lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <20200413082405.70164089@hermes.lan>
Date:   Mon, 13 Apr 2020 08:24:05 -0700
From:   Stephen Hemminger <stephen@...workplumber.org>
To:     netdev@...r.kernel.org
Subject: Fw: [Bug 207225] New: Malformed headroom in umem request of XDP
 socket could lead to out of bound write



Begin forwarded message:

Date: Mon, 13 Apr 2020 14:27:36 +0000
From: bugzilla-daemon@...zilla.kernel.org
To: stephen@...workplumber.org
Subject: [Bug 207225] New: Malformed headroom in umem request of XDP socket could lead to out of bound write


https://bugzilla.kernel.org/show_bug.cgi?id=207225

            Bug ID: 207225
           Summary: Malformed headroom in umem request of XDP socket could
                    lead to out of bound write
           Product: Networking
           Version: 2.5
    Kernel Version: 5.5.11, 5.5.17, 5.7-rc1
          Hardware: All
                OS: Linux
              Tree: Mainline
            Status: NEW
          Severity: low
          Priority: P1
         Component: Other
          Assignee: stephen@...workplumber.org
          Reporter: minhquangbui99@...il.com
        Regression: No

Created attachment 288417
  --> https://bugzilla.kernel.org/attachment.cgi?id=288417&action=edit  
POC registers malformed headroom in umem registration

- When user calls setsockopt to register umem ring on XDP socket, the headroom
can be a big unsigned 32 bit number, which leads to
   + This check in xdp_umem_reg function (net/xdp/xdp_umem.c) is bypassed
   size_chk = chunk_size - headroom - XDP_PACKET_HEADROOM;
   if (size_chk < 0)
        return -EINVAL;
   + This initialization in the same function, the chunk_size_nohr becomes
larger than actual size
   umem->chunk_size_nohr = chunk_size - headroom; 

- Consequence: I see that the chunk_size_nohr is used to check that the
xdp_buff can fit into the chunk in xsk receive functions; with this malformed
chunk_size_nohr, we can put a larger than chunk size xdp_buff to chunk, leads
to an out of bound write. However, I research some more and find that to
trigger to receive functions, we must redirect the packets from XDP program
using xskmap which requires CAP_NET_ADMIN capability, which makes this very low
impact.

- Unfortunately, I cannot trigger xsk receive functions (I am new to Linux
kernel) due to some error when binding XDP program to an interface. I can only
prove the register side, the initialization of chunk_size_nohr via debugging. I
attached the POC of malformed headroom umem register below, which I tested on
kernel 5.5.11. The POC needs to be run with root privilege (or a user with
CAP_NET_RAW, this could be achieve with new user namespace on kernel with
CONFIG_USER_NS=y, however, as far as I know, next phases when allocate xskmap,
CAP_NET_ADMIN is required and user namespace is not permitted).

Thank you very much for reviewing this report

-- 
You are receiving this mail because:
You are the assignee for the bug.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ