Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <CAA4i3gZUAwBc_ieNHF5qJOiQWBmmqxuqwQLthWj1aa8BkDRWkw@mail.gmail.com>
Date: Tue, 23 May 2017 18:46:45 +0000
From: Roee Hay <roeehay@...il.com>
To: oss-security@...ts.openwall.com
Subject: Linux lp.c Out-of-Bounds Write via Kernel Command-line (CVE-2017-1000363)

Details
=======
Due to a missing bounds check in the lp driver, and the fact that
parport_ptr integer is static, a kernel command-line adversary (can happen
due to bootloader vulnerabilities in Secure Boot environments, e.g. Nexus
6's CVE-2016-10277) can overflow the parport_nr array in the following
code, by appending many (>LP_NO) lp=none arguments to the command line.
CONFIG_PRINTER=y is required.

static int parport_nr[LP_NO] = { [0 ... LP_NO-1] = LP_PARPORT_UNSPEC };
static char *parport[LP_NO];
[...]
#ifndef MODULE
static int __init lp_setup (char *str)
{
static int parport_ptr;
[...]
} else if (!strncmp(str, "parport", 7)) {
    int n = simple_strtoul(str+7, NULL, 10);
    if (parport_ptr < LP_NO)
        parport_nr[parport_ptr++] = n;
    else
        printk(KERN_INFO "lp: too many ports, %s ignored.\n",
               str);
} else if (!strcmp(str, "auto")) {
    parport_nr[0] = LP_PARPORT_AUTO;
} else if (!strcmp(str, "none")) {
    parport_nr[parport_ptr++] = LP_PARPORT_NONE;
[...]
#endif
[...]
__setup("lp=", lp_setup);


Vulnerable:
=======
Linux 4.x (4.12-rc1 and below)
Linux 3.x
Linux 2.6.x
Linux 2.4.x
Linux 2.2.x

Patch:
======
https://github.com/torvalds/linux/commit/3e21f4af170bebf47c187c1ff8bf155583c9f3b1


Timeline:
=========
23-May-17: Public disclosure.
22-May-17: Patch available (Linux mainline 4.12-rc2).
17-May-17: CVE-2017-1000363 assigned by Kurt Seifried, Red Hat Product
Security.
16-May-17: Patch available (Linux Char/Misc drivers development tree).
16-May-17: Reported.

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.