lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Fri, 20 Aug 2021 04:06:21 +0800
From:   butt3rflyh4ck <butterflyhuangxx@...il.com>
To:     Pavel Skripkin <paskripkin@...il.com>
Cc:     Jakub Kicinski <kuba@...nel.org>,
        Manivannan Sadhasivam <mani@...nel.org>,
        "David S. Miller" <davem@...emloft.net>,
        linux-arm-msm@...r.kernel.org, netdev@...r.kernel.org,
        LKML <linux-kernel@...r.kernel.org>,
        butt3rflyh4ck <butterflyhhuangxx@...il.com>,
        bjorn.andersson@...aro.org
Subject: Re: [PATCH] net: qrtr: fix another OOB Read in qrtr_endpoint_post

Yes, this bug can be triggered without your change. The reason why I
point to your commit is to make it easier for everyone to understand
this bug.

Regards,
 Xiaolong Huang (butt3rflyh4ck)

On Fri, Aug 20, 2021 at 3:53 AM Pavel Skripkin <paskripkin@...il.com> wrote:
>
> On 8/19/21 10:16 PM, Jakub Kicinski wrote:
> > On Fri, 20 Aug 2021 02:14:58 +0800 butt3rflyh4ck wrote:
> >> From: butt3rflyh4ck <butterflyhhuangxx@...il.com>
> >>
> >> This check was incomplete, did not consider size is 0:
> >>
> >>      if (len != ALIGN(size, 4) + hdrlen)
> >>                     goto err;
> >>
> >> if size from qrtr_hdr is 0, the result of ALIGN(size, 4)
> >> will be 0, In case of len == hdrlen and size == 0
> >> in header this check won't fail and
> >>
> >>      if (cb->type == QRTR_TYPE_NEW_SERVER) {
> >>                 /* Remote node endpoint can bridge other distant nodes */
> >>                 const struct qrtr_ctrl_pkt *pkt = data + hdrlen;
> >>
> >>                 qrtr_node_assign(node, le32_to_cpu(pkt->server.node));
> >>         }
> >>
> >> will also read out of bound from data, which is hdrlen allocated block.
> >>
> >> Fixes: 194ccc88297a ("net: qrtr: Support decoding incoming v2 packets")
> >> Fixes: ad9d24c9429e ("net: qrtr: fix OOB Read in qrtr_endpoint_post")
> >
> > Please make sure to CC authors of patches which are under Fixes, they
> > are usually the best people to review the patch. Adding them now.
> >
> >> Signed-off-by: butt3rflyh4ck <butterflyhhuangxx@...il.com>
> >
> > We'll need your name. AFAIU it's because of Developer Certificate of
> > Origin. You'll need to resend with this fixed (and please remember the CCs).
> >
> >> diff --git a/net/qrtr/qrtr.c b/net/qrtr/qrtr.c
> >> index 171b7f3be6ef..0c30908628ba 100644
> >> --- a/net/qrtr/qrtr.c
> >> +++ b/net/qrtr/qrtr.c
> >> @@ -493,7 +493,7 @@ int qrtr_endpoint_post(struct qrtr_endpoint *ep, const void *data, size_t len)
> >>              goto err;
> >>      }
> >>
> >> -    if (len != ALIGN(size, 4) + hdrlen)
> >> +    if (!size || len != ALIGN(size, 4) + hdrlen)
> >>              goto err;
> >>
> >>      if (cb->dst_port != QRTR_PORT_CTRL && cb->type != QRTR_TYPE_DATA &&
> >
>
> I am able to trigger described bug with this repro:
>
> #define _GNU_SOURCE
>
> #include <endian.h>
> #include <stdint.h>
> #include <stdio.h>
> #include <stdlib.h>
> #include <string.h>
> #include <sys/syscall.h>
> #include <sys/types.h>
> #include <unistd.h>
>
> uint64_t r[1] = {0xffffffffffffffff};
>
> int main(void)
> {
>     syscall(__NR_mmap, 0x1ffff000ul, 0x1000ul, 0ul, 0x32ul, -1, 0ul);
>     syscall(__NR_mmap, 0x20000000ul, 0x1000000ul, 7ul, 0x32ul, -1, 0ul);
>     syscall(__NR_mmap, 0x21000000ul, 0x1000ul, 0ul, 0x32ul, -1, 0ul);
>     intptr_t res = 0;
>     memcpy((void*)0x20000000, "/dev/qrtr-tun\000", 14);
>     res = syscall(__NR_openat, 0xffffffffffffff9cul, 0x20000000ul,
> 0x82ul, 0);
>     if (res != -1)
>       r[0] = res;
>     memcpy((void*)0x20000000,
> "\x01\x21\x21\x39\x04\x00\x00\x00\xd6\x2c\xf3\x50"
>
> "\x1a\x47\x56\x52\x19\x56\x86\xef\x00\x00\x00\x00"
>                               "\xff\xff\xff\x00\xfe\xff\xff\xff", 32);
>     syscall(__NR_write, r[0], 0x20000000ul, 0x20ul);
>     return 0;
> }
>
> ( I didn't write it, it's modified syzbot's repro :) )
>
> One thing I am wondering about is why Fixes tag points to my commit? My
> commit didn't introduce any bugs, this bug will happen even _without_ my
> change.
>
> Anyway, LGTM!
>
> Reviewed-by: Pavel Skripkin <paskripkin@...il.com>
>
>
>
>
> With regards,
> Pavel Skripkin



-- 
Active Defense Lab of Venustech

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ