Message-ID: <CAA4i3gZUAwBc_ieNHF5qJOiQWBmmqxuqwQLthWj1aa8BkDRWkw@mail.gmail.com>
Date: Tue, 23 May 2017 18:46:45 +0000
From: Roee Hay <roeehay@...il.com>
To: oss-security@...ts.openwall.com
Subject: Linux lp.c Out-of-Bounds Write via Kernel Command-line (CVE-2017-1000363)

Details
=======

Due to a missing bounds check in the lp driver, and the fact that the parport_ptr integer is static, a kernel command-line adversary (a position reachable through bootloader vulnerabilities in Secure Boot environments, e.g. Nexus 6's CVE-2016-10277) can overflow the parport_nr array in the following code by appending many (>LP_NO) lp=none arguments to the command line. CONFIG_PRINTER=y is required.

static int parport_nr[LP_NO] = { [0 ... LP_NO-1] = LP_PARPORT_UNSPEC };
static char *parport[LP_NO];

[...]

#ifndef MODULE
static int __init lp_setup (char *str)
{
	static int parport_ptr;

	[...]
	} else if (!strncmp(str, "parport", 7)) {
		int n = simple_strtoul(str+7, NULL, 10);
		if (parport_ptr < LP_NO)
			parport_nr[parport_ptr++] = n;
		else
			printk(KERN_INFO "lp: too many ports, %s ignored.\n", str);
	} else if (!strcmp(str, "auto")) {
		parport_nr[0] = LP_PARPORT_AUTO;
	} else if (!strcmp(str, "none")) {
		parport_nr[parport_ptr++] = LP_PARPORT_NONE;
	[...]
#endif

[...]

__setup("lp=", lp_setup);

Vulnerable:
===========

Linux 4.x (4.12-rc1 and below)
Linux 3.x
Linux 2.6.x
Linux 2.4.x
Linux 2.2.x

Patch:
======

https://github.com/torvalds/linux/commit/3e21f4af170bebf47c187c1ff8bf155583c9f3b1

Timeline:
=========

23-May-17: Public disclosure.
22-May-17: Patch available (Linux mainline 4.12-rc2).
17-May-17: CVE-2017-1000363 assigned by Kurt Seifried, Red Hat Product Security.
16-May-17: Patch available (Linux Char/Misc drivers development tree).
16-May-17: Reported.
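The defect above is that the "none" branch advances parport_ptr without the `parport_ptr < LP_NO` check the "parport" branch already has. As an added illustration, not the kernel's code and not part of the advisory, the following userspace simulation mirrors the lp= parser with every write through parport_ptr guarded and walks a constructed command line the way the __setup handler would see its arguments. LP_NO and the LP_PARPORT_* values are assumed to match the driver's header, strtoul stands in for simple_strtoul, and lp_apply_cmdline, lp_ignored, lp_slot and lp_reset are hypothetical helpers.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed to match include/linux/lp.h; treat as illustrative constants. */
#define LP_NO 8
#define LP_PARPORT_UNSPEC (-4)
#define LP_PARPORT_AUTO   (-3)
#define LP_PARPORT_NONE   (-1)

/* Simulated driver state (userspace stand-in, not the kernel's own). */
static int parport_nr[LP_NO];
static int parport_ptr;   /* a function-static in the real lp_setup() */
static int ignored_args;  /* how many lp= values the bounds check dropped */

static void lp_reset(void)
{
	for (int i = 0; i < LP_NO; i++)
		parport_nr[i] = LP_PARPORT_UNSPEC;
	parport_ptr = 0;
	ignored_args = 0;
}

/* Hardened equivalent of lp_setup(): both branches that advance
 * parport_ptr compare it against LP_NO first, so no number of lp=
 * values can write past the end of parport_nr.
 * Returns 1 if the value was recognised, 0 otherwise. */
static int lp_setup_hardened(const char *str)
{
	if (!strncmp(str, "parport", 7)) {
		int n = (int)strtoul(str + 7, NULL, 10); /* simple_strtoul stand-in */
		if (parport_ptr < LP_NO)
			parport_nr[parport_ptr++] = n;
		else
			ignored_args++; /* kernel: printk "too many ports" */
	} else if (!strcmp(str, "auto")) {
		parport_nr[0] = LP_PARPORT_AUTO;
	} else if (!strcmp(str, "none")) {
		if (parport_ptr < LP_NO) /* the check the vulnerable code lacked */
			parport_nr[parport_ptr++] = LP_PARPORT_NONE;
		else
			ignored_args++;
	} else {
		return 0;
	}
	return 1;
}

/* Hypothetical helper: walk a space-separated command line and hand
 * every lp=<value> argument to the parser, as __setup("lp=", ...) would.
 * Returns the number of slots filled (the final parport_ptr). */
static int lp_apply_cmdline(const char *cmdline)
{
	const char *p = cmdline;

	while (*p) {
		while (*p == ' ')
			p++;
		if (!*p)
			break;
		const char *start = p;
		while (*p && *p != ' ')
			p++;
		size_t len = (size_t)(p - start);
		char tok[64];
		if (len >= sizeof tok)
			continue; /* overlong token: ignored in this simulation */
		memcpy(tok, start, len);
		tok[len] = '\0';
		if (!strncmp(tok, "lp=", 3))
			lp_setup_hardened(tok + 3);
	}
	return parport_ptr;
}

static int lp_ignored(void) { return ignored_args; }
static int lp_slot(int i)
{
	return (i >= 0 && i < LP_NO) ? parport_nr[i] : LP_PARPORT_UNSPEC;
}

int main(void)
{
	/* Constructed command line with more lp= values than LP_NO slots. */
	const char *cmdline =
		"root=/dev/sda1 lp=parport0 lp=none lp=none lp=none lp=none "
		"lp=none lp=none lp=none lp=none lp=none";
	lp_reset();
	int filled = lp_apply_cmdline(cmdline);
	printf("slots filled: %d, values dropped: %d\n", filled, lp_ignored());
	for (int i = 0; i < LP_NO; i++)
		printf("parport_nr[%d] = %d\n", i, lp_slot(i));
	return 0;
}
```

With the guard in place, surplus lp=none values are counted and dropped instead of being written past parport_nr; the upstream fix referenced in the Patch section applies the same check in the driver itself.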