Date: Wed, 16 Mar 2016 03:00:00 +0000 From: Justin Yackoski <jyackoski@...pto-nite.com> To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com> Subject: CVE-2016-2117 memory disclosure to ethernet due to unchecked scatter/gather IO CVE-2016-2117 memory disclosure to ethernet due to unchecked scatter/gather IO Affects: In-tree Linux ethernet drivers: atheros/atlx/atl2.c confirmed in versions 3.8 thru 4.5 (possibly earlier) * see description for more details on other potential less severe impacts Description: When scatter/gather IO is enabled (NETIF_F_SG), the ethernet driver may be passed a list of buffers containing the packet to be sent, rather than a single contiguous buffer in order to improve performance. If a driver claims to support scatter/gather but does a simple memcpy, dma_map_single, or similar call from skb->data to skb->len the result is that the outgoing packet will be sent containing the first full fragment followed by whatever kernel memory was at the end of that first fragment. This data is likely to be other data from other skb's, but other sensitive data has been seen. If hardware checksumming is enabled, the resulting ethernet frame will be valid other than containing the disclosed memory. This bug is remotely exploitable in the atl2 driver whenever scatter/gather IO is triggered, which can be done in some common applications (pcap samples available upon request). Note that this bug was originally found in an out of tree driver (CVE-2016-2553), and may go unnoticed in similar drivers until the right conditions for scatter/gather IO are hit. Apart from the atl2 driver that can be remotely exploited, other in-tree drivers are not remotely exploitable but a local privileged user with access to kernel runtime memory may be able to cause a driver that does not check for skb fragments to start to behave improperly. Mitigation: 1) If using atl2 driver run the following at each boot (not confirmed due to lack of hardware availability): ethtool -K <ethX> sg off 2) Other drivers that don't expect scatter/gather, ensure appropriate local permissions. Recommended fixes: 1) remove NETIF_F_SG from atl2.c 2) if an ethernet driver does not handle scatter/gather, consider a run-time check for fragments in the ndo_start_xmit handler rather than a compile time-assumption for maximum security. Patches: None available currently, although in atl2 simply remove the NETIF_F_SG identifier from the hw_features of the net device structure. Credits: Justin Yackoski @ Cryptonite
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.