Message-ID: <BY2PR15MB0728301B880CC40FFD658066E98A0@BY2PR15MB0728.namprd15.prod.outlook.com>
Date: Wed, 16 Mar 2016 03:00:00 +0000
From: Justin Yackoski <jyackoski@...pto-nite.com>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
Subject: CVE-2016-2117 memory disclosure to ethernet due to unchecked scatter/gather IO
CVE-2016-2117 memory disclosure to ethernet due to unchecked scatter/gather IO
Affects:
In-tree Linux ethernet drivers:
atheros/atlx/atl2.c confirmed in versions 3.8 through 4.5 (possibly earlier)
* see description for more details on other, potentially less severe, impacts
Description:
When scatter/gather IO is enabled (NETIF_F_SG), the ethernet driver may be passed a
list of buffers containing the packet to be sent, rather than a single contiguous buffer,
in order to improve performance. If a driver claims to support scatter/gather but does
a simple memcpy, dma_map_single, or similar call from skb->data for skb->len bytes, the result
is that the outgoing packet is sent containing the first (linear) fragment in full, followed by
whatever kernel memory sat at the end of that first fragment. This data is likely to be
data from other skb's, but other sensitive data has been seen. If hardware
checksumming is enabled, the resulting ethernet frame will be valid apart from containing
the disclosed memory.
This bug is remotely exploitable in the atl2 driver whenever scatter/gather IO is triggered,
which can be done from some common applications (pcap samples available upon request).
Note that this bug was originally found in an out-of-tree driver (CVE-2016-2553), and may
go unnoticed in similar drivers until the right conditions for scatter/gather IO are hit.
Apart from the atl2 driver, which can be remotely exploited, other in-tree drivers are not
remotely exploitable, but a local privileged user with access to kernel runtime memory
may be able to cause a driver that does not check for skb fragments to behave
improperly.
Mitigation:
1) If using the atl2 driver, run the following at each boot (not confirmed due to lack of hardware
availability):
ethtool -K <ethX> sg off
2) For other drivers that don't expect scatter/gather, ensure appropriate local permissions.
Recommended fixes:
1) remove NETIF_F_SG from atl2.c
2) if an ethernet driver does not handle scatter/gather, consider a run-time check for
fragments in the ndo_start_xmit handler rather than a compile-time assumption, for maximum
security.
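The following is an added example, not code from the advisory, the atl2 driver or the kernel. It models the two xmit patterns described above against a cut-down stand-in for struct sk_buff (only data, len, data_len and a frag list are kept, with the same meaning as in the kernel: skb_headlen = len - data_len is the linear part). The 14-byte header, the 'P' payload fragment and the 'S' bytes that sit in memory right after the linear buffer are constructed sample data; the 'S' bytes stand in for whatever the kernel happened to allocate next to the skb head. xmit_buggy copies skb->len bytes from skb->data and so emits the 'S' bytes on the wire; xmit_fixed is the run-time fragment check recommended in fix 2.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_FRAGS 4
#define FRAME_MAX 256
#define HDR_LEN 14      /* Ethernet header in the linear area */
#define PAYLOAD_LEN 32  /* payload carried in one page fragment */

/* Minimal model of the parts of struct sk_buff the bug involves (assumption:
 * field names match the kernel, everything else is omitted). */
struct frag {
    const uint8_t *addr;
    unsigned int len;
};

struct sk_buff {
    uint8_t *data;          /* start of the linear (header) area */
    unsigned int len;       /* total packet length: linear + all fragments */
    unsigned int data_len;  /* bytes held in frags[], 0 for a linear skb */
    unsigned int nr_frags;
    struct frag frags[MAX_FRAGS];
};

static unsigned int skb_headlen(const struct sk_buff *skb) { return skb->len - skb->data_len; }
static int skb_is_nonlinear(const struct sk_buff *skb) { return skb->data_len != 0; }

/* Buggy pattern from the advisory: NETIF_F_SG is advertised but the driver
 * treats the packet as contiguous. When data_len > 0 this reads
 * data_len bytes past the linear buffer and puts them in the frame. */
unsigned int xmit_buggy(const struct sk_buff *skb, uint8_t *frame)
{
    memcpy(frame, skb->data, skb->len);
    return skb->len;
}

/* Fixed pattern: copy only the linear part, then walk the fragments if any.
 * Returns bytes placed in the frame, or 0 if the packet does not fit. */
unsigned int xmit_fixed(const struct sk_buff *skb, uint8_t *frame)
{
    unsigned int off = skb_headlen(skb);
    if (skb->len > FRAME_MAX)
        return 0;
    memcpy(frame, skb->data, off);
    if (skb_is_nonlinear(skb)) {
        for (unsigned int i = 0; i < skb->nr_frags; i++) {
            memcpy(frame + off, skb->frags[i].addr, skb->frags[i].len);
            off += skb->frags[i].len;
        }
    }
    return off;  /* equals skb->len for a consistent skb */
}

/* Constructed sample: header in linear[], 'S' bytes immediately after it in
 * the same allocation (the adjacent-memory stand-in), payload in a fragment. */
struct sample {
    uint8_t linear[HDR_LEN + PAYLOAD_LEN];
    uint8_t payload[PAYLOAD_LEN];
    struct sk_buff skb;
};

static void build_sample(struct sample *s)
{
    memset(s->linear, 0, HDR_LEN);
    s->linear[12] = 0x08; s->linear[13] = 0x00;      /* ethertype IPv4 */
    memset(s->linear + HDR_LEN, 'S', PAYLOAD_LEN);   /* not part of the packet */
    memset(s->payload, 'P', PAYLOAD_LEN);
    s->skb.data = s->linear;
    s->skb.len = HDR_LEN + PAYLOAD_LEN;
    s->skb.data_len = PAYLOAD_LEN;
    s->skb.nr_frags = 1;
    s->skb.frags[0].addr = s->payload;
    s->skb.frags[0].len = PAYLOAD_LEN;
}

/* Assembles a frame with the chosen xmit path and returns how many bytes of
 * the frame came from adjacent memory ('S') rather than the packet. */
int leaked_bytes(int use_fixed)
{
    struct sample s;
    uint8_t frame[FRAME_MAX];
    build_sample(&s);
    unsigned int n = use_fixed ? xmit_fixed(&s.skb, frame) : xmit_buggy(&s.skb, frame);
    int leaked = 0;
    for (unsigned int i = HDR_LEN; i < n; i++)
        if (frame[i] == 'S')
            leaked++;
    return leaked;
}

int main(void)
{
    printf("buggy xmit leaks %d bytes of adjacent memory\n", leaked_bytes(0));
    printf("fixed xmit leaks %d bytes of adjacent memory\n", leaked_bytes(1));
    return 0;
}
```

The point of the model is that both paths produce a frame of the right length with a correct header, so nothing on the receiving side flags it; only the payload differs. The check in xmit_fixed is what fix 2 asks for: a driver that would rather not walk fragments can instead reject or linearize a nonlinear skb at this point, and fix 1 (not advertising NETIF_F_SG at all) keeps the stack from ever handing it one.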
Patches:
None available currently; for atl2, simply remove the NETIF_F_SG flag from the
hw_features of the net device structure.
Credits:
Justin Yackoski @ Cryptonite