Message-ID: <20231007064121.GY20998@1wt.eu>
Date: Sat, 7 Oct 2023 08:41:21 +0200
From: Willy Tarreau <w@....eu>
To: netdev@...r.kernel.org
Cc: rootlab@...wei.com
Subject: Fwd: Race Condition Vulnerability in aarp_rcv of nfc module leading to UAF

Hello,

Sili Luo of Huawei sent this to the security list. Eric and I think it
does not deserve special handling from the security team and will be
better addressed here.

Regards,
Willy

PS: actually there were 8, not 6 reports for atalk in this series.

----- Forwarded message from rootlab <rootlab@...wei.com> -----

> Date: Sat, 7 Oct 2023 03:12:17 +0000
> From: rootlab <rootlab@...wei.com>
> Subject: Race Condition Vulnerability in aarp_rcv of nfc module leading to UAF
> To: "security@...nel.org" <security@...nel.org>
> Delivered-To: security@...nel.org
> 
> the document format is markdown.
> 
> I recently found a race condition vulnerability in aarp_rcv, which leads to the kernel accessing a free'd atalk_iface object.
> 
> The vulnerability code presented below is located in Linux 6.5-rc5, and it is possible that other versions may also be affected.
> 
> [Root Cause]
> 
> key code of aarp_rcv:
> 
>   *   aarp_rcv
>      *   struct atalk_iface *ifa = atalk_find_dev(dev)
>         *   return dev->atalk_ptr;
>      *   use ifa
> 
> vuln: aarp_rcv uses ifa without a lock.
> 
> steps to trigger bug:
> 
>   1.  Let thread A be executed in the middle of 1 and 2.
>   2.  Then thread B frees the iface via ioctl(at_fd, SIOCDIFADDR, &atreq).
>   3.  Then thread A will use the free'd iface.
> 
>                                                   Time
>                                                    +
>                                                    |
> thread A                                           |  thread B
> aarp_rcv                                           |  ioctl --> atalk_dev_down
>                                                    |
>                                                    |
>   1.ifa = atalk_find_dev(dev)                      |
>                                                    |
>                                                    |
>                                                    |     2.atif_drop_device(dev)  --> free ifa
>                                                    |
>                                                    |
>     // UAF!                                        |
>   3.use ifa                                        |
>                                                    +
> 
> 
> [Patch Suggestion]
> 
>   1.  add refcount for struct atalk_addr
>   2.  Use the right lock
> 
> [Proof-of-Concept]
> 
> No poc yet
> 
> [CREDIT]
> 
> Sili Luo
> RO0T Lab of Huawei
> 

----- End forwarded message -----
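The interleaving from the report, replayed step by step in a constructed userspace C model (added here; not code from the thread or from the kernel): the raw-pointer lookup described in the report reaches an iface that atif_drop_device() has already released, while a lookup that takes a reference under the lock, as the patch suggestion proposes, does not. The struct layouts, the lock, and replay_race() are assumptions for illustration only.

```c
#include <stdatomic.h>
#include <stdlib.h>

/* Constructed userspace model of the report's objects, not kernel code; "freed" stands in for kfree(). */
struct atalk_iface {
    atomic_int refcnt;  /* added per the patch suggestion; dev->atalk_ptr holds one */
    int freed;          /* set when the last reference is dropped */
};
struct net_device {
    atomic_flag lock;   /* stands in for the lock atalk_dev_down() already takes */
    struct atalk_iface *atalk_ptr;
};
static void dev_lock(struct net_device *d)   { while (atomic_flag_test_and_set(&d->lock)) {} }
static void dev_unlock(struct net_device *d) { atomic_flag_clear(&d->lock); }
/* Lookup as reported: raw pointer, no lock, no reference taken. */
static struct atalk_iface *atalk_find_dev_unsafe(struct net_device *dev) { return dev->atalk_ptr; }
/* Hardened lookup: the reference is taken under the lock, so it cannot overlap
 * atif_drop_device() unlinking the iface and dropping the device's reference. */
static struct atalk_iface *atalk_find_dev_get(struct net_device *dev) {
    dev_lock(dev);
    struct atalk_iface *ifa = dev->atalk_ptr;
    if (ifa) atomic_fetch_add(&ifa->refcnt, 1);
    dev_unlock(dev);
    return ifa;
}
static void atalk_iface_put(struct atalk_iface *ifa) {
    if (atomic_fetch_sub(&ifa->refcnt, 1) == 1) ifa->freed = 1;  /* kfree() in the kernel */
}
/* Model of atif_drop_device(): unlink under the lock, then drop the device's reference. */
static void atif_drop_device(struct net_device *dev) {
    dev_lock(dev);
    struct atalk_iface *ifa = dev->atalk_ptr;
    dev->atalk_ptr = NULL;
    dev_unlock(dev);
    if (ifa) atalk_iface_put(ifa);
}
/* Replays the report's interleaving: 1. lookup, 2. atif_drop_device(), 3. use ifa.
 * Returns 1 if step 3 reaches an already-freed object, 0 if not, -1 on allocation failure. */
int replay_race(int hardened) {
    struct atalk_iface *ifa = calloc(1, sizeof *ifa);
    if (!ifa) return -1;
    atomic_init(&ifa->refcnt, 1);                     /* held by dev->atalk_ptr */
    struct net_device dev = { ATOMIC_FLAG_INIT, ifa };
    struct atalk_iface *p = hardened ? atalk_find_dev_get(&dev) : atalk_find_dev_unsafe(&dev);
    atif_drop_device(&dev);                           /* thread B's step: free ifa */
    int uaf = p->freed;                               /* thread A's step: use ifa */
    if (hardened) atalk_iface_put(p);
    free(ifa);
    return uaf;
}
```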
