Bugzilla – Bug 848079
VUL-1: CVE-2013-4348: kernel: endless loop in skb_flow_dissect
Last modified: 2015-02-19 10:16:25 UTC
EMBARGOED until Oct 31, via linux-distros CVE-2013-4348

Jason Wang <jasowang@redhat.com> writes:

There's a deadloop path in skb_flow_dissect():

bool skb_flow_dissect(const struct sk_buff *skb, struct flow_keys *flow)
{
..
ip:
	iph = skb_header_pointer(skb, nhoff, sizeof(_iph), &_iph);
	if (!iph)
		return false;
	if (ip_is_fragment(iph))
		ip_proto = 0;
	else
		ip_proto = iph->protocol;
	iph_to_flow_copy_addrs(flow, iph);
	nhoff += iph->ihl * 4;
	break;
..

Here the code does not check whether iph->ihl is zero, which may cause a deadloop on a malicious IPIP packet whose ihl is zero. See the above code for IPIP, since the pointer was not moved ahead.

..
	case IPPROTO_IPIP:
		proto = htons(ETH_P_IP);
		goto ip;
..
}

skb_flow_dissect() is used in several places:

- packet schedulers that want to classify flows
- skb_get_rxhash(), which will be used by RPS, vxlan, multiqueue tap, macvtap packet fanout
- skb_probe_transport_header(), which was used for probing the transport header of DODGY packets
- __skb_get_poff(), which will be used by the socket filter

So this could be used to DOS both local and remote machines. I was able to

- DOS the local host machine
- DOS the local host machine by running the reproducer in a guest
- DOS one guest with RPS enabled by running the reproducer in another guest on the same host.

I believe it could also be used to DOS a remote machine, but I didn't try.

The issue was introduced by commit 0744dd00c1b1be99a25b62b1b48df440e82e57e0 (net: introduce skb_flow_dissect()).

The fix looks easy, just fail when iph->ihl is zero.

diff --git a/net/core/flow_dissector.c b/net/core/flow_dissector.c
index 0ff42f0..286db61 100644
--- a/net/core/flow_dissector.c
+++ b/net/core/flow_dissector.c
@@ -40,7 +40,7 @@ again:
 struct iphdr _iph;
 ip:
 iph = skb_header_pointer(skb, nhoff, sizeof(_iph), &_iph);
- if (!iph)
+ if (!iph || !iph->ihl)
 return false;
 if (ip_is_fragment(iph))
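Review bot: the new condition `+ if (!iph || !iph->ihl)` only rejects ihl == 0, but any IHL below 5 is also an impossible IPv4 header (the minimum header is 20 bytes, i.e. IHL 5); with ihl in 1..4 the `nhoff += iph->ihl * 4` that follows advances by fewer bytes than the 20 that skb_header_pointer() just pulled, so the next pass re-parses bytes of the same header. Checking `iph->ihl < 5` closes the zero-length loop and that case together. A one-line comment above the check saying that the IPPROTO_IPIP `goto ip` re-enters here with nhoff unchanged when ihl is 0 would make the reason for the test obvious to the next reader.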
introduced by commit 0744dd00c1b1be99a25b62b1b48df440e82e57e0 Author: Eric Dumazet <eric.dumazet@gmail.com> Date: Mon Nov 28 05:22:18 2011 +0000 during 3.2 development
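As an added illustration of the loop described in the report (this is example code, not the bug report's reproducer or the kernel's source), the C model below walks an outer IPv4 header into its IPIP inner header the way the dissector does, with and without the ihl check; `dissect_ipv4`, `run_case`, the `MAX_STEPS` bound and the constructed 40-byte packet are assumptions of the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define IPPROTO_IPIP_ 4      /* IPv4-in-IPv4 protocol number */
#define MAX_STEPS 64         /* bound added here so the unpatched loop returns instead of hanging */

/* Models the IPv4/IPIP path of skb_flow_dissect() over a plain byte buffer (a
 * constructed model, not the kernel's sk_buff API). check_ihl=false reproduces
 * the unpatched loop, true applies the fix. Returns steps taken or -1 if rejected. */
int dissect_ipv4(const uint8_t *pkt, size_t len, bool check_ihl)
{
    size_t nhoff = 0;                   /* offset of the header being parsed */
    int steps = 0;
    for (;;) {
        if (++steps > MAX_STEPS)
            return steps;               /* the real kernel would spin here forever */
        if (nhoff + 20 > len)
            return -1;                  /* skb_header_pointer() fails: header truncated */
        uint8_t ihl = pkt[nhoff] & 0x0f;
        /* The page's patch tests ihl == 0; 5 is IPv4's minimum IHL, so "< 5"
         * rejects the same packet plus headers too short to be valid. */
        if (check_ihl && ihl < 5)
            return -1;
        uint8_t proto = pkt[nhoff + 9];
        nhoff += (size_t)ihl * 4;       /* ihl == 0 leaves nhoff where it was */
        if (proto == IPPROTO_IPIP_)
            continue;                   /* "goto ip": parse the inner header */
        return steps;
    }
}

/* Builds a constructed 40-byte outer+inner IPv4 pair and runs the dissector on it. */
int run_case(uint8_t outer_ihl, bool check_ihl)
{
    uint8_t buf[40] = {0};
    buf[0] = 0x40 | (outer_ihl & 0x0f); /* outer: version 4, IHL under test */
    buf[9] = IPPROTO_IPIP_;             /* outer protocol: IPIP */
    buf[20] = 0x45;                     /* inner: version 4, IHL 5 */
    buf[29] = 6;                        /* inner protocol: TCP */
    return dissect_ipv4(buf, sizeof(buf), check_ihl);
}

int main(void)
{
    printf("ihl=0 unpatched: %d steps (loop hit the bound)\n", run_case(0, false));
    printf("ihl=0 patched: %d (rejected), ihl=5 patched: %d steps\n", run_case(0, true), run_case(5, true));
    return 0;
}
```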
bugbot adjusting priority
Not affecting any TD branch
public https://git.kernel.org/cgit/linux/kernel/git/davem/net.git/commit/?id=6f092343855a71e03b8d209815d8c45bf3a27fcd
SLE12: has it.
SLE11-SP2: not affected, flow dissector came in 3.3.
oS12.2: has it.
oS12.3: applied.
oS13.1: has it.
Closing.
openSUSE-SU-2014:0204-1: An update that solves 16 vulnerabilities and has 12 fixes is now available.

Category: security (important)
Bug References: 804950,805226,808358,811746,825006,831836,838024,840226,840656,844513,848079,848255,849021,849023,849029,849034,849362,852373,852558,852559,853050,853051,853052,853053,854173,854634,854722,860993
CVE References: CVE-2013-0343,CVE-2013-1792,CVE-2013-4348,CVE-2013-4511,CVE-2013-4513,CVE-2013-4514,CVE-2013-4515,CVE-2013-4587,CVE-2013-6367,CVE-2013-6368,CVE-2013-6376,CVE-2013-6378,CVE-2013-6380,CVE-2013-6431,CVE-2013-7027,CVE-2014-0038
Sources used:
openSUSE 12.3 (src): kernel-docs-3.7.10-1.28.2, kernel-source-3.7.10-1.28.1, kernel-syms-3.7.10-1.28.1