Bug 63545 (CVE-2004-1016) - VUL-0: CVE-2004-1016: kernel: denial of service condition in AF_INET / DGRAM sendmsg
Summary: VUL-0: CVE-2004-1016: kernel: denial of service condition in AF_INET / DGRAM ...
Status: RESOLVED FIXED
Alias: CVE-2004-1016
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: All Linux
Priority: P3 - Medium, Severity: Normal
Target Milestone: ---
Assignee: Marcus Meissner
QA Contact: Security Team bot
URL:
Whiteboard: CVE-2004-1016: CVSS v2 Base Score: 2....
Keywords:
Depends on:
Blocks:
 
Reported: 2004-11-25 21:42 UTC by Marcus Meissner
Modified: 2021-09-28 08:11 UTC

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
mail.txt (2.54 KB, text/plain), 2004-11-25 21:44 UTC, Marcus Meissner
2.6 patch from Herbert Xu (2.77 KB, patch), 2004-11-29 20:35 UTC, Marcus Meissner

Description Marcus Meissner 2004-11-25 21:42:10 UTC
Paul Starzetz reported this denial of service problem in kernels <= 2.4.28.

See attached mail.
Comment 1 Marcus Meissner 2004-11-25 21:42:10 UTC
The mail contains a sample crash program.
Comment 2 Marcus Meissner 2004-11-25 21:44:29 UTC
Created attachment 26456 [details]
mail.txt
Comment 3 Hubert Mantel 2004-11-25 23:23:24 UTC
Need fix :/
Comment 4 Marcus Meissner 2004-11-25 23:38:31 UTC
CAN-2004-1016

Not public yet.

I think net/ipv4/ip_sockglue.c::ip_cmsg_send() needs a more sensible check that we do not loop back to an old cmsg header.

Let's see if vendor-sec brings something up.
Comment 5 Marcus Meissner 2004-11-25 23:46:24 UTC
The problem seems to be that it can go into an endless loop, so a very easy local denial of service.
Comment 6 Marcus Meissner 2004-11-29 20:35:08 UTC
Created attachment 26520 [details]
2.6 patch from Herbert Xu

Resent-Message-Id: <200411291228.iATCSi8X031567@verein.lst.de>
To: "David S. Miller" <davem@davemloft.net>
Cc: vendor-sec <vendor-sec@lst.de>, Paul Starzetz <ihaquer@isec.pl>,
	Mark J Cox <mjc@redhat.com>, security@isec.pl,
	Martin Pitt <martin.pitt@canonical.com>
Subject: Re: [vendor-sec] Linux kernel <= 2.4.28 DoS
User-Agent: Mutt/1.5.6+20040722i
From: Herbert Xu <herbert@gondor.apana.org.au>
Errors-To: vendor-sec-admin@lst.de
Date: Sat, 27 Nov 2004 12:15:00 +1100

On Thu, 25 Nov 2004, Paul Starzetz wrote:
>
> Below is a non-privileged version of your favourite setuid /sbin/halt
> command. On SMP machines you may need to start it a few times.

Thanks for the program Paul.

This patch should fix the cmsg_len checking for 2.6.  A 2.4 backport
should be straightforward.

BTW, preempt will mitigate the effects of this particular attack.
However, there may well be other ways to exploit this through the
messages themselves.

Cheers,
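The cmsg_len check that comments 4 and 6 call for, as an added userspace example written for this page (it is not the kernel's code and not Herbert Xu's attached patch; the function names and the constructed buffers are assumptions of the example):

```c
#include <stddef.h>
#include <string.h>
#include <sys/socket.h>

/* CMSG_ALIGN equivalent: round up to a multiple of sizeof(long). */
static size_t cmsg_align(size_t len) {
    return (len + sizeof(long) - 1) & ~(sizeof(long) - 1);
}

/* Count the control messages in buf, or return -1 on the first malformed
 * header.  The cursor advances by cmsg_len, so a header claiming
 * cmsg_len == 0 would keep a naive walker on the same header forever;
 * rejecting anything shorter than the header is what breaks that loop. */
int cmsg_walk(const unsigned char *buf, size_t len) {
    size_t off = 0;
    int count = 0;
    while (off + sizeof(struct cmsghdr) <= len) {
        struct cmsghdr hdr;
        memcpy(&hdr, buf + off, sizeof hdr);      /* copy: no alignment assumptions */
        if (hdr.cmsg_len < sizeof(struct cmsghdr) /* would never advance */
            || hdr.cmsg_len > len - off)          /* would read past the buffer */
            return -1;
        count++;
        off += cmsg_align(hdr.cmsg_len);          /* strictly positive step */
    }
    return count;                                 /* trailing padding is ignored */
}

/* Helper for the constructed samples: write one header with a given length. */
static void put_hdr(unsigned char *at, size_t cmsg_len) {
    struct cmsghdr hdr;
    memset(&hdr, 0, sizeof hdr);
    hdr.cmsg_len = cmsg_len;
    hdr.cmsg_level = SOL_SOCKET;
    memcpy(at, &hdr, sizeof hdr);
}

/* Constructed input: two well-formed messages carrying one int each. */
int sample_two_valid(void) {
    unsigned char buf[2 * CMSG_SPACE(sizeof(int))] = {0};
    put_hdr(buf, CMSG_LEN(sizeof(int)));
    put_hdr(buf + CMSG_SPACE(sizeof(int)), CMSG_LEN(sizeof(int)));
    return cmsg_walk(buf, sizeof buf);            /* 2 */
}

/* Constructed input: the all-zero header, i.e. cmsg_len == 0. */
int sample_zero_len(void) {
    unsigned char buf[CMSG_SPACE(sizeof(int))] = {0};
    return cmsg_walk(buf, sizeof buf);            /* -1 */
}

/* Constructed input: a header whose cmsg_len overstates the buffer. */
int sample_overlong(void) {
    unsigned char buf[CMSG_SPACE(sizeof(int))] = {0};
    put_hdr(buf, sizeof buf + 1);
    return cmsg_walk(buf, sizeof buf);            /* -1 */
}
```

A kernel-side parser additionally checks cmsg_level and cmsg_type before using a message; the walker above only demonstrates the length validation that keeps the loop bounded.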
Comment 7 Marcus Meissner 2004-11-29 20:40:16 UTC
Not yet disclosed!

The patch should be reviewed; it might not be final yet.

CCing networking guru ak too.
Comment 8 Olaf Kirch 2004-11-29 20:47:15 UTC
The patch looks sane.
Comment 9 Marcus Meissner 2004-12-09 21:44:28 UTC
Is now public (in BitKeeper = public).
Comment 10 Marcus Meissner 2004-12-13 17:13:14 UTC
Patch is in; marcus -> tracking.
Comment 11 Marcus Meissner 2004-12-22 04:37:30 UTC
Updates and advisory released.
Comment 12 Thomas Biege 2009-10-13 20:00:54 UTC
CVE-2004-1016: CVSS v2 Base Score: 2.1 (AV:L/AC:L/Au:N/C:N/I:N/A:P)