Hello,

Secunia Research at Flexera has discovered a vulnerability in Linux Kernel, which can be exploited by malicious, local users to cause a DoS (Denial of Service).
Details:
-----------------
After a bit of fuzzing and some debugging, I've prepared a program that triggers a BUG() failure at net/core/skbuff.c:104. It happens when an SCTP ABORT message is about to be sent. The main problem seems to be with the data size/length. This becomes a problem when the flow reaches the "skb_put()" function (net/core/skbuff.c) and the "unlikely()" condition is met.

I have just checked the reproducer against the current David Miller net-tree and it doesn't seem to be addressed yet.

Proof-of-Concept:
-----------------
I wasn't sure if I should share the reproducer via this email. Please let me know what's the preferred channel.

Kernel crash message:

[   31.900829] skbuff: skb_over_panic: text:00000000d6dff053 len:68556 put:68544 head:000000001a927f7f data:0000000001696ac8 tail:0x10c84 end:0xec0 dev:<NULL>
[   31.902421] ------------[ cut here ]------------
[   31.902968] kernel BUG at net/core/skbuff.c:104!
[   31.903559] invalid opcode: 0000 [#1] SMP KASAN PTI
[   31.904159] Modules linked in:
[   31.904541] CPU: 1 PID: 3458 Comm: repro Not tainted 4.15.0+ #2
[   31.905416] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[   31.906749] RIP: 0010:skb_panic+0x152/0x1d0
[   31.907211] RSP: 0018:ffff880066f766a0 EFLAGS: 00010282
[   31.907762] RAX: 000000000000008f RBX: ffff8800641ae2c0 RCX: 0000000000000000
[   31.908527] RDX: 000000000000008f RSI: 1ffff1000cdeec99 RDI: ffffed000cdeecc8
[   31.909287] RBP: ffffffff84a2efc0 R08: 1ffff1000cdeec6d R09: 0000000000000000
[   31.910022] R10: 0000000000000001 R11: 0000000000000000 R12: ffffffff83c920f0
[   31.910770] R13: 0000000000010bc0 R14: ffffffff84a2e860 R15: 0000000000000ec0
[   31.911514] FS:  00007f4face87700(0000) GS:ffff88006cf00000(0000) knlGS:0000000000000000
[   31.912367] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   31.912973] CR2: 0000000020020fe5 CR3: 0000000069288000 CR4: 00000000000006e0
[   31.913708] Call Trace:
[   31.914534]  skb_put+0x178/0x1c0
[   31.914890]  sctp_packet_transmit+0x1120/0x3740
[   31.924671]  sctp_outq_flush+0x113a/0x3b90
[   31.963822]  sctp_do_sm+0x4a5c/0x65c0
[   31.973685]  sctp_primitive_ABORT+0x99/0xc0
[   31.974457]  sctp_sendmsg+0x1bb4/0x33a0
[   31.987812]  inet_sendmsg+0x125/0x580
[   31.991609]  sock_sendmsg+0xc0/0x100
[   31.992320]  ___sys_sendmsg+0x714/0x900
[   31.999903]  __sys_sendmsg+0xbd/0x1e0
[   32.002942]  SyS_sendmsg+0x27/0x40
[   32.003585]  entry_SYSCALL_64_fastpath+0x18/0x85
[   32.004461] RIP: 0033:0x7f4fada2472d
[   32.005130] RSP: 002b:00007f4face86ec0 EFLAGS: 00000293
[   32.005138] Code: 03 0f b6 04 01 84 c0 74 04 3c 03 7e 20 8b 4b 78 41 56 45 89 e8 41 57 56 48 c7 c7 a0 e8 a2 84 52 48 89 ee 4c 89 e2 e8 00 bd 2d fe <0f> 0b 4c 89 4c 24 10 48 89 54 24 08 48 89 34 24 e8 b9 15 72 fe
[   32.009658] RIP: skb_panic+0x152/0x1d0 RSP: ffff880066f766a0
[   32.010756] ---[ end trace 239ba69b984ccf99 ]---

Closing Comments:
-----------------
We have assigned the vulnerability Secunia Advisory SA81331. A preliminary release date has been set to February 21st, 2018 for the publication of our advisory. However, we are naturally prepared to push the disclosure date in accordance with the Secunia Research Disclosure Policy [1], if you need more time to address the vulnerability, as long as you keep us updated on the status.

Please don't hesitate to contact us for assistance with confirming/reproducing the reported vulnerability.

Credits should go to: "Jakub Jirasek, Secunia Research at Flexera"

In the case that a HTTPS URL is allowed within the mentioning of the credits on e.g. your web site, then please utilize the link [2], which could be made to trigger by clicking on the "Secunia Research" parts of the credits, for example. We highly appreciate the effort.

Please acknowledge receiving this e-mail and let us know when you expect to fix the vulnerability.
References:
[1] https://secuniaresearch.flexerasoftware.com/community/research/policy/
[2] https://www.flexerasoftware.com/enterprise/company/about/secunia-research/

---
Kind Regards,

Jakub Jirasek
Team Lead Information Security Analyst
Secunia Research at Flexera

Arne Jacobsens Allé 7, 5th floor
2300 Copenhagen S
Denmark
Phone +45 7020 5144
http://www.flexera.com
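Editor's note, added below the report: the skb_over_panic line above is enough to see why the "unlikely()" condition in skb_put() fires. skb_put() advances skb->tail and skb->len by the requested length first and only then compares tail against end, so the printed len:68556 and tail:0x10c84 are post-increment values. The following userspace model is illustrative code written for this page; it is not kernel code and not the reporter's reproducer. The struct and function names (skb_model, model_skb_put, model_skb_put_checked, state_before_put) are invented for the example; the `data` offset it derives is computed as tail minus len and is not taken from the log, whose head/data values are hashed pointers. It mirrors the skb_put()/skb_tailroom() arithmetic, reconstructs the pre-put state from the reported numbers, and contrasts the unchecked put with the usual defensive pattern of bounding the length against the tailroom before appending.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/*
 * Userspace model of the sk_buff fields that skb_put() touches. This is
 * illustrative code for this page, not kernel code and not the reporter's
 * reproducer. Offsets are measured from skb->head, which is how tail/end
 * are printed in the skb_over_panic line.
 */
struct skb_model {
    size_t len;   /* skb->len: payload bytes currently in the buffer */
    size_t data;  /* offset of skb->data from head (derived, not from the log) */
    size_t tail;  /* skb->tail: offset of the payload end */
    size_t end;   /* skb->end: offset of the end of the allocation */
};

/* Same arithmetic as skb_tailroom(): bytes that can still be appended. */
static size_t model_tailroom(const struct skb_model *skb)
{
    return skb->end - skb->tail;
}

/*
 * Same arithmetic as skb_put(): tail and len are advanced first and only
 * then compared against end. In the kernel, tail > end calls
 * skb_over_panic(), which prints the post-increment values and BUG()s.
 * Here the overrun is reported as a return value instead of a crash.
 */
static bool model_skb_put(struct skb_model *skb, size_t put)
{
    skb->tail += put;
    skb->len  += put;
    return skb->tail <= skb->end;
}

/*
 * Defensive pattern: bound the length against the tailroom *before*
 * calling skb_put(), so an oversized caller-controlled length is rejected
 * instead of reaching the BUG(). On rejection the buffer is untouched.
 */
static bool model_skb_put_checked(struct skb_model *skb, size_t put)
{
    if (put > model_tailroom(skb))
        return false;
    return model_skb_put(skb, put);
}

/*
 * Reconstruct the buffer state just before the failing skb_put() from the
 * numbers in the panic line. Because skb_put() increments before it
 * checks, the printed len and tail already include `put`; subtracting it
 * recovers the pre-put state.
 */
static struct skb_model state_before_put(size_t len_after, size_t put,
                                         size_t tail_after, size_t end)
{
    struct skb_model m;
    m.len  = len_after - put;
    m.tail = tail_after - put;
    m.data = m.tail - m.len;   /* data = tail - len for a linear skb */
    m.end  = end;
    return m;
}

/* Values copied from the reported panic line:
 * len:68556 put:68544 tail:0x10c84 end:0xec0 */
#define PANIC_LEN_AFTER  68556u
#define PANIC_PUT        68544u
#define PANIC_TAIL_AFTER 0x10c84u
#define PANIC_END        0xec0u

int main(void)
{
    struct skb_model before = state_before_put(PANIC_LEN_AFTER, PANIC_PUT,
                                               PANIC_TAIL_AFTER, PANIC_END);
    struct skb_model unchecked = before, checked = before;

    printf("before put: len=%zu tail=0x%zx end=0x%zx tailroom=%zu\n",
           before.len, before.tail, before.end, model_tailroom(&before));

    if (!model_skb_put(&unchecked, PANIC_PUT))
        printf("unchecked skb_put(%u): tail=0x%zx > end=0x%zx -> BUG() in the kernel\n",
               PANIC_PUT, unchecked.tail, unchecked.end);

    if (!model_skb_put_checked(&checked, PANIC_PUT))
        printf("checked put rejected: tail still 0x%zx, tailroom %zu\n",
               checked.tail, model_tailroom(&checked));
    return 0;
}
```

Run stand-alone, the model shows that only 3580 bytes of tailroom (0xec0 minus the pre-put tail of 0xc4) were available when 68544 bytes were appended, which is the overrun the kernel turned into a BUG(). The checked variant leaves the buffer untouched and lets the caller fail the send instead.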