Bug 65857 (CVE-2005-0384)

Summary: VUL-0: CVE-2005-0384: kernel: remote DoS in PPP code
Product: [Novell Products] SUSE Security Incidents Reporter: Thomas Biege <thomas>
Component: IncidentsAssignee: Marcus Meissner <meissner>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: ihno, mfrueh, patch-request, security-team
Version: unspecified   
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: CVE-2005-0384: CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
Found By: Other Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Attachments: kernel-ppp-dos.cpp
kernel-ppp-dos.diff
Proposed patch

Description Thomas Biege 2005-02-15 22:22:07 UTC 
Hi, 
from vendor-sec (not public) 
 
From: Martin Schulze <joey@infodrom.org> 
To: Free Software Distribution Vendors <vendor-sec@lst.de> 
Cc: Marcelo Tosatti <marcelo.tosatti@cyclades.com> 
User-Agent: Mutt/1.5.6+20040907i 
Subject: [vendor-sec] CAN-2005-0384: Remote Linux DoS on ppp servers 
Errors-To: vendor-sec-admin@lst.de 
Date: Tue, 15 Feb 2005 09:16:26 +0100 
 
Ben Martel and Stephen Blackheath have discovered a denial-of-service 
attack that a 
client of pppd can make that can hang the server machine.  The bug is in 
the Linux kernel 2.6 (tested on 2.6.9), but it looks like it also exists 
in the 2.4 series. 
 
The attached test case (which works on Debian) demonstrates the problem, 
and gives some explanation, as well as a suggested patch. 
 
Run it in the following way as any user that is capable of running pppd: 
 
~  g++ -o kernel-dos kernel-dos.cpp 
~  ./kernel-dos 
 
** This will hang the kernel. ** 
 
kernel-dos spawns /usr/bin/pppd and sends it a ppp packet crafted to 
trigger the kernel bug. 
 
 
The same problem also exists in Linux 2.4. 
 
Marcelo, what do you think about the proposed patch? 
 
Regards, 
 
        Joey 
 
--
Comment 1 Thomas Biege 2005-02-15 22:22:08 UTC 
<!-- SBZ_reproduce  -->
code attached
Comment 2 Olaf Kirch 2005-02-16 00:11:57 UTC 
There's no code attached to this report :)
Comment 3 Thomas Biege 2005-02-16 00:15:20 UTC 
Created attachment 28503 [details]
kernel-ppp-dos.cpp

test code
Comment 4 Thomas Biege 2005-02-16 00:15:37 UTC 
Created attachment 28504 [details]
kernel-ppp-dos.diff
Comment 5 Olaf Kirch 2005-02-16 00:28:18 UTC 
This is the first two-line patch with a copyright notice I've seen :-) 
It fixes the problem; but while they were at it they might as well 
have made sure the len is always correct. Slightly improved patch 
attached.
Comment 6 Olaf Kirch 2005-02-16 00:28:45 UTC 
Created attachment 28505 [details]
Proposed patch
Comment 7 Thomas Biege 2005-02-25 10:04:40 UTC 
From: Paul Mackerras <paulus@au1.ibm.com> 
To: Martin Schulze <joey@infodrom.org> 
Cc: Free Software Distribution Vendors <vendor-sec@lst.de>, 
        Marcelo Tosatti <marcelo.tosatti@cyclades.com> 
Subject: Re: [vendor-sec] CAN-2005-0384: Remote Linux DoS on ppp servers 
Errors-To: vendor-sec-admin@lst.de 
Date: Fri, 25 Feb 2005 13:48:50 +1100 
 
Martin Schulze writes: 
 
> Ben Martel and Stephen Blackheath have discovered a denial-of-service attack 
that a 
> client of pppd can make that can hang the server machine.  The bug is in 
> the Linux kernel 2.6 (tested on 2.6.9), but it looks like it also exists 
> in the 2.4 series. 
 
Yes, this is my bug. :( 
 
> The same problem also exists in Linux 2.4. 
> 
> Marcelo, what do you think about the proposed patch? 
 
I would just do this instead: 
 
diff -urN linux-2.5/drivers/net/ppp_async.c test/drivers/net/ppp_async.c 
--- linux-2.5/drivers/net/ppp_async.c   2005-01-21 16:02:12.000000000 +1100 
+++ test/drivers/net/ppp_async.c        2005-02-25 10:38:05.000000000 +1100 
@@ -1000,7 +1000,7 @@ 
        data += 4; 
        dlen -= 4; 
        /* data[0] is code, data[1] is length */ 
-       while (dlen >= 2 && dlen >= data[1]) { 
+       while (dlen >= 2 && dlen >= data[1] && data[1] >= 2) { 
                switch (data[0]) { 
                case LCP_MRU: 
                        val = (data[2] << 8) + data[3]; 
 
Is there any embargo on this issue?  I would like to get this fix into 
2.6.11, which will be released RSN. 
 
Paul. 
_______________________________________________
Comment 8 Thomas Biege 2005-02-25 10:05:43 UTC 
[...] 
Hmm, ok. 
 
> Is there any embargo on this issue?  I would like to get this fix into 
> 2.6.11, which will be released RSN. 
 
I'd go March 14/15/16th if possible. 
 
Regards, 
 
        Joey 
 
 
--
Comment 9 Marcus Meissner 2005-03-10 08:19:06 UTC 
added karsten
Comment 10 Hubert Mantel 2005-03-11 11:47:10 UTC 
Ok, fix is only in the 2.4 trees so far (because it was needed for SLES8 SP4).
Will commit to the 2.6 trees on monday, when the issue becomes public.
Comment 11 Marcus Meissner 2005-03-14 14:20:46 UTC 
becomes public on 15.3.2005
Comment 12 Marcus Meissner 2005-03-16 09:38:05 UTC 
surface for qa
Comment 13 Hubert Mantel 2005-03-16 11:13:05 UTC 
Fix is in all trees now.
Comment 14 Marcus Meissner 2005-03-16 11:40:53 UTC 
for tracking
Comment 15 Marcus Meissner 2005-03-24 17:24:12 UTC 
updates and advisory released
Comment 16 Thomas Biege 2009-10-13 21:06:12 UTC 
CVE-2005-0384: CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)