TCP/IP option data aligement issue cause system broken

1      Problem Description

The field reports show that xxx panel will lockup and then reboot while doing security port scan by nmap.

2      Root Cause

After analysis, this problem happens at all panel versions, standalone/networking panel, and happens at other scanning tools (e.g. Tenable Nessus).

The investigation shows that, the problem was caused by unaligned data access during TCP timestamps option parsing in Linux kernel. The reason can be summarized below:

1)    The ARMv5 or earlier MCU (likes xxx MCU S3C44B0X ARM7TDMI is belong to ARMv4T), who had limited abilities to access memory that was not aligned on a word (four byte) boundary. According to S3C44B0 datasheet (see page 89 Address Alignment), the MCU is going to ABORT mode which cause the system crash.

2)    In Linux TCP option parsing, the handling did not consider the data unaligned in timestamp option, but TCP options are not guaranteed to be aligned at all.

According to the Linux debug output information when TCP package with timestamps options: The timestamps hold address (register: R8) is 0x0DB074E2, which is not multiple 4(word), the Linux kernel error information is: Unhandled fault: alignment exception (13).

1)    TCP package by nmap

2)    Linux debug output

 

3      Solution

The solution is get word value byte one byte when the address is unaligned, which is come from official Linux kernel patch (see appendix). The change is only applied for TCP/IP option parsing and without side effect. The solution had been successfully verified by prototype.

4      Appendix

The patch is come from Linux official, the link is https://archive.org/details/git-history-of-linux.