oss-sec mailing list archives
Re: CVE-2016-8645: linux kernel: net: a BUG() statement can be hit in net/ipv4/tcp_input.c
From: Vladis Dronov <vdronov () redhat com>
Date: Wed, 30 Nov 2016 11:50:44 -0500 (EST)
Hello,

A further investigation was made to find out the Linux kernel commit which
introduced the flaw. It appeared that previous Linux kernel versions are
vulnerable, down to v3.6-rc1. This fact was hidden by 'net.ipv4.tcp_fastopen'
being set to 0 by default, and now it is easier to notice since kernel v3.12
due to commit 0d41cca490, where the default was changed to 1. With
'net.ipv4.tcp_fastopen' set to 1, previous Linux kernels, including RHEL-7
ones, are also vulnerable (see [0] below).

The bug has been here since the tcp-fastopen feature was introduced in kernel
v3.6-rc1. The first commit at which the reproducer starts to panic the kernel
with net.ipv4.tcp_fastopen=1 is cf60af03ca, which is part of the commit series
2100c8d2d9..67da22d23f introducing the net-tcp-fastopen feature:

$ git bisect bad cf60af03ca4e71134206809ea892e49b92a88896
cf60af03ca4e71134206809ea892e49b92a88896 is the first bad commit
commit cf60af03ca4e71134206809ea892e49b92a88896
Author: Yuchung Cheng <ycheng () google com>
Date:   Thu Jul 19 06:43:09 2012 +0000

So, formally, the Linux kernel upstream commit ac6e780070 fixing the bug should
have had a "Fixes: cf60af03ca" statement; unfortunately, this investigation was
not completed at the time the patch was accepted upstream.

Best regards,
Vladis Dronov | Red Hat, Inc. | Product Security Engineer

=== [0] =====

$ uname -r
3.10.0-123.el7.x86_64
$ sysctl net.ipv4.tcp_fastopen
net.ipv4.tcp_fastopen = 1
$ ./poc
[ 67.356749] ------------[ cut here ]------------
[ 67.357016] kernel BUG at net/ipv4/tcp_input.c:4563!
[ 67.357016] invalid opcode: 0000 [#1] SMP
[ 67.357016] CPU: 2 PID: 1317 Comm: poc Not tainted 3.10.0-123.el7.x86_64 #1
[ 67.357016] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.8.2-20150714_191134- 04/01/2014
[ 67.357016] task: ffff880135cc4440 ti: ffff8800b8552000 task.ti: ffff8800b8552000
[ 67.357016] RIP: 0010:[<ffffffff8151f493>] [<ffffffff8151f493>] tcp_collapse+0x433/0x440
[ 67.357016] RSP: 0018:ffff8800b8553a20 EFLAGS: 00010282
[ 67.357016] RAX: 00000000fffffff2 RBX: ffff880135d550f8 RCX: 0000000000000db0
[ 67.357016] RDX: ffff8800b84cb110 RSI: 0000000000000000 RDI: ffff880135d550f8
[ 67.357016] RBP: ffff8800b8553a70 R08: 0000000000000ec0 R09: 0000000000000db0
[ 67.357016] R10: ffff8800b140be00 R11: 0000000000000000 R12: 00000000606804a0
[ 67.357016] R13: ffff8800b16e0090 R14: 0000000000000000 R15: 0000000000000db0
[ 67.357016] FS: 00007fd1e51a6800(0000) GS:ffff88013fc80000(0000) knlGS:0000000000000000
[ 67.357016] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 67.357016] CR2: 000000002002a000 CR3: 00000000b14fd000 CR4: 00000000001406e0
[ 67.357016] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 67.357016] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[ 67.357016] Stack:
[ 67.357016] 606814a000000004 ffff8800b16e0000 ffff8800b140be00 ffffffff00000db0
[ 67.357016] ffff880000000000 ffff8800b16e0680 0000000000000900 ffff880135d55af8
[ 67.357016] ffff8800b16e0000 ffff8800b16e0680 ffff8800b8553aa8 ffffffff8151f66b
[ 67.357016] Call Trace:
[ 67.357016] [<ffffffff8151f66b>] tcp_try_rmem_schedule+0x1cb/0x410
[ 67.357016] [<ffffffff8151fe41>] tcp_data_queue+0x291/0xcf0
[ 67.357016] [<ffffffff81523014>] tcp_rcv_established+0x1e4/0x8d0
[ 67.357016] [<ffffffff815a11a6>] tcp_v6_do_rcv+0x2e6/0x6b0
[ 67.357016] [<ffffffff81525f8a>] ? tcp_schedule_loss_probe+0x13a/0x1d0
[ 67.357016] [<ffffffff81526c95>] ? tcp_write_xmit+0x215/0xb80
[ 67.357016] [<ffffffff814c0b11>] ? __alloc_skb+0xa1/0x2d0
[ 67.357016] [<ffffffff814bbfd1>] release_sock+0xa1/0x170
[ 67.357016] [<ffffffff81518652>] tcp_sendmsg+0x132/0xdb0
[ 67.357016] [<ffffffff81542a24>] inet_sendmsg+0x64/0xb0
[ 67.357016] [<ffffffff814b79b0>] sock_sendmsg+0xb0/0xf0
[ 67.357016] [<ffffffff8114fd1e>] ? lru_cache_add+0xe/0x10
[ 67.357016] [<ffffffff81176ad1>] ? page_add_new_anon_rmap+0x91/0x130
[ 67.357016] [<ffffffff814b7f21>] SYSC_sendto+0x121/0x1c0
[ 67.357016] [<ffffffff815ed58a>] ? do_page_fault+0x1a/0x70
[ 67.357016] [<ffffffff814b89ae>] SyS_sendto+0xe/0x10
[ 67.357016] [<ffffffff815f2119>] system_call_fastpath+0x16/0x1b
[ 67.357016] Code: 00 48 89 42 08 48 89 10 e8 cb 1c fa ff 48 8b 45 b8 48 8b 40 30 48 8b 80 30 01 00 00 65 48 ff 80 b0 01 00 00 e9 af fc ff ff 0f 0b <0f> 0b 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 55 48 89
[ 67.357016] RIP [<ffffffff8151f493>] tcp_collapse+0x433/0x440
[ 67.357016] RSP <ffff8800b8553a20>
[ 67.390450] ---[ end trace c5a1da3f9a89016e ]---
[ 67.390741] Kernel panic - not syncing: Fatal exception in interrupt
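As an added example (not part of the original message), a small POSIX shell triage helper built only from the facts stated above: the affected range starts at v3.6-rc1 and the trigger needs net.ipv4.tcp_fastopen to be non-zero. The oops excerpt is constructed from the trace in [0]; the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the original post. It encodes the two facts the
# message establishes: the bug exists from v3.6-rc1 onward, and it is only
# reachable while net.ipv4.tcp_fastopen is non-zero. Whether the fix
# (upstream ac6e780070) is backported to a given build must come from the
# vendor advisory; this helper only evaluates the trigger condition.

# kver_ge RELEASE MAJOR.MINOR -> true when RELEASE's major.minor >= target.
kver_ge() {
    maj=$(printf '%s' "$1" | cut -d. -f1)
    min=$(printf '%s' "$1" | cut -d. -f2 | sed 's/[^0-9].*//')   # "6-rc1" -> 6
    tmaj=${2%%.*}
    tmin=${2#*.}
    [ "$maj" -gt "$tmaj" ] || { [ "$maj" -eq "$tmaj" ] && [ "$min" -ge "$tmin" ]; }
}

# tfo_exposure RELEASE TCP_FASTOPEN_VALUE
#   not-affected : kernel predates the TCP Fast Open feature
#   masked       : affected range, but TFO is off (the pre-3.12 default of 0)
#   exposed      : affected range and TFO enabled, as on the RHEL-7 box in [0]
tfo_exposure() {
    if ! kver_ge "$1" 3.6; then echo not-affected
    elif [ "$2" -ne 0 ]; then echo exposed
    else echo masked
    fi
}

# oops_summary < OOPS_TEXT -> "<file:line> <function>" from the BUG and RIP
# lines, so a log pipeline can tag this specific crash signature.
oops_summary() {
    awk '
        /kernel BUG at/ { sub(/.*kernel BUG at /, ""); sub(/!.*/, ""); site = $0 }
        /RIP: 0010:/    { for (i = 1; i <= NF; i++) if ($i ~ /\+0x/) { fn = $i; break } }
        END { sub(/\+.*/, "", fn); print site " " fn }
    '
}

# Constructed three-line excerpt of the oops quoted in [0].
OOPS='[ 67.357016] kernel BUG at net/ipv4/tcp_input.c:4563!
[ 67.357016] invalid opcode: 0000 [#1] SMP
[ 67.357016] RIP: 0010:[<ffffffff8151f493>] [<ffffffff8151f493>] tcp_collapse+0x433/0x440'

oops_site() { printf '%s\n' "$OOPS" | oops_summary; }

# Live check on the running host (real uname/sysctl; sysctl may be absent).
host_check() {
    tfo_exposure "$(uname -r)" "$(sysctl -n net.ipv4.tcp_fastopen 2>/dev/null || echo 0)"
}
```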