Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Thu, 25 Jul 2019 10:29:53 -0400
From: Brad Spengler <spender@...ecurity.net>
To: oss-security@...ts.openwall.com
Subject: Re: CVE-2019-10207: linux kernel: bluetooth:
 hci_uart: 0x0 address execution as nonprivileged user

Hi,

https://twitter.com/grsecurity/status/1154397455267586050

"The only "direct" ones in hci_ath.c (ath_wakeup_ar3k) are also done in 
worker context: ath_hci_uart_work(), created from ath_open().  Looks 
like just a DoS then"

Thanks,
-Brad

On Thu, Jul 25, 2019 at 02:46:19PM +0200, Andrey Konovalov wrote:
> On Thu, Jul 25, 2019 at 2:32 PM Vladis Dronov <vdronov@...hat.com> wrote:
> >
> > Hello,
> >
> > It was found (by the syzkaller initially) that a 0x0 address execution is
> > possible as nonprivileged user in the latest Linux kernel (considering
> > protection measures like SMEP, vm.mmap_min_addr, etc are disabled).
> >
> > The Linux kernel must have any of following config options enabled:
> >
> > CONFIG_BT_HCIUART_MRVL (easy to hit)
> > CONFIG_BT_HCIUART_QCA (hard to hit)
> > CONFIG_BT_HCIUART_BCM
> > CONFIG_BT_HCIUART_INTEL
> > CONFIG_BT_HCIUART_ATH3K
> >
> > The suggested fix is posted at:
> >
> > https://lore.kernel.org/linux-bluetooth/20190725120909.31235-1-vdronov@redhat.com/T/#u
> >
> > The bug and the reproducer are public, as they were found by the syzcaller
> > several months ago:
> >
> > https://syzkaller.appspot.com/bug?id=1b42faa2848963564a5b1b7f8c837ea7b55ffa50
> >
> > CVE-2019-10207 was assigned to this bug.
> >
> > $ id
> > uid=1000(vladis) gid=1000(vladis) groups=1000(vladis)
> > $ uname -r
> > 5.2.0
> > $ ./hci-proto-crash 11
> > proto = 11
> > ioctl(SET_HCI_UART_PROTO): Success
> > [   99.894572] BUG: kernel NULL pointer dereference, address: 0000000000000000
> > [   99.897287] #PF: supervisor instruction fetch in kernel mode
> > [   99.897863] #PF: error_code(0x0010) - not-present page
> > [   99.898389] PGD 0 P4D 0
> > [   99.899036] Oops: 0010 [#1] SMP
> > [   99.899795] CPU: 2 PID: 691 Comm: kworker/u17:0 Not tainted 5.2.0 #23
> > [   99.900836] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996)
> > [   99.902912] Workqueue: hci0 hci_power_on
> > [   99.903673] RIP: 0010:0x0
> > [   99.904416] Code: Bad RIP value.
> > [   99.905137] RSP: 0018:ffff92d8822c7d98 EFLAGS: 00010246
> > [   99.906014] RAX: ffffffff97e7a3e0 RBX: ffff8af7b5dd9e00 RCX: 00000000000010b2
> > [   99.907075] RDX: 00000000ffffffff RSI: ffff92d8822c7d44 RDI: ffff8af7b46c0400
> > [   99.908127] RBP: ffff8af7b46c0400 R08: 0000000000000000 R09: 000000000001cb00
> > [   99.909232] R10: 000000000000001e R11: 000000000001b900 R12: ffff8af7b45d4000
> > [   99.910332] R13: ffff8af7b45d4a08 R14: 0000000000000000 R15: 0ffff8af7b167ad0
> > [   99.911452] FS:  0000000000000000(0000) GS:ffff8af7b7880000(0000) knlGS:0000000000000000
> > [   99.912709] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> > [   99.913682] CR2: ffffffffffffffd6 CR3: 000000007060a003 CR4: 00000000001606e0
> > [   99.914764] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> > [   99.915830] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> > [   99.916877] Call Trace:
> > [   99.917538]  hci_uart_set_flow_control+0x149/0x1b0
> > [   99.918441]  mrvl_setup+0xe/0x70
> > [   99.919209]  hci_dev_do_open+0x1eb/0x690
> > [   99.920013]  ? sched_clock+0x5/0x10
> > [   99.920784]  hci_power_on+0x45/0x250
> > [   99.921549]  ? __wake_up_common_lock+0x87/0xc0
> > [   99.922399]  process_one_work+0x1c4/0x3a0
> > [   99.923230]  worker_thread+0x45/0x3c0
> > [   99.924019]  kthread+0xf3/0x130
> > [   99.924735]  ? trace_event_raw_event_workqueue_execute_start+0xb0/0xb0
> > [   99.925755]  ? kthread_park+0x80/0x80
> > [   99.926546]  ret_from_fork+0x1f/0x30
> > [   99.927399] Modules linked in:
> > [   99.928152] CR2: 0000000000000000
> > [   99.928882] ---[ end trace 577d1af3066a9585 ]---
> 
> Does this always happen in a worker thread? Does this therefore mean
> that this is not exploitable by a local user even if vm.mmap_min_addr
> and SMEP/SMAP are disabled, since the user can't mmap zero page in the
> worker thread context?
> 
> >
> > Best regards,
> > Vladis Dronov | Red Hat, Inc. | The Core Kernel | Senior Software Engineer

Download attachment "signature.asc" of type "application/pgp-signature" (837 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.