Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Sat, 16 Dec 2017 00:29:09 +0000
From: Mohamed Ghannam <simo.ghannam@...il.com>
To: oss-security@...ts.openwall.com
Subject: CVE-2017-17712 net/ipv4/raw.c: raw_sendmsg() race condition

Hi,


This is an announcement for CVE-2017-17712 which is a race condition leads
to uninitialized stack variable, this might be used to gain code execution.


The bug was introduced  here :
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=c008ba5bdc9fa830e1a349b20b0be5a137bdef7a

And fixed here :
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=8f659a03a0ba9289b9aeb9b4470e6fb263d6f483


#######   BUG DETAILS  ############


in net/ipv4/raw.c:

static int raw_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)

{

...

struct raw_frag_vec rfv;  [1]

...


...

if (!inet->hdrincl) {  [2]

rfv.msg = msg;

rfv.hlen = 0;


err = raw_probe_proto_opt(&rfv, &fl4);

if (err)

goto done;

}

...

...

if (inet->hdrincl)  [3]

err = raw_send_hdrinc(sk, &fl4, msg, len,

      &rt, msg->msg_flags, &ipc.sockc);


 else {

sock_tx_timestamp(sk, ipc.sockc.tsflags, &ipc.tx_flags);


if (!ipc.addr)

ipc.addr = fl4.daddr;

lock_sock(sk);

err = ip_append_data(sk, &fl4, raw_getfrag,

     &rfv, len, 0, [4]

     &ipc, &rt, msg->msg_flags);

...

}


[1] rfv is not initialized and contains a pointer to a msghdr header
structure.

[2], [3] There are multiple checks against inet->hdrincl without a lock.


When we achieve (by racing inet->hdrincl via setsockopt()) inet->hdrincl=1
in [1], and inet->hdrincl=0 in [2], rfv variable remains uninitialized and
used in [4].

By spraying the stack with controlled user data , we can take control of
msg pointer which is used later in ip_append_data().


In attachment  : poc.c + kernel panic log


#######   CREDITS  ############

Mohamed GHANNAM

Content of type "text/html" skipped

Download attachment "panic.log" of type "application/octet-stream" (2899 bytes)

View attachment "poc.c" of type "text/x-csrc" (2287 bytes)

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.