Linux Kernel FWD-TSN Chunk Remote Overflow Vulnerability

2009-01-06T00:00:00
ID SSV:4627
Type seebug
Reporter Root
Modified 2009-01-06T00:00:00

Description

BUGTRAQ ID: 33113

The Linux Kernel is the kernel used by the open-source operating system Linux.

When Linux receives a FWD-TSN chunk carrying a malformed stream ID, the sctp code does not validate the stream ID against the number of inbound streams negotiated for the association. The stream ID is then used directly as an index into the per-stream SSN table (stream->ssn[id]), so a remote peer can make the kernel write past the end of that table.

The overflow is reached through the following code path:

sctp_do_sm -> call sctp_sf_eat_fwd_tsn* -> sctp_side_effects -> sctp_cmd_interpreter -> cmd -> verb (e.g. SCTP_CMD_PROCESS_FWDTSN)

linux-2.6:net/sctp/sm_sideeffect.c:

/* This is the side-effect interpreter. */
static int sctp_cmd_interpreter(sctp_event_t event_type,
				sctp_subtype_t subtype,
				sctp_state_t state,
				struct sctp_endpoint *ep,
				struct sctp_association *asoc,
				void *event_arg,
				sctp_disposition_t status,
				sctp_cmd_seq_t *commands,
				gfp_t gfp)
{
[...]
	while (NULL != (cmd = sctp_next_cmd(commands))) {
		switch (cmd->verb) {
[...]
		case SCTP_CMD_PROCESS_FWDTSN:
			sctp_cmd_process_fwdtsn(&asoc->ulpq, cmd->obj.ptr);

/* Process variable FWDTSN chunk information. */
static void sctp_cmd_process_fwdtsn(struct sctp_ulpq *ulpq,
				    struct sctp_chunk *chunk)
{
	struct sctp_fwdtsn_skip *skip;
	/* Walk through all the skipped SSNs */
	sctp_walk_fwdtsn(skip, chunk) {
		sctp_ulpq_skip(ulpq, ntohs(skip->stream), ntohs(skip->ssn));

linux-2.6:net/sctp/ulpqueue.c:

/* Skip over an SSN. This is used during the processing of
 * Forwared TSN chunk to skip over the abandoned ordered data
 */
void sctp_ulpq_skip(struct sctp_ulpq *ulpq, __u16 sid, __u16 ssn)
{
	struct sctp_stream *in;

	/* Note: The stream ID must be verified before this routine.  */
	in = &ulpq->asoc->ssnmap->in;

	/* Is this an old SSN?  If so ignore. */
	if (SSN_lt(ssn, sctp_ssn_peek(in, sid)))
		return;

	/* Mark that we are no longer expecting this SSN or lower. */
	sctp_ssn_skip(in, sid, ssn);

linux-2.6:include/net/sctp/structs.h:

/* Skip over this ssn and all below. */
static inline void sctp_ssn_skip(struct sctp_stream *stream, __u16 id,
				 __u16 ssn)
{
	stream->ssn[id] = ssn+1;
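To make the missing check concrete, the following added example (not code from the kernel or from the advisory) models the FWD-TSN skip walk in user space. It builds a FORWARD TSN chunk in its RFC 3758 wire layout from a constructed list of (stream, ssn) pairs, applies the skips to a small model of the association's inbound SSN map the way sctp_ulpq_skip/sctp_ssn_skip do, and puts in front of that walk the validation the vulnerable path lacked: every stream ID in the chunk is compared against the number of inbound streams before any side effect, and the whole chunk is discarded if one is out of range. The map size, the stream counts and the sample chunks are assumptions chosen for the demonstration; the struct and helper names are hypothetical and do not correspond to kernel identifiers.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Wire layout of an SCTP FORWARD TSN chunk (RFC 3758): 4-byte chunk header
 * (type 192, flags, length), 4-byte New Cumulative TSN, then (stream, ssn)
 * pairs of two 16-bit big-endian fields each. */
#define SCTP_CID_FWD_TSN 0xC0
#define FWDTSN_HDR_LEN   8

struct fwdtsn_skip {
	uint16_t stream;
	uint16_t ssn;
};

/* User-space model of the association's inbound SSN map (ssnmap->in): one
 * counter per negotiated inbound stream. Only the first `len` slots belong
 * to the association; MAX_INSTREAMS is just the backing storage here. */
#define MAX_INSTREAMS 16
struct ssnmap_in {
	uint16_t len;
	uint16_t ssn[MAX_INSTREAMS];
};

static uint16_t get_be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static void put_be16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void put_be32(uint8_t *p, uint32_t v) { put_be16(p, (uint16_t)(v >> 16)); put_be16(p + 2, (uint16_t)v); }

/* Build a FORWARD TSN chunk into buf from a list of skips (constructed input). */
static size_t build_fwdtsn(uint8_t *buf, uint32_t new_cum_tsn,
			   const struct fwdtsn_skip *skips, size_t n)
{
	size_t len = FWDTSN_HDR_LEN + 4 * n;
	buf[0] = SCTP_CID_FWD_TSN;
	buf[1] = 0;
	put_be16(buf + 2, (uint16_t)len);
	put_be32(buf + 4, new_cum_tsn);
	for (size_t i = 0; i < n; i++) {
		put_be16(buf + 8 + 4 * i, skips[i].stream);
		put_be16(buf + 10 + 4 * i, skips[i].ssn);
	}
	return len;
}

/* The check the vulnerable path lacked: walk every (stream, ssn) pair before
 * any side effect and reject the whole chunk if a stream ID is not below the
 * number of inbound streams. Returns 1 if the chunk may be processed. */
static int fwdtsn_streams_valid(const uint8_t *chunk, size_t len, uint16_t max_instreams)
{
	if (len < FWDTSN_HDR_LEN || chunk[0] != SCTP_CID_FWD_TSN)
		return 0;
	uint16_t clen = get_be16(chunk + 2);
	if (clen > len || clen < FWDTSN_HDR_LEN || (clen - FWDTSN_HDR_LEN) % 4)
		return 0;
	for (size_t off = FWDTSN_HDR_LEN; off + 4 <= clen; off += 4)
		if (get_be16(chunk + off) >= max_instreams)
			return 0;
	return 1;
}

/* Serial-number comparison on 16-bit SSNs, as the kernel's SSN_lt does. */
static int ssn_lt(uint16_t a, uint16_t b) { return (int16_t)(a - b) < 0; }

/* Mirror of sctp_cmd_process_fwdtsn -> sctp_ulpq_skip -> sctp_ssn_skip, with
 * the validation placed in front. Without fwdtsn_streams_valid(), the line
 * `in->ssn[sid] = ssn + 1` is the overflow: sid is chosen by the peer and
 * indexes a table sized by the negotiated inbound stream count.
 * Returns 1 if the skips were applied, 0 if the chunk was discarded. */
static int process_fwdtsn(struct ssnmap_in *in, const uint8_t *chunk, size_t len)
{
	if (!fwdtsn_streams_valid(chunk, len, in->len))
		return 0;
	uint16_t clen = get_be16(chunk + 2);
	for (size_t off = FWDTSN_HDR_LEN; off + 4 <= clen; off += 4) {
		uint16_t sid = get_be16(chunk + off);
		uint16_t ssn = get_be16(chunk + off + 2);
		if (ssn_lt(ssn, in->ssn[sid]))	/* old SSN: ignore */
			continue;
		in->ssn[sid] = (uint16_t)(ssn + 1);	/* skip this SSN and all below */
	}
	return 1;
}

/* Constructed benign chunk: skips on streams 1 and 3 of an 8-stream map.
 * Returns the new expected SSN on stream 3, or -1 if wrongly discarded. */
static int sample_benign(void)
{
	uint8_t buf[64];
	struct fwdtsn_skip skips[] = { { 1, 10 }, { 3, 5 } };
	struct ssnmap_in in = { .len = 8 };
	size_t len = build_fwdtsn(buf, 0x12345678, skips, 2);
	return process_fwdtsn(&in, buf, len) ? in.ssn[3] : -1;
}

/* Constructed malicious chunk: one valid skip followed by stream ID 0xFFFF,
 * far beyond the 8-stream map. The whole chunk must be discarded, so even
 * the valid first skip leaves stream 1 untouched. Returns ssn[1], or -1 if
 * the chunk was wrongly accepted. */
static int sample_malicious(void)
{
	uint8_t buf[64];
	struct fwdtsn_skip skips[] = { { 1, 10 }, { 0xFFFF, 0x4141 } };
	struct ssnmap_in in = { .len = 8 };
	size_t len = build_fwdtsn(buf, 0x12345678, skips, 2);
	return process_fwdtsn(&in, buf, len) ? -1 : in.ssn[1];
}

int main(void)
{
	printf("benign chunk: ssn[3] after skip = %d\n", sample_benign());
	printf("malicious chunk: ssn[1] after discard = %d\n", sample_malicious());
	return 0;
}
```

The validation is deliberately done over the whole chunk before the first skip is applied, rather than per pair inside the walk: the kernel's skip walk is a side effect run from the command interpreter, and rejecting the chunk up front in the state-function stage (before any command is queued) avoids leaving the SSN map half-updated by a chunk that is then thrown away.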

Linux kernel 2.6.x vendor patch:

Linux

The vendor has released an upgrade patch to fix this security issue; download it from the vendor's site:

http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=9fcb95a105758b81ef0131cd18e2db5149f13e95