Bugzilla – Bug 65857
VUL-0: CVE-2005-0384: kernel: remote DoS in PPP code
Last modified: 2021-11-02 16:07:14 UTC
Hi, from vendor-sec (not public)

From: Martin Schulze <joey@infodrom.org>
To: Free Software Distribution Vendors <vendor-sec@lst.de>
Cc: Marcelo Tosatti <marcelo.tosatti@cyclades.com>
User-Agent: Mutt/1.5.6+20040907i
Subject: [vendor-sec] CAN-2005-0384: Remote Linux DoS on ppp servers
Errors-To: vendor-sec-admin@lst.de
Date: Tue, 15 Feb 2005 09:16:26 +0100

Ben Martel and Stephen Blackheath have discovered a denial-of-service attack that a client of pppd can make that can hang the server machine. The bug is in the Linux kernel 2.6 (tested on 2.6.9), but it looks like it also exists in the 2.4 series.

The attached test case (which works on Debian) demonstrates the problem, and gives some explanation, as well as a suggested patch. Run it in the following way as any user that is capable of running pppd:

~ g++ -o kernel-dos kernel-dos.cpp
~ ./kernel-dos

** This will hang the kernel. **

kernel-dos spawns /usr/bin/pppd and sends it a ppp packet crafted to trigger the kernel bug.

The same problem also exists in Linux 2.4.

Marcelo, what do you think about the proposed patch?

Regards,

Joey
--
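The underlying defect is an LCP option walk that trusts each option's own length byte. The following is an added example, not the attachment from this report and not the kernel's code: a user-space parser for the option list of an LCP Configure-Request that applies the guard the fix introduces (reject an option length below 2 or beyond the remaining data) so that a bogus length is refused instead of stalling the loop. The sample packets are constructed here; `LCP_MRU` is option type 1 per RFC 1661.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define LCP_MRU 1   /* Maximum-Receive-Unit option type (RFC 1661) */

/* Parse an LCP configure packet (4-byte header, then options) and return
 * the negotiated MRU, 0 if none, or -1 if an option is malformed. Each
 * option is {type, length, ...} with length counting its own 2-byte header,
 * so a length below 2 could never advance the cursor; the patched loop
 * condition (data[1] >= 2) rejects it, and so does this check. */
int lcp_parse_mru(const uint8_t *data, size_t dlen)
{
    int mru = 0;
    if (dlen < 4)
        return -1;
    data += 4;                  /* skip code, id, length header */
    dlen -= 4;
    /* data[0] is code, data[1] is length */
    while (dlen >= 2) {
        uint8_t code = data[0], len = data[1];
        if (len < 2 || len > dlen)   /* the fix: refuse bogus lengths */
            return -1;
        if (code == LCP_MRU) {
            if (len != 4)            /* MRU option is exactly 4 bytes */
                return -1;
            mru = (data[2] << 8) | data[3];
        }
        data += len;                 /* advance by the option's own length */
        dlen -= len;
    }
    return mru;
}

/* Constructed samples (not from the report). Header: Configure-Request, id 1. */
static const uint8_t good_pkt[] = { 0x01, 0x01, 0x00, 0x0c,
    0x01, 0x04, 0x05, 0xdc,      /* MRU = 1500 */
    0x03, 0x04, 0xc0, 0x23 };    /* auth-protocol PAP, skipped */
static const uint8_t zero_len_pkt[] = { 0x01, 0x01, 0x00, 0x08,
    0x01, 0x00, 0x05, 0xdc };    /* MRU option claiming length 0 */

int parse_good(void)     { return lcp_parse_mru(good_pkt, sizeof good_pkt); }
int parse_zero_len(void) { return lcp_parse_mru(zero_len_pkt, sizeof zero_len_pkt); }

int main(void)
{
    printf("good: mru=%d\n", parse_good());            /* 1500 */
    printf("zero-length option: %d\n", parse_zero_len()); /* -1 */
    return 0;
}
```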
code attached
There's no code attached to this report :)
Created attachment 28503 [details] kernel-ppp-dos.cpp test code
Created attachment 28504 [details] kernel-ppp-dos.diff
This is the first two-line patch with a copyright notice I've seen :-) It fixes the problem; but while they were at it they might as well have made sure the len is always correct. Slightly improved patch attached.
Created attachment 28505 [details] Proposed patch
From: Paul Mackerras <paulus@au1.ibm.com> To: Martin Schulze <joey@infodrom.org> Cc: Free Software Distribution Vendors <vendor-sec@lst.de>, Marcelo Tosatti <marcelo.tosatti@cyclades.com> Subject: Re: [vendor-sec] CAN-2005-0384: Remote Linux DoS on ppp servers Errors-To: vendor-sec-admin@lst.de Date: Fri, 25 Feb 2005 13:48:50 +1100 Martin Schulze writes: > Ben Martel and Stephen Blackheath have discovered a denial-of-service attack that a > client of pppd can make that can hang the server machine. The bug is in > the Linux kernel 2.6 (tested on 2.6.9), but it looks like it also exists > in the 2.4 series. Yes, this is my bug. :( > The same problem also exists in Linux 2.4. > > Marcelo, what do you think about the proposed patch? I would just do this instead: diff -urN linux-2.5/drivers/net/ppp_async.c test/drivers/net/ppp_async.c --- linux-2.5/drivers/net/ppp_async.c 2005-01-21 16:02:12.000000000 +1100 +++ test/drivers/net/ppp_async.c 2005-02-25 10:38:05.000000000 +1100 @@ -1000,7 +1000,7 @@ data += 4; dlen -= 4; /* data[0] is code, data[1] is length */ - while (dlen >= 2 && dlen >= data[1]) { + while (dlen >= 2 && dlen >= data[1] && data[1] >= 2) { switch (data[0]) { case LCP_MRU: val = (data[2] << 8) + data[3]; Is there any embargo on this issue? I would like to get this fix into 2.6.11, which will be released RSN. Paul. _______________________________________________
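Review bot: the added `data[1] >= 2` guard in the `while` condition only ensures two bytes of option are present, yet the `case LCP_MRU` branch immediately reads `data[2]` and `data[3]`; with `data[1] == 2` and `dlen == 2` those reads fall outside both the option and the remaining data. Consider also requiring the option length to cover the fields each case reads (4 for `LCP_MRU`), which is the "make sure the len is always correct" point raised in comment 9.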
[...]

Hmm, ok.

> Is there any embargo on this issue? I would like to get this fix into
> 2.6.11, which will be released RSN.

I'd go March 14/15/16th if possible.

Regards,

Joey
--
added karsten
Ok, fix is only in the 2.4 trees so far (because it was needed for SLES8 SP4). Will commit to the 2.6 trees on Monday, when the issue becomes public.
becomes public on 15.3.2005
surface for qa
Fix is in all trees now.
for tracking
updates and advisory released
CVE-2005-0384: CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)