Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Wed, 30 Nov 2016 11:50:44 -0500 (EST)
From: Vladis Dronov <vdronov@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE-2016-8645: linux kernel: net: a BUG() statement can be hit
 in net/ipv4/tcp_input.c

Hello,

A further investigation was made to find out the Linux kernel commit which has
introduced the flaw. It appeared that previous Linux kernel versions are vulnerable,
down to v3.6-rc1. This fact was hidden by 'net.ipv4.tcp_fastopen' set to 0 by default,
and now it is easier to notice since kernel v3.12 due to commit 0d41cca490 where the
default was changed to 1. With 'net.ipv4.tcp_fastopen' set to 1, previous Linux
kernels including RHEL-7 ones are also vulnerable (see [0] below).

The bug is here since tcp-fastopen feature was introduced in kernel v3.6-rc1, the first
commit when the reproducer starts to panic the kernel with net.ipv4.tcp_fastopen=1 is
cf60af03ca, which is a part of commit serie 2100c8d2d9..67da22d23f introducing
net-tcp-fastopen feature:

$ git bisect bad cf60af03ca4e71134206809ea892e49b92a88896
cf60af03ca4e71134206809ea892e49b92a88896 is the first bad commit
commit cf60af03ca4e71134206809ea892e49b92a88896
Author: Yuchung Cheng <ycheng@...gle.com>
Date:   Thu Jul 19 06:43:09 2012 +0000

So, formally, the Linux kernel upstream commit ac6e780070 fixing the bug should have
"Fixes: cf60af03ca" statement, unfortunately, this investigation was not completed at
the time the patch was accepted upstream.

Best regards,
Vladis Dronov | Red Hat, Inc. | Product Security Engineer

=== [0] =====

$ uname -r
3.10.0-123.el7.x86_64

$ sysctl net.ipv4.tcp_fastopen
net.ipv4.tcp_fastopen = 1

$ ./poc
[   67.356749] ------------[ cut here ]------------
[   67.357016] kernel BUG at net/ipv4/tcp_input.c:4563!
[   67.357016] invalid opcode: 0000 [#1] SMP 
[   67.357016] CPU: 2 PID: 1317 Comm: poc Not tainted 3.10.0-123.el7.x86_64 #1
[   67.357016] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.8.2-20150714_191134- 04/01/2014
[   67.357016] task: ffff880135cc4440 ti: ffff8800b8552000 task.ti: ffff8800b8552000
[   67.357016] RIP: 0010:[<ffffffff8151f493>]  [<ffffffff8151f493>] tcp_collapse+0x433/0x440
[   67.357016] RSP: 0018:ffff8800b8553a20  EFLAGS: 00010282
[   67.357016] RAX: 00000000fffffff2 RBX: ffff880135d550f8 RCX: 0000000000000db0
[   67.357016] RDX: ffff8800b84cb110 RSI: 0000000000000000 RDI: ffff880135d550f8
[   67.357016] RBP: ffff8800b8553a70 R08: 0000000000000ec0 R09: 0000000000000db0
[   67.357016] R10: ffff8800b140be00 R11: 0000000000000000 R12: 00000000606804a0
[   67.357016] R13: ffff8800b16e0090 R14: 0000000000000000 R15: 0000000000000db0
[   67.357016] FS:  00007fd1e51a6800(0000) GS:ffff88013fc80000(0000) knlGS:0000000000000000
[   67.357016] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   67.357016] CR2: 000000002002a000 CR3: 00000000b14fd000 CR4: 00000000001406e0
[   67.357016] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   67.357016] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[   67.357016] Stack:
[   67.357016]  606814a000000004 ffff8800b16e0000 ffff8800b140be00 ffffffff00000db0
[   67.357016]  ffff880000000000 ffff8800b16e0680 0000000000000900 ffff880135d55af8
[   67.357016]  ffff8800b16e0000 ffff8800b16e0680 ffff8800b8553aa8 ffffffff8151f66b
[   67.357016] Call Trace:
[   67.357016]  [<ffffffff8151f66b>] tcp_try_rmem_schedule+0x1cb/0x410
[   67.357016]  [<ffffffff8151fe41>] tcp_data_queue+0x291/0xcf0
[   67.357016]  [<ffffffff81523014>] tcp_rcv_established+0x1e4/0x8d0
[   67.357016]  [<ffffffff815a11a6>] tcp_v6_do_rcv+0x2e6/0x6b0
[   67.357016]  [<ffffffff81525f8a>] ? tcp_schedule_loss_probe+0x13a/0x1d0
[   67.357016]  [<ffffffff81526c95>] ? tcp_write_xmit+0x215/0xb80
[   67.357016]  [<ffffffff814c0b11>] ? __alloc_skb+0xa1/0x2d0
[   67.357016]  [<ffffffff814bbfd1>] release_sock+0xa1/0x170
[   67.357016]  [<ffffffff81518652>] tcp_sendmsg+0x132/0xdb0
[   67.357016]  [<ffffffff81542a24>] inet_sendmsg+0x64/0xb0
[   67.357016]  [<ffffffff814b79b0>] sock_sendmsg+0xb0/0xf0
[   67.357016]  [<ffffffff8114fd1e>] ? lru_cache_add+0xe/0x10
[   67.357016]  [<ffffffff81176ad1>] ? page_add_new_anon_rmap+0x91/0x130
[   67.357016]  [<ffffffff814b7f21>] SYSC_sendto+0x121/0x1c0
[   67.357016]  [<ffffffff815ed58a>] ? do_page_fault+0x1a/0x70
[   67.357016]  [<ffffffff814b89ae>] SyS_sendto+0xe/0x10
[   67.357016]  [<ffffffff815f2119>] system_call_fastpath+0x16/0x1b
[   67.357016] Code: 00 48 89 42 08 48 89 10 e8 cb 1c fa ff 48 8b 45 b8 48 8b 40 30
48 8b 80 30 01 00 00 65 48 ff 80 b0 01 00 00 e9 af fc ff ff 0f 0b <0f> 0b 66 66 2e
0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 55 48 89 
[   67.357016] RIP  [<ffffffff8151f493>] tcp_collapse+0x433/0x440
[   67.357016]  RSP <ffff8800b8553a20>
[   67.390450] ---[ end trace c5a1da3f9a89016e ]---
[   67.390741] Kernel panic - not syncing: Fatal exception in interrupt

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.