lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <47B14FD9.1080106@isec.pl>
Date: Tue, 12 Feb 2008 08:50:49 +0100
From: Wojciech Purczynski <cliph@...c.pl>
To: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com, 
	vulnwatch@...nwatch.org
Subject: CSA-L03: Linux kernel vmsplice unchecked
	user-pointer dereference

===[ ABSTRACT ]=========================================================

A new vmsplice() system call was introduced in the 2.6.17 release of the
Linux kernel. In the 2.6.23 kernel the system call functionality has
been further extended resulting in two new critical vulnerabilities.


===[ AFFECTED SOFTWARE ]================================================

Linux 2.6.23 - 2.6.24

For the exact kernel version please refer to an information provided by
your vendor.


===[ DESCRIPTION ]======================================================

VULNERABILITY #1

Inappropriate dereference of user-supplied memory pointers in the
code beginning at line 1378 in the vmsplice_to_user() kernel
function (fs/splice.c):

---8<--- fs/splice.c:1378 ---8<---
	error = get_user(base, &iov->iov_base);
	/* ... */
	if (unlikely(!base)) {
		error = -EFAULT;
		break;
	}
	/* ... */
	sd.u.userptr = base;
	/* ... */
	size = __splice_from_pipe(pipe, &sd, pipe_to_user);
---8<--- fs/splice.c:1401 ---8<---

The code lacks validation of these pointers (i.e. with access_ok()).
The __splice_from_pipe() assumes these are valid user-memory pointers
and never makes any verification of them. The function dereferences the
pointers with __copy_to_user_inatomic() function (in pipe_to_user()) in
order to write data to user-process memory in this case leading to
possibility of arbitrary data (read from pipe) to arbitrary kernel
memory.


VULNERABILITY #2

The copy_from_user_mmap_sem() function copies data from user-process
memory with the use of __copy_from_user_inatomic() without validating
user-supplied pointer with access_ok():

---8<--- fs/splice.c:1188 ---8<---
         partial = __copy_from_user_inatomic(dst, src, n);
---8<--- fs/splice.c:1188 ---8<---

This vulnerability leads to indirect reading of arbitrary kernel memory.


===[ IMPACT ]===========================================================

Vulnerabilities may lead to local system compromise including execution
of arbitrary machine code in the context of running kernel.

Vulnerability #1 has been successfully exploited on Linux 2.6.24.
Vulnerability #2 not tested.


===[ DISCLOSURE TIMELINE ]==============================================

1st Feb 2008	Vendor notification
8th Feb 2008	Public disclosure


===[ AUTHOR ]===========================================================

Wojciech Purczynski <cliph@...earch.coseinc.com>

Wojciech Purczynski is a Security Researcher at Vulnerability Research
Labs, COSEINC PTE Ltd.
http://coseinc.com

Wojciech Purczynski is also a member of iSEC Security Research
http://isec.pl/


===[ LEGAL DISCLAIMER ]=================================================

Copyright (c) 2008 Wojciech Purczynski
Copyright (c) 2008 COSEINC PTE Ltd.

All Rights Reserved.

PUBLISHING, DISTRIBUTING, PRINTING, COPYING, SCANNING, DUPLICATING IN
ANY FORM, MODIFYING WITHOUT PRIOR WRITTEN PERMISSION IS STRICTLY
PROHIBITED.

THE DOCUMENT IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. THE
CONTENT MAY CHANGE WITHOUT NOTICE. IN NO EVENT SHALL THE AUTHORS BE
LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES, INJURIES,
LOSSES OR UNLAWFUL OFFENCES.

USE AT YOUR OWN RISK.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ