lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <ec0288f1-dcf2-62a4-4d12-7dcdac2ccb9b@alphakevin.club>
Date: Tue, 15 Jun 2021 12:00:08 +0200
From: RaziREKT via Fulldisclosure <fulldisclosure@...lists.org>
To: fulldisclosure@...lists.org
Subject: Re: [FD] popo/popo2 linux kernel vulns

Hello KJ Jung,

neither of the mails you sent contain bugs.
The kernel code is sound and the vulnerabilities you reported don't seem 
to exist.

In your first mail (popo:: linux kernel vulns of it),
you point out a flaw in bond_do_ioctl() and bond_set_dev_addr().

>              // [4]:: x90: Trigger point: slave_dev->dev_addr,
> slave_dev->addr_len two variables controlled by user in memcpy
>                       API.
>   622        memcpy(bond_dev->dev_addr, slave_dev->dev_addr,
> slave_dev->addr_len);

It is impossible to set slave_dev->dev_addr to arbitrary values userspace.
The value will be chosen from a handful of fixed hardware address lengths.
None will exceed the length of the buffer that bond_dev->dev_addr points to,
which is always 32 (include/linux/netdevice.h MAX_ADDR_LEN).

In your second email, you report a vulnerability in tun_chr_ioctl()

> __tun_chr_ioctl function of ~/drivers/net/tun.c has a stack buffer
> overflow vulnerability. it get's arg, ifreq_len, and copy the arg(argp)
> to ifr(ifreq struct) and this steps are no bounds-checking.
> ...
> --
> 3352static long tun_chr_ioctl(struct file *file,
> 3353                          unsigned int cmd, unsigned long arg)
> 3354{
> 3355        return __tun_chr_ioctl(file, cmd, arg, sizeof (struct ifreq));
> 3356}
As you can clearly see, ifreq_len is set to the actual size of struct 
ifreq here.
>                      // x90:: vulnerable point::
> 3044                if (copy_from_user(&ifr, argp, ifreq_len)) // bug.
Which means that this piece of code is not exploitable.
There is no way to set ifreq_len from userspace.

Please refrain from sending invalid bug reports.

Regards,
RaziREKT


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ