Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 174209 (CVE-2007-1357)

Summary: Kernel: [APPLETALK]: Fix a remotely triggerable crash (CVE-2007-1357)
Product: Gentoo Security Reporter: Sune Kloppenborg Jeppesen (RETIRED) <jaervosz>
Component: KernelAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal    
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=75559c167bddc1254db5bcff032ad5eed8bd6f4a
Whiteboard: [linux < 2.6.20.5][gp < 2.6.20-6] [linux < 2.6.20.5][gp < 2.6.20-6]
Package list:
Runtime testing required: ---

Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-04-11 20:18:37 UTC 
When we receive an AppleTalk frame shorter than what its header says,
 we still attempt to verify its checksum, and trip on the BUG_ON() at
 the end of function atalk_sum_skb() because of the length mismatch.
 
 This has security implications because this can be triggered by simply
 sending a specially crafted ethernet frame to a target victim,
 effectively crashing that host. Thus this qualifies, I think, as a
 remote DoS. Here is the frame I used to trigger the crash, in npg
 format:
 
 <Appletalk Killer>
 {
 # Ethernet header -----
 
   XX XX XX XX XX XX  # Destination MAC
   00 00 00 00 00 00  # Source MAC
   00 1D              # Length
 
 # LLC header -----
 
   AA AA 03
   08 00 07 80 9B  # Appletalk
 
 # Appletalk header -----
 
   00 1B        # Packet length (invalid)
   00 01        # Fake checksum
   00 00 00 00  # Destination and source networks
   00 00 00 00  # Destination and source nodes and ports
 
 # Payload -----
 
   0C 0D 0E 0F 10 11 12 13
   14
 }
 
 The destination MAC address must be set to those of the victim.
 
 The severity is mitigated by two requirements:
 * The target host must have the appletalk kernel module loaded. I
   suspect this isn't so frequent.
 * AppleTalk frames are non-IP, thus I guess they can only travel on
   local networks. I am no network expert though, maybe it is possible
   to somehow encapsulate AppleTalk packets over IP.
 
 The bug has been reported back in June 2004:
   http://bugzilla.kernel.org/show_bug.cgi?id=2979
 But it wasn't investigated, and was closed in July 2006 as both
 reporters had vanished meanwhile.
 
 This code was new in kernel 2.6.0-test5:
   http://git.kernel.org/?p=linux/kernel/git/tglx/history.git;a=commitdiff;h=7ab442d7e0a76402c12553ee256f756097cae2d2
 And not modified since then, so we can assume that vanilla kernels
 2.6.0-test5 and later, and distribution kernels based thereon, are
 affected.
 
 Note that I still do not know for sure what triggered the bug in the
 real-world cases. The frame could have been corrupted by the kernel if
 we have a bug hiding somewhere. But more likely, we are receiving the
 faulty frame from the network.
 
 Signed-off-by: Jean Delvare <jdelvare@suse.de>
 Signed-off-by: David S. Miller <davem@davemloft.net>
Comment 1 unnamedrambler 2008-03-08 19:15:41 UTC 
metadata:
[linux < 2.6.20.5]
f8c08c340b8308ca0afb19d62f71b2b39ccfc9e0

[gp < 2.6.20-6]