Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Tue, 15 Jun 2021 22:33:18 +0200
From: Norbert Slusarek <nslusarek@....net>
To: oss-security@...ts.openwall.com
Cc: socketcan@...tkopp.net, mkl@...gutronix.de, menschel.p@...teo.de
Subject: CVE-2021-34693: Infoleak in CAN BCM protocol in Linux kernel

Hello,

this is an announcement for recently reported infoleaks in the CAN BCM
networking protocol in the Linux kernel.

The vulnerability has been assigned CVE-2021-34693 and was found in kernels
ranging from 2.6.25-rc1 to 5.12.10.

The infoleak can be found in struct bcm_msg_head, which is a structure used to
describe CAN BCM messages. Due to an automatically introduced padding,
the structure contains a 4-byte hole which is never initialized. The 4-byte hole
will contain data from the kernel stack as the structure is allocated on the
stack. Depending on the architecture, the leak happens at different places
within the structure.

On 64-bit systems,
the 4-byte hole can be found between struct members count and ival1.
In this case, kernel addresses can be partially revealed.

On 32-bit systems,
the 4-byte hole can be found between struct members nframes and frames[0].
In this case, kernel addresses can be fully revealed, resulting in a feasible
KASLR bypass.

The leak can be reached by an unprivileged user by
reproducing the following steps:

- open and connect a CAN BCM socket
- sendmsg() with RX_SETUP on socket to setup CAN BCM message receiver
- message will be received by the message receiver, packed with struct
  bcm_msg_head and queued for reception
- recvmsg() to receive the message, finally leaking the uninitialized bytes to
  userspace

The patch can be found in the link below or in the attachments.
https://lore.kernel.org/netdev/trinity-87eaea25-2a7d-4aa9-92a5-269b822e5d95-1623609211076@3c-app-gmx-bs04/T/#me01c68ad3b6784f533f1b1509c95943bb5911457

A short PoC can be found in the link below or in the attachments.
https://github.com/nrb547/kernel-exploitation/tree/main/cve-2021-34693

Credits go out to Norbert Slusarek and Patrick Menschel.

View attachment "0001-fix-infoleak.patch" of type "text/x-patch" (1851 bytes)

View attachment "poc.c" of type "text/plain" (1543 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.