verify size of a new chunk in _sctp_make_chunk() in kernel-net-sctp CVE-2018-5803

Tracked by Jolla

asked 2018-06-25 10:09:46 +0300

this post is marked as community wiki

This post is a wiki. Anyone with karma >75 is welcome to improve it.

updated 2018-06-25 10:09:46 +0300

lpr gravatar image

In the Linux Kernel before version 4.15.8, 4.14.25, 4.9.87, 4.4.121, 4.1.51, and 3.2.102, an error in the "_sctp_make_chunk()" function (net/sctp/sm_make_chunk.c) when handling SCTP packets length can be exploited to cause a kernel crash.

Patch for kernel 3.2 is available.

Files affected: kernel-adaptation-sbj-3.4.108.20171107.1/net/sctp/sm_make_chunk.c lines 1324-1344

so the patch should look like this:

@@ -1324,10 +1324,14 @@ struct sctp_chunk *sctp_make_chunk(const struct sctp_association *asoc,
sctp_chunkhdr_t *chunk_hdr;
struct sk_buff *skb;
struct sock *sk;
+   int chunklen;
+
+   chunklen = WORD_ROUND(sizeof(*chunk_hdr) + paylen);
+   if (chunklen > SCTP_MAX_CHUNK_LEN)
+       goto nodata;

/* No need to allocate LL here, as this is only a chunk. */
-   skb = alloc_skb(WORD_ROUND(sizeof(sctp_chunkhdr_t) + paylen),
-           GFP_ATOMIC);
+   skb = alloc_skb(chunklen, GFP_ATOMIC);
if (!skb)
    goto nodata;
edit retag flag offensive close delete