Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Mon, 21 Nov 2022 07:39:20 -0300
From: Thadeu Lima de Souza Cascardo <cascardo@...onical.com>
To: oss-security@...ts.openwall.com
Subject: Re: Linux kernel: staging: rtl8712: A
 Use-after-Free/Double-Free bug in read_bbreg_hdl in
 drivers/staging/rtl8712/rtl8712_cmd.c

On Fri, Nov 18, 2022 at 11:58:55AM +0800, Zheng Hacker wrote:
> hi,
> This is a bug I've found in linux kernel before 5.19.2, which is
> in cmd_hdl_filter in drivers/staging/rtl8712/rtl8712_cmd.c, allows
> attacker to launch Local Denial of Service attack and gain escalation
> of privileges.
> I reported it to linux kernel in 2022.8.29 and the upstream fixed it in
> 2022.09.06. Now the patch was opened to the public
> 
> ## Root cause && possible exploit
> 
> This is a uaf / double free bug. Whenrtl8712 wireless networdk adapter
> initialized, for example using command "ifconfig wlan0 up",
> it calls netdev_open function, which final calls cmd_hdl_filter function.
> As we can control the command code, we can trigger the vulnerabiliy.
> After pcmd object was freed, we can use msg_msg heap spray to
> get the object, and design the layout of it. By controlling the parambuf
> address, we can leak infomation to pcmbuf, which will finally write to
> adapater's memory. By using msg_msg tech we can also leak the information.
> Then in r8712_free_cmd_obj funtion , as we have access to pcmd->parmbuf. Now
> we have a Arbitrary Free bug. This is a powerful primitive and there is some
> common skill after that.
> 
> ## Fix
> 
> [1] https://lore.kernel.org/all/20220906132823.157986856@linuxfoundation.org/
> [2] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=c53b3dcb9942b8ed7f81ee3921c4085d87070c73
> 
> ## CVE
> 
> Now no CVE number is assigned for this issue.
> 

This was assigned CVE-2022-4095.

Regards.
Cascardo.

> ## Timeline
> 
> 2022-08-29: reported to security@...nel.org
> 2022-08-29: bug confirmed
> 2022-09-06: patch it
> 2022-09-06: patch released
> 2022-09-07: apply for a CVE number in MITRE
> 2022-09-29: reported to secalert@...hat.com
> 2022-11-18: Announced on oss-security lists.
> 
> ## Credit
> 
> Zheng Wang(@xmzyshypnc) and Zhuorao Yang(@A1ex)
> 
> ## Additional Information
> 
> This is a bug reported to Linux kernel. Although staging driver is not
> a so important driver module in Linux. [1] This vulnerability has been
> introduced as far as the driver was added in 2010. I've checked the
> issue doesn't affect the vendor in the CNA-project list. But this
> issue can affect othe company who use it as their rtl8712 adapter
> driver module like D-link [2] . I  searched the related issue like
> CVE-2021-28660. I think its NOTE description(NOTE: from the
> perspective of kernel.org releases, CVE IDs are not normally used for
> drivers/staging/* (unfinished work); however, system integrators may
> have situations in which a drivers/staging issue is relevant to their
> own customer base) is very appropriate for my situation.  This is a
> long-existing issue as far as the driver module was added so I think
> it's necessary to assign a CVE number so that anyone using it can fix
> the bug.
> 
> [1] https://github.com/torvalds/linux/commit/2865d42c78a9121caad52cb02d1fbb7f5cdbc4ef
> [2] https://cateee.net/lkddb/web-lkddb/R8712U.html
> 
> 
> Best regards,
> Zheng Wang

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.