lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <CAFcO6XOGjHzys4GywczXyePiPcEXw7P=gBPwYU5nv0f-a=eFig@mail.gmail.com>
Date:   Wed, 18 Aug 2021 15:33:38 +0800
From:   butt3rflyh4ck <butterflyhuangxx@...il.com>
To:     mani@...nel.org, "David S. Miller" <davem@...emloft.net>,
        Jakub Kicinski <kuba@...nel.org>
Cc:     linux-arm-msm@...r.kernel.org, netdev@...r.kernel.org
Subject: Re: Another out-of-bound Read in qrtr_endpoint_post in net/qrtr/qrtr.c

Here I make a patch for this issue.

Regards,
 butt3rflyh4ck.
On Tue, Aug 17, 2021 at 7:52 PM butt3rflyh4ck
<butterflyhuangxx@...il.com> wrote:
>
> Hi, there is another out-of-bound read in qrtr_endpoint_post in
> net/qrtr/qrtr.c in 5.14.0-rc6+ and reproduced.
>
> #analyze
> In qrtr_endpoint_post, it would post incoming data from the user, the
> ‘len’ is the size of data, the problem is in 'size'.
> ```
> case QRTR_PROTO_VER_1:
> if (len < sizeof(*v1))   // just  judge len < sizeof(*v1)
> goto err;
> v1 = data;
> hdrlen = sizeof(*v1);
> [...]
> size = le32_to_cpu(v1->size);
> break;
> ```
> If the version of qrtr proto  is QRTR_PROTO_VER_1, hdrlen is
> sizeof(qrtr_hdr_v1) and size is le32_to_cpu(v1->size).
> ```
> if (len < sizeof(*v2))  // just judge len < sizeof(*v2)
> goto err;
> v2 = data;
> hdrlen = sizeof(*v2) + v2->optlen;
> [...]
> size = le32_to_cpu(v2->size);
> break;
> ```
> if version of qrtr proto is QRTR_PROTO_VER_2, hdrlen is
> sizeof(qrtr_hdr_v2) and size is le32_to_cpu(v2->size).
>
> the code as below can be bypassed.
> ```
> if (len != ALIGN(size, 4) + hdrlen)
> goto err;
> ```
> if we set size zero and  make 'len' equal to 'hdrlen', the judgement
> is bypassed.
>
> ```
> if (cb->type == QRTR_TYPE_NEW_SERVER) {
> /* Remote node endpoint can bridge other distant nodes */
> const struct qrtr_ctrl_pkt *pkt = data + hdrlen;
>
> qrtr_node_assign(node, le32_to_cpu(pkt->server.node)); //[1]
> }
> ```
> *pkt = data + hdrlen = data + len, so pkt pointer the end of data.
> [1]le32_to_cpu(pkt->server.node) could read out of bound.
>
> #crash log:
> [ 2436.657182][ T8433]
> ==================================================================
> [ 2436.658615][ T8433] BUG: KASAN: slab-out-of-bounds in
> qrtr_endpoint_post+0x478/0x5b0
> [ 2436.659971][ T8433] Read of size 4 at addr ffff88800ef30a2c by task
> qrtr_endpoint_p/8433
> [ 2436.661476][ T8433]
> [ 2436.661964][ T8433] CPU: 1 PID: 8433 Comm: qrtr_endpoint_p Not
> tainted 5.14.0-rc6+ #7
> [ 2436.663431][ T8433] Hardware name: QEMU Standard PC (i440FX + PIIX,
> 1996), BIOS 1.13.0-1ubuntu1 04/01/2014
> [ 2436.665220][ T8433] Call Trace:
> [ 2436.665870][ T8433]  dump_stack_lvl+0x57/0x7d
> [ 2436.666748][ T8433]  print_address_description.constprop.0.cold+0x93/0x334
> [ 2436.668054][ T8433]  ? qrtr_endpoint_post+0x478/0x5b0
> [ 2436.669072][ T8433]  ? qrtr_endpoint_post+0x478/0x5b0
> [ 2436.669957][ T8433]  kasan_report.cold+0x83/0xdf
> [ 2436.670833][ T8433]  ? qrtr_endpoint_post+0x478/0x5b0
> [ 2436.671780][ T8433]  kasan_check_range+0x14e/0x1b0
> [ 2436.672707][ T8433]  qrtr_endpoint_post+0x478/0x5b0
> [ 2436.673646][ T8433]  qrtr_tun_write_iter+0x8b/0xe0
> [ 2436.674587][ T8433]  new_sync_write+0x245/0x360
> [ 2436.675462][ T8433]  ? new_sync_read+0x350/0x350
> [ 2436.676353][ T8433]  ? policy_view_capable+0x3b0/0x6d0
> [ 2436.677266][ T8433]  ? apparmor_task_setrlimit+0x4d0/0x4d0
> [ 2436.678251][ T8433]  vfs_write+0x344/0x4e0
> [ 2436.679024][ T8433]  ksys_write+0xc4/0x160
> [ 2436.679758][ T8433]  ? __ia32_sys_read+0x40/0x40
> [ 2436.680605][ T8433]  ? syscall_enter_from_user_mode+0x21/0x70
> [ 2436.681661][ T8433]  do_syscall_64+0x35/0xb0
> [ 2436.682445][ T8433]  entry_SYSCALL_64_after_hwframe+0x44/0xae
>
> #fix suggestion
> 'size' should not be zero, it is length of packet, excluding this
> header or (excluding this header and optlen).
>
>
> Regards,
>  butt3rflyh4ck.
> --
> Active Defense Lab of Venustech



-- 
Active Defense Lab of Venustech

View attachment "0001-net-qrtr-fix-another-OOB-Read-in-qrtr_endpoint_post.patch" of type "text/x-patch" (1543 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ