Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Sat, 16 Dec 2017 00:29:09 +0000
From: Mohamed Ghannam <simo.ghannam@...il.com>
To: oss-security@...ts.openwall.com
Subject: CVE-2017-17712 net/ipv4/raw.c: raw_sendmsg() race condition

Hi,


This is an announcement for CVE-2017-17712 which is a race condition leads
to uninitialized stack variable, this might be used to gain code execution.


The bug was introduced  here :
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=c008ba5bdc9fa830e1a349b20b0be5a137bdef7a

And fixed here :
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=8f659a03a0ba9289b9aeb9b4470e6fb263d6f483


#######   BUG DETAILS  ############


in net/ipv4/raw.c:

static int raw_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)

{

...

struct raw_frag_vec rfv;  [1]

...


...

if (!inet->hdrincl) {  [2]

rfv.msg = msg;

rfv.hlen = 0;


err = raw_probe_proto_opt(&rfv, &fl4);

if (err)

goto done;

}

...

...

if (inet->hdrincl)  [3]

err = raw_send_hdrinc(sk, &fl4, msg, len,

      &rt, msg->msg_flags, &ipc.sockc);


 else {

sock_tx_timestamp(sk, ipc.sockc.tsflags, &ipc.tx_flags);


if (!ipc.addr)

ipc.addr = fl4.daddr;

lock_sock(sk);

err = ip_append_data(sk, &fl4, raw_getfrag,

     &rfv, len, 0, [4]

     &ipc, &rt, msg->msg_flags);

...

}


[1] rfv is not initialized and contains a pointer to a msghdr header
structure.

[2], [3] There are multiple checks against inet->hdrincl without a lock.


When we achieve (by racing inet->hdrincl via setsockopt()) inet->hdrincl=1
in [1], and inet->hdrincl=0 in [2], rfv variable remains uninitialized and
used in [4].

By spraying the stack with controlled user data , we can take control of
msg pointer which is used later in ip_append_data().


In attachment  : poc.c + kernel panic log


#######   CREDITS  ############

Mohamed GHANNAM

Content of type "text/html" skipped

Download attachment "panic.log" of type "application/octet-stream" (2899 bytes)

View attachment "poc.c" of type "text/x-csrc" (2287 bytes)

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ