Debian Linux Kernel 3.2.63 Remote Denial of Service

105   2019-08-05 08:08   nipc
Vulnerability information
Vulnerability ID: 1311
CVE ID: CVE-2014-7207
Vulnerability type: -
Source: cxs
Published: 2014-11-02
CVSS
CVSS score: 4.9/10
Severity: Medium
Exploit range: Local
Attack complexity: Low
Authentication: Not required
Vulnerability description

Source entry: WLB-2014110006, http://cxsecurity.com/issue/WLB-2014110006
Title: Debian Linux Kernel 3.2.63 Remote Denial of Service
Date: 2014.11.02
Author: Julien
Risk: Medium
CVE: CVE-2014-7207
Local: No
Remote: Yes
CVSS base score: 4.9/10
Impact subscore: 6.9/10
Exploitability subscore: 3.9/10
Access vector: Local
Authentication: Not required
Availability impact: Complete
Confidentiality impact: None
Integrity impact: None

POC

Hi,

after the latest point release some debian.org hosts became unreliable.
That was tracked down to a panic in the networking code. Ben provided a
test patch:

From: Ben Hutchings <ben@decadent.org.uk>
Date: Tue, 21 Oct 2014 00:49:22 +0100
Subject: ipv6: ipv6_select_ident: handle null rt
Forwarded: not-needed

In Linux 3.2, ipv6_select_ident() can apparently still be called with
rt == NULL and must avoid dereferencing it in this case.

We should probably fix the callers, so WARN_ON_ONCE to get a clue
about how this happens.

---
--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -604,13 +604,18 @@ void ipv6_select_ident(struct frag_hdr *
static bool hashrnd_initialized = false;
u32 hash, id;

+ if (WARN_ON_ONCE(!rt)) {
+ hash = 0;
+ goto reserve;
+ }
+
if (unlikely(!hashrnd_initialized)) {
hashrnd_initialized = true;
get_random_bytes(&ip6_idents_hashrnd, sizeof(ip6_idents_hashrnd));
}
hash = __ipv6_addr_jhash(&rt->rt6i_dst.addr, ip6_idents_hashrnd);
hash = __ipv6_addr_jhash(&rt->rt6i_src.addr, hash);
-
+reserve:
id = ip_idents_reserve(hash, 1);
fhdr->identification = htonl(id);
}

which resulted in the following trace:

[ 436.375412] ------------[ cut here ]------------
[ 436.375439] WARNING: at /usr/src/linux-3.2.63/net/ipv6/ip6_output.c:607 ipv6_select_ident+0x28/0x8b()
[ 436.375446] Hardware name: ProLiant DL585 G2
[ 436.375451] Modules linked in: ipmi_devintf ip6t_REJECT ip6t_LOG nf_conntrack_ipv6 nf_defrag_ipv6 ip6table_filter ip6_tables ipt_REJECT ipt_ULOG xt_tcpudp nf_conntrack_ipv4 nf_defrag_ipv4 xt_state nf_conntrack ses xt_hashlimit enclosure xt_multiport iptable_filter ip_tables x_tables crc32c ib_iser rdma_cm ib_addr iw_cm ib_cm ib_sa ib_mad ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi bridge sd_mod dm_round_robin crc_t10dif bonding xfs ext4 crc16 jbd2 hmac drbd lru_cache 8021q garp stp dm_snapshot loop dm_multipath scsi_dh vhost_net tun macvtap macvlan kvm_amd kvm radeon ttm ipmi_si drm_kms_helper ipmi_msghandler k8temp powernow_k8 mperf hpilo drm power_supply i2c_algo_bit shpchp amd64_edac_mod edac_mce_amd edac_core psmouse hpwdt i2c_core snd_pcm snd_page_alloc snd_timer snd soundcore processor cdc_acm pcspkr evdev serio_raw container button thermal_sys ext3 mbcache jbd dm_mod usbhid hid sg sr_mod cdrom hpsa ata_generic lpfc pata_amd uhci_hcd libata scsi_transport_fc scsi_tgt ohci_hcd bnx2 ehci_hcd cciss scsi_mod usbcore usb_common [last unloaded: scsi_wait_scan]
[ 436.375642] Pid: 12085, comm: unbound Not tainted 3.2.0-4-amd64 #1 Debian 3.2.63-2a~test
[ 436.375647] Call Trace:
[ 436.375666] [<ffffffff81046d61>] ? warn_slowpath_common+0x78/0x8c
[ 436.375676] [<ffffffff812ff40f>] ? ipv6_select_ident+0x28/0x8b
[ 436.375685] [<ffffffff81311411>] ? udp6_ufo_fragment+0x124/0x1a2
[ 436.375696] [<ffffffff812fd569>] ? ipv6_gso_segment+0xb8/0x14e
[ 436.375705] [<ffffffff81036273>] ? __wake_up_common+0x40/0x77
[ 436.375715] [<ffffffff812905b4>] ? skb_gso_segment+0x208/0x28b
[ 436.375725] [<ffffffff81037f7b>] ? __wake_up+0x35/0x46
[ 436.375734] [<ffffffff81071295>] ? arch_local_irq_save+0x11/0x17
[ 436.375746] [<ffffffff813508f9>] ? _raw_spin_lock_irqsave+0x9/0x25
[ 436.375756] [<ffffffff8105266a>] ? lock_timer_base.isra.29+0x23/0x47
[ 436.375764] [<ffffffff81350937>] ? _raw_spin_unlock_irqrestore+0xe/0xf
[ 436.375771] [<ffffffff81052926>] ? __mod_timer+0x139/0x14b
[ 436.375781] [<ffffffff8104c2c9>] ? _local_bh_enable_ip.isra.11+0x1e/0x88
[ 436.375794] [<ffffffffa06b159a>] ? ip6t_do_table+0x5b2/0x5e4 [ip6_tables]
[ 436.375805] [<ffffffff81292337>] ? dev_hard_start_xmit+0x32d/0x518
[ 436.375814] [<ffffffff812b28bd>] ? nf_iterate+0x41/0x77
[ 436.375823] [<ffffffff812a8a63>] ? sch_direct_xmit+0x61/0x135
[ 436.375833] [<ffffffff812927e4>] ? dev_queue_xmit+0x2c2/0x46b
[ 436.375856] [<ffffffffa05db84b>] ? br_dev_queue_push_xmit+0x9b/0x9f [bridge]
[ 436.375871] [<ffffffffa05da31d>] ? br_dev_xmit+0x12e/0x142 [bridge]
[ 436.375880] [<ffffffff812923dc>] ? dev_hard_start_xmit+0x3d2/0x518
[ 436.375888] [<ffffffff812ffc73>] ? ip6_fragment+0x801/0x801
[ 436.375
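Review bot: the early-out added at the top of ipv6_select_ident() stops the NULL dereference but leaves the root cause in the caller, as the commit message itself concedes ("We should probably fix the callers"), and the trace above already names that caller: udp6_ufo_fragment() reached from ipv6_gso_segment() on the bridge transmit path (br_dev_xmit -> dev_hard_start_xmit -> skb_gso_segment), so a follow-up should make that path supply a valid rt or stop calling ipv6_select_ident() without one. Two smaller points on the hunk: with "hash = 0; goto reserve;" every NULL-rt fragment draws from the same ip_idents_reserve() bucket, so those identification values are consecutive and independent of source and destination, losing the per-flow spread that the two __ipv6_addr_jhash() lines provide; and WARN_ON_ONCE fires only on the first hit, so once this trace has been seen any other NULL-rt caller will be served the hash = 0 path silently. A rate-limited warning would keep reporting the remaining callers while they are being tracked down.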