Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 16 Mar 2016 03:00:00 +0000
From: Justin Yackoski <jyackoski@...pto-nite.com>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
Subject: CVE-2016-2117 memory disclosure to ethernet due to unchecked
 scatter/gather IO

CVE-2016-2117 memory disclosure to ethernet due to unchecked scatter/gather IO


Affects:

In-tree Linux ethernet drivers:

atheros/atlx/atl2.c  confirmed in versions 3.8 thru 4.5 (possibly earlier)

* see description for more details on other potential less severe impacts


Description:

When scatter/gather IO is enabled (NETIF_F_SG), the ethernet driver may be passed a

list of buffers containing the packet to be sent, rather than a single contiguous buffer

in order to improve performance.  If a driver claims to support scatter/gather but does

a simple memcpy, dma_map_single, or similar call from skb->data to skb->len the result

is that the outgoing packet will be sent containing the first full fragment followed by

whatever kernel memory was at the end of that first fragment.  This data is likely to be

other data from other skb's, but other sensitive data has been seen.  If hardware

checksumming is enabled, the resulting ethernet frame will be valid other than containing

the disclosed memory.


This bug is remotely exploitable in the atl2 driver whenever scatter/gather IO is triggered,

which can be done in some common applications (pcap samples available upon request).


Note that this bug was originally found in an out of tree driver (CVE-2016-2553), and may

go unnoticed in similar drivers until the right conditions for scatter/gather IO are hit.


Apart from the atl2 driver that can be remotely exploited, other in-tree drivers are not

remotely exploitable but a local privileged user with access to kernel runtime memory

may be able to cause a driver that does not check for skb fragments to start to behave

improperly.


Mitigation:

1) If using atl2 driver run the following at each boot (not confirmed due to lack of hardware

          availability):

    ethtool -K <ethX> sg off

2) Other drivers that don't expect scatter/gather, ensure appropriate local permissions.


Recommended fixes:

1) remove NETIF_F_SG from atl2.c

2) if an ethernet driver does not handle scatter/gather, consider a run-time check for

     fragments in the ndo_start_xmit handler rather than a compile time-assumption for maximum

     security.


Patches:

None available currently, although in atl2 simply remove the NETIF_F_SG identifier from the

hw_features of the net device structure.


Credits:

Justin Yackoski @ Cryptonite


Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ