verify size of a new chunk in _sctp_make_chunk() in kernel-net-sctp CVE-2018-5803

Tracked by Jolla (Rejected)

asked 2018-06-25 10:09:46 +0200


updated 2018-06-25 10:09:46 +0200

lpr

In the Linux Kernel before version 4.15.8, 4.14.25, 4.9.87, 4.4.121, 4.1.51, and 3.2.102, an error in the "_sctp_make_chunk()" function (net/sctp/sm_make_chunk.c) when handling SCTP packet lengths can be exploited to cause a kernel crash.

Patch for kernel 3.2 is available.

Files affected: kernel-adaptation-sbj-3.4.108.20171107.1/net/sctp/sm_make_chunk.c lines 1324-1344

So the patch should look like this:

@@ -1324,10 +1324,14 @@ struct sctp_chunk *sctp_make_chunk(const struct sctp_association *asoc,
sctp_chunkhdr_t *chunk_hdr;
struct sk_buff *skb;
struct sock *sk;
+   int chunklen;
+
+   chunklen = WORD_ROUND(sizeof(*chunk_hdr) + paylen);
+   if (chunklen > SCTP_MAX_CHUNK_LEN)
+       goto nodata;

/* No need to allocate LL here, as this is only a chunk. */
-   skb = alloc_skb(WORD_ROUND(sizeof(sctp_chunkhdr_t) + paylen),
-           GFP_ATOMIC);
+   skb = alloc_skb(chunklen, GFP_ATOMIC);
if (!skb)
    goto nodata;
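Review bot: `SCTP_MAX_CHUNK_LEN` is used in the added check without any include or define change in this hunk, so confirm that the 3.4.108 tree's SCTP headers already define it (and `WORD_ROUND`) before applying; if they do not, the backport needs a matching definition rather than a guessed value. The new early `goto nodata` is taken before `skb` is assigned, so check that the `nodata:` label in this function does not touch `skb`; in the visible lines that label was previously reached only when `alloc_skb()` returned NULL, which is a comparable state. The replacement `alloc_skb(chunklen, GFP_ATOMIC)` allocates the same rounded size as the removed `WORD_ROUND(sizeof(sctp_chunkhdr_t) + paylen)`, since `chunk_hdr` is a `sctp_chunkhdr_t *`, so the only behavioural change is rejecting a chunk whose rounded length exceeds the bound.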
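Added example, not from this post, the Jolla kernel tree or the upstream patch: a user-space C model of the length check the patch introduces. It relies on the SCTP chunk header carrying a 16-bit length field, and it models `SCTP_MAX_CHUNK_LEN` as `(1 << 16) - sizeof(header)`; that value is an assumption made here for illustration, the kernel's real macro comes from its own headers. `checked_chunk_len()` is the guarded path and returns 0 for a length that cannot be represented; `header_matches_buffer()` shows how, without the guard, the rounded allocation size and the truncated 16-bit header length stop agreeing once the payload is large enough.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Four-byte padding rule, modelled on the kernel's WORD_ROUND(). */
#define WORD_ROUND(s) (((s) + 3) & ~(size_t)3)

/* Minimal model of the SCTP chunk header: type, flags, 16-bit length. */
struct chunkhdr {
    uint8_t  type;
    uint8_t  flags;
    uint16_t length;   /* on the wire this is __be16; 16 bits either way */
};

/* Assumed bound for this example; the kernel's SCTP_MAX_CHUNK_LEN is
 * defined in its own SCTP headers and is not copied from there. */
#define MAX_CHUNK_LEN ((1u << 16) - sizeof(struct chunkhdr))

/* Guarded path, as in the patched _sctp_make_chunk(): compute the rounded
 * chunk length first and refuse anything above the bound. Returns the
 * rounded length, or 0 when the chunk must be rejected. */
size_t checked_chunk_len(size_t paylen)
{
    size_t chunklen = WORD_ROUND(sizeof(struct chunkhdr) + paylen);
    if (chunklen > MAX_CHUNK_LEN)
        return 0;             /* the kernel takes 'goto nodata' here */
    return chunklen;
}

/* Unguarded path: the rounded length is stored straight into the 16-bit
 * header field, which silently truncates values of 65536 and above. */
uint16_t unchecked_header_len(size_t paylen)
{
    struct chunkhdr h = {0};
    h.length = (uint16_t)WORD_ROUND(sizeof(struct chunkhdr) + paylen);
    return h.length;
}

/* 1 when the header's length field describes the whole buffer that would
 * have been allocated for it, 0 when truncation made them disagree. */
int header_matches_buffer(size_t paylen)
{
    size_t buf = WORD_ROUND(sizeof(struct chunkhdr) + paylen);
    return unchecked_header_len(paylen) == buf;
}

int main(void)
{
    /* Constructed payload sizes: a normal one and one just past the bound. */
    size_t samples[] = { 100, 65528, 65532 };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        size_t p = samples[i];
        printf("paylen=%zu checked=%zu header=%u consistent=%d\n",
               p, checked_chunk_len(p), unchecked_header_len(p),
               header_matches_buffer(p));
    }
    return 0;
}
```

The point of the two paths side by side: the guard does not change how the length is rounded, it only refuses to build a chunk whose rounded length the header cannot describe, which is exactly what the added `if (chunklen > SCTP_MAX_CHUNK_LEN) goto nodata;` does before `alloc_skb()`.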