Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Sun, 5 Nov 2023 18:36:52 +0100
From: Solar Designer <solar@...nwall.com>
To: Pietro Borrello <borrello@...g.uniroma1.it>
Cc: oss-security@...ts.openwall.com
Subject: Re: Linux Kernel: hid: type confusions on hid report_list entry

On Tue, Jan 17, 2023 at 06:05:30PM +0100, Pietro Borrello wrote:
> We found potential misuses of list_entry() on lists in hid driver
> code that are not checked, specifically hid_validate_values() in
> drivers/hid/hid-core.c and bigben_probe() in drivers/hid/hid-bigbenff.c.
> Issuing a list_entry() on an empty list causes a type confusion making
> the list_entry point to the list_head itself.
> The most impactful seems the missing check for an empty list in
> hid_validate_values() which is supposed to check the validity of the
> reports themselves, potentially affecting all the drivers that rely on it.
> 
> The problem is caused by the driver's assumption that the device must
> have a valid report_list. While this will be true for all normal HID
> devices, a suitably malicious device can violate the assumption.
> 
> At a first glance, it may seem that the patches have security implications.
> However, when plugging a device which provides a descriptor with no output
> report, the type confusions will create a fake struct hid_report*
> which points to ((struct hid_device *)hid).report_enum[type].report_list.
> This, by chance, makes the type confused structure to span
> the `struct hid_report* report_id_hash[256]` array in the
> ((struct hid_device *)hid).report_enum[type] field.
> 
> Then, due to their semantics hid_validate_values() will check
> (report->maxfield > field_index) on the type-confused report,
> and the maxfield field happens to overlap on the
> report_id_hash[] array in the report_enum[type] field
> which are all NULL since we provided no reports.
> Similarly, for bigben_probe(), the confused report entry is
> used in the bigben_worker() function which checks
> (report->field[0] != NULL) that, again, overlaps with a NULL
> pointer.
> It seems there is a commit (918aa1ef104d: "HID: bigbenff: prevent
> null pointer dereference") which added the check for report_field
> being NULL to bigben_worker() to prevent crashing, but without
> checking the actual root cause.
> 
> Thus, while being type confusions bugs, they are not exploitable.
> The list checks should be added also to prevent future exploitability
> if the shape of the structure changes (e.g., structure layout
> randomization), and they do not overlap anymore with NULL pointers.
> In this case, it is not exploitable just by the pure chance of struct
> member ordering.
> 
> This post has been written in accordance with linux-distros rules to
> which we disclosed the initial findings of the potential vulnerabilities.
> as even if the bugs seem not exploitable, the wider community on
> oss-security might see how the issue does have security relevance.
> 
> We submitted patches to fix the issue by checking that the lists
> are non-empty before allowing them to be used:
> https://lore.kernel.org/all/20230114-hid-fix-emmpty-report-list-v1-0-e4d02fad3ba5@diag.uniroma1.it/T/

This was assigned CVE-2023-1073, which also covers a bug mentioned in
another oss-security posting below:

CVE-2023-1073 - Type Confusion in hid_validate_values()
patch:
https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=b12fece4c64857e5fab4290bf01b2e0317a88456
oss-security: https://www.openwall.com/lists/oss-security/2023/01/17/3

CVE-2023-1073 - Type Confusion in bigben_probe()
patch:
https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=c7bf714f875531f227f2ef1fdcc8f4d44e7c7d9d
oss-security: https://www.openwall.com/lists/oss-security/2023/01/17/3

CVE-2023-1073 - NULL Ptr Deref in betopff_init()
patch:
https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=3782c0d6edf658b71354a64d60aa7a296188fc90
oss-security: https://www.openwall.com/lists/oss-security/2023/01/18/3

Alexander

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.