Date: Sun, 31 Jul 2016 15:25:20 -0600
From: Scott Bauer <sbauer@...donthack.me>
To: oss-security@...ts.openwall.com
Subject: CVE Request: Linux >= 4.5 double fetch leading to heap overflow

Good afternoon,

For Mitre:

Some code was moved from btrfs to the generic vfs ioctl:
(https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/fs/ioctl.c?h=v4.5&id=54dbc15172375641ef03399e8f911d7165eb90fb).

During the port a double fetch with userland was introduced which can lead to an undersized allocation and subsequent heap overflow
with potentially controlled data. It has been patched in upstream here:

https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=10eec60ce79187686e052092e5383c99b4420a20


For OSS-sec:

Attached is a PoC. I attempted to write an exploit for this but that's not really my forte. I feel like this bug
has the potential for a workable user->root exploit but I couldn't do it.

1: You can control which cache the overflow happens on. I picked the same cache as the file struct.
2: The code writes 2 different-width zeros past the allocation, one 32-bit and the other 64-bit.
3: I attempted to overflow and write the 32-bit 0 to the top half of a pointer so it would point to userland,
but I couldn't find a suitable structure to overflow into.

So if anyone plays around with this and gets a workable exploit please share the details as I'm looking to expand my exploitation knowledge and techniques.


Thank you,
--Scott

For the PoC:
gcc -pthread doublefetch.c
./a.out 7 65534 1000000 0



Attachment: "doublefetch.c" (text/x-csrc, 3196 bytes)
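A constructed userspace model of the pattern the message describes, added here as an example (it is neither the attached PoC nor kernel code): the count field is fetched once to size the allocation and again as part of the full copy, and a second thread changing it in between makes the per-entry loop run past the buffer. The `hardened` branch is the single assignment the upstream fix adds; field names mirror the uapi structs but the buffers and values are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Field layout mirrors the uapi struct file_dedupe_range / file_dedupe_range_info the
 * ioctl takes; the structs and everything below are a constructed model, not kernel code. */
struct dedupe_info  { int64_t dest_fd; uint64_t dest_offset; uint64_t bytes_deduped;
                      int32_t status; uint32_t reserved; };
struct dedupe_range { uint64_t src_offset; uint64_t src_length; uint16_t dest_count;
                      uint16_t reserved1; uint32_t reserved2; struct dedupe_info info[]; };

#define MAX_INFO 16
/* Stand-in for the caller's ("userland") buffer; uint64_t keeps it aligned for the struct view. */
static uint64_t user_mem[(sizeof(struct dedupe_range) + MAX_INFO * sizeof(struct dedupe_info)) / 8];

/* Models the handler's two fetches. first_count is what the caller's buffer holds at the
 * sizing fetch (<= MAX_INFO); raced_count is what another caller thread has changed it to
 * by the full copy. Returns how many info[] entries the loop would touch past the allocation. */
int overflow_entries(uint16_t first_count, uint16_t raced_count, int hardened)
{
    struct dedupe_range *user_arg = (struct dedupe_range *)user_mem;
    if (first_count > MAX_INFO) return -1;
    memset(user_mem, 0, sizeof user_mem);
    user_arg->dest_count = first_count;

    /* fetch 1: only dest_count, used to size the kernel-side copy (models get_user) */
    uint16_t count;
    memcpy(&count, &user_arg->dest_count, sizeof count);
    size_t size = offsetof(struct dedupe_range, info) + count * sizeof(struct dedupe_info);
    struct dedupe_range *same = malloc(size);            /* models kmalloc(size) */
    if (!same) return -1;

    /* race window: in the real bug a second user thread rewrites dest_count here */
    user_arg->dest_count = raced_count;

    /* fetch 2: the whole struct, but only `size` bytes (models copy_from_user) */
    memcpy(same, user_arg, size);

    /* the upstream fix: re-pin dest_count to the value the allocation was sized for */
    if (hardened)
        same->dest_count = count;

    /* the real loop zeroes info[i].bytes_deduped (64-bit) and info[i].status (32-bit) for
     * i < same->dest_count; this model only counts the entries that lie past the allocation */
    int past = same->dest_count > count ? same->dest_count - count : 0;
    free(same);
    return past;
}
```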
