Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Tue, 20 Feb 2018 12:19:13 +0000
From: Mohamed Ghannam <simo.ghannam@...il.com>
To: alex.popov@...ux.com
Cc: oss-security@...ts.openwall.com
Subject: Re: CVE-2017-17712 net/ipv4/raw.c: raw_sendmsg() race condition

Hi,

It looks great!, awesome work

Cheers,
Mohamed

2018-02-20 9:45 GMT+00:00 Alexander Popov <alex.popov@...ux.com>:

> Hello Mohamed,
>
> On 16.12.2017 03:29, Mohamed Ghannam wrote:
> > Hi,
> >
> > This is an announcement for CVE-2017-17712 which is a race condition
> leads to
> > uninitialized stack variable, this might be used to gain code execution.
> >
> > The bug was introduced  here
> > : https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/
> linux.git/commit/?id=c008ba5bdc9fa830e1a349b20b0be5a137bdef7a
> >
> > And fixed here :
> > https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/
> linux.git/commit/?id=8f659a03a0ba9289b9aeb9b4470e6fb263d6f483
>
> Thanks a lot for your report, PoC and patch fixing the issue. Really great!
>
> The exploitation of this kind of vulnerabilities should be blocked by
> STACKLEAK.
>
> STACKLEAK is a Linux kernel hardening feature initially developed by
> Grsecurity/PaX. I'm doing my best to introduce it to the mainline kernel:
> http://www.openwall.com/lists/kernel-hardening/2018/02/16/2
>
> > By spraying the stack with controlled user data , we can take control of
> msg
> > pointer which is used later in ip_append_data().
>
> I've tested your PoC against the kernel with STACKLEAK. The msg pointer is
> now
> initialized with STACKLEAK_POISON (-0xBEEF), which points to the unused
> hole in
> the virtual memory map.
>
> So the access to msg->msg_iter gives the following:
>
> [    8.806868] BUG: unable to handle kernel paging request at
> ffffffffffff4121
> [    8.807738] IP: csum_and_copy_from_iter_full+0x2d/0x400
> [    8.807738] PGD 220c067 P4D 220c067 PUD 220e067 PMD 0
> [    8.807738] Oops: 0000 [#1] SMP PTI
> [    8.807738] Dumping ftrace buffer:
> [    8.807738]    (ftrace buffer empty)
> [    8.807738] Modules linked in:
> [    8.807738] CPU: 0 PID: 2893 Comm: poc Not tainted 4.16.0-rc1+ #4
> [    8.807738] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
> Ubuntu-1.8.2-1ubuntu1 04/01/2014
> [    8.807738] RIP: 0010:csum_and_copy_from_iter_full+0x2d/0x400
> [    8.807738] RSP: 0018:ffffc900015679c0 EFLAGS: 00010246
> [    8.807738] RAX: 0000000000000000 RBX: 0000000000006400 RCX:
> ffffffffffff4121
> [    8.807738] RDX: ffffc90001567a44 RSI: 0000000000006400 RDI:
> ffff88003d398024
> [    8.807738] RBP: ffffffffffff4111 R08: 0000000000000000 R09:
> ffff88003d0291c0
> [    8.807738] R10: 0000000000000000 R11: 0000000000000001 R12:
> 0000000000000000
> [    8.807738] R13: ffffffffffff4121 R14: 0000000000006400 R15:
> ffff88003d2e6b10
> [    8.807738] FS:  00007f671dff4700(0000) GS:ffff88003ec00000(0000)
> knlGS:0000000000000000
> [    8.807738] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [    8.807738] CR2: ffffffffffff4121 CR3: 000000003e044000 CR4:
> 00000000000006f0
> [    8.807738] Call Trace:
> [    8.807738]  ? __kmalloc_reserve.isra.41+0x32/0x80
> [    8.807738]  ip_generic_getfrag+0x84/0xc0
> [    8.807738]  __ip_append_data.isra.48+0x69c/0x8a0
> [    8.807738]  ? raw_destroy+0x20/0x20
> [    8.807738]  ? raw_destroy+0x20/0x20
> [    8.807738]  ip_append_data.part.50+0x6f/0xd0
> [    8.807738]  raw_sendmsg+0x432/0xa30
> [    8.807738]  ? _copy_from_user+0x44/0x70
> [    8.807738]  ? rw_copy_check_uvector+0x5b/0x110
> [    8.807738]  sock_sendmsg+0x37/0x40
> [    8.807738]  ___sys_sendmsg+0x269/0x2c0
> [    8.807738]  ? __sys_sendmsg+0x55/0x90
> [    8.807738]  __sys_sendmsg+0x55/0x90
> [    8.807738]  do_syscall_64+0x63/0x120
> [    8.807738]  entry_SYSCALL_64_after_hwframe+0x21/0x86
> [    8.807738] RIP: 0033:0x7f6780c68e90
> [    8.807738] RSP: 002b:00007f671dff3f00 EFLAGS: 00000293 ORIG_RAX:
> 000000000000002e
> [    8.807738] RAX: ffffffffffffffda RBX: 0000000000000003 RCX:
> 00007f6780c68e90
> [    8.807738] RDX: 0000000000000000 RSI: 0000000001ec6010 RDI:
> 0000000000000003
> [    8.807738] RBP: 0000000001ec6010 R08: 0000000000000000 R09:
> 00007f671dff4700
> [    8.807738] R10: 00007f671dff3f40 R11: 0000000000000293 R12:
> 0000000000000000
> [    8.807738] R13: 00007ffcbe8d1c9f R14: 0000000000000000 R15:
> 00007f6781099040
> [    8.807738] Code: 41 56 49 89 f6 41 55 41 54 49 89 cd 55 53 48 83 ec 48
> 65 48
> 8b 04 25 28 00 00 00 48 89 44 24 40 31 c0 48 89 7c 24 08 48 89 14 24 <41>
> 8b 45
> 00 a8 08 0f 85 58 01 00 00 4d 39 75 10 72 79 48 8b 3c
> [    8.807738] RIP: csum_and_copy_from_iter_full+0x2d/0x400 RSP:
> ffffc900015679c0
> [    8.807738] CR2: ffffffffffff4121
> [    8.807738] ---[ end trace d60ea40e033c90b3 ]---
>
>
> Do you think the attacker is able to bypass it?
> Thanks a lot again!
>
> Best regards,
> Alexander
>

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.