Bug 63545 (CVE-2004-1016)

Summary: VUL-0: CVE-2004-1016: kernel: denial of service condition in AF_INET / DGRAM sendmsg
Product: [Novell Products] SUSE Security Incidents Reporter: Marcus Meissner <meissner>
Component: IncidentsAssignee: Marcus Meissner <meissner>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: security-team
Version: unspecified   
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: CVE-2004-1016: CVSS v2 Base Score: 2.1 (AV:L/AC:L/Au:N/C:N/I:N/A:P)
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Attachments: mail.txt
2.6 patch from Herbert Xu

Description Marcus Meissner 2004-11-25 21:42:10 UTC 
paul starzetz reported this denial of service problem in kernels <= 2.4.28. 
 
see attached mail
Comment 1 Marcus Meissner 2004-11-25 21:42:10 UTC 
<!-- SBZ_reproduce  -->
the mail contains a sample crash program.
Comment 2 Marcus Meissner 2004-11-25 21:44:29 UTC 
Created attachment 26456 [details]
mail.txt
Comment 3 Hubert Mantel 2004-11-25 23:23:24 UTC 
Need fix :/
Comment 4 Marcus Meissner 2004-11-25 23:38:31 UTC 
CAN-2004-1016 
 
not public yet. 
 
I think, net/ipv4/ip_sockglue.c::ip_cmsg_send() needs 
a more sensible check that we do not loop back to an old cmsg header. 
 
lets see if vendor-sec brings something up.
Comment 5 Marcus Meissner 2004-11-25 23:46:24 UTC 
the problem seems that it can go into an endless loop. so very easy local 
denial of service.
Comment 6 Marcus Meissner 2004-11-29 20:35:08 UTC 
Created attachment 26520 [details]
2.6 patch from Herbert Xu

Resent-Message-Id: <200411291228.iATCSi8X031567@verein.lst.de>
To: "David S. Miller" <davem@davemloft.net>
Cc: vendor-sec <vendor-sec@lst.de>, Paul Starzetz <ihaquer@isec.pl>,
	Mark J Cox <mjc@redhat.com>, security@isec.pl,
	Martin Pitt <martin.pitt@canonical.com>
Subject: Re: [vendor-sec] Linux kernel <= 2.4.28 DoS
User-Agent: Mutt/1.5.6+20040722i
From: Herbert Xu <herbert@gondor.apana.org.au>
Errors-To: vendor-sec-admin@lst.de
Date: Sat, 27 Nov 2004 12:15:00 +1100

On Thu, 25 Nov 2004, Parul Starzetz wrote:
>
> below a non privileged version of your favourite setuid /sbin/halt=20
> command. On SMP machines you may need to start it few times.

Thanks for the program Paul.

This patch should fix the cmsg_len checking for 2.6.  A 2.4 backport
should be straightforward.

BTW, preempt will mitigate the effects of this particular attack.
However, there may well be other ways to exploit this through the
messages themselves.

Cheers,
Comment 7 Marcus Meissner 2004-11-29 20:40:16 UTC 
not yet disclosed! 
 
patch should be reviewed, might not be final yet. 
 
ccing networking guru ak too.
Comment 8 Olaf Kirch 2004-11-29 20:47:15 UTC 
The patch look sane.
Comment 9 Marcus Meissner 2004-12-09 21:44:28 UTC 
is now public. (in bitkeeper = public)
Comment 10 Marcus Meissner 2004-12-13 17:13:14 UTC 
patch is in, marcus -> tracking
Comment 11 Marcus Meissner 2004-12-22 04:37:30 UTC 
updates and advisory released.
Comment 12 Thomas Biege 2009-10-13 20:00:54 UTC 
CVE-2004-1016: CVSS v2 Base Score: 2.1 (AV:L/AC:L/Au:N/C:N/I:N/A:P)