 4; dlen -= 4; /* data[0] is code, data[1] is length */ - while (dlen >= 2 && dlen >= data[1]) { + while (dlen >= 2 && dlen >= data[1] && data[1] >= 2) { switch (data[0]) { case LCP_MRU: val = (data[2] << 8) + data[3];
From Ubuntu latest kernel advisory: Ben Martel and Stephen Blackheath found a remote Denial of Service vulnerability in the PPP driver. This allowed a malicious pppd client to crash the server machine. (CAN-2005-0384)
Mass-Ccing kern-sec@gentoo.org to make sure Kernel Security guys know about all of these...
Fixed in gentoo-dev-sources-2.6.11-r4
mips-sources fixed.
Fixed in usermode-sources-2.6.11
Fixed in ck-sources-2.6.11-r7
Fixed in 2.4 since 2.4.30-rc1 From solar : grsec-sources-2.4.30 is in the tree as ~arch. Note for other bumpers of 2.4.x series. CAN-2004-1056.patch and linux-2.4.28-random-poolsize.patch have never been applied to mainline.
All fixed, closing bug.
http://git.kernel.org/?p=linux/kernel/git/tglx/history.git;a=commit;h=2b68239ff70ab5ff848181db88a967b67f744e25