Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAFcO6XMiLJqwy=QW0Mv-yruhytSFRwb3yJsdMRVg3Gghm_5u7g@mail.gmail.com>
Date: Wed, 25 Aug 2021 10:40:29 +0800
From: butt3rflyh4ck <butterflyhuangxx@...il.com>
To: oss-security@...ts.openwall.com
Subject: Linux kernel: qrtr: another out-of-bound Read in
 qrtr_endpoint_post in net/qrtr/qrtr.c

Hi, There was another out-of-bound read bug in qrtr_endpoint_post in
net/qrtr/qrtr.c in 5.14.0-rc6+ and reproduced it.

This check in  qrtr_endpoint_post was incomplete, did not consider size is 0:
```
if (len != ALIGN(size, 4) + hdrlen)
                goto err;
```
if size from qrtr_hdr is 0, the result of ALIGN(size, 4) will be 0,
In case of len == hdrlen and size == 0 in header this check won't fail and
```
 if (cb->type == QRTR_TYPE_NEW_SERVER) { /* Remote node endpoint can
bridge other distant nodes */
             const struct qrtr_ctrl_pkt *pkt = data + hdrlen;
             qrtr_node_assign(node, le32_to_cpu(pkt->server.node));
 }
```
will also read out of bound from data, which is hdrlen allocated block.


#analyze and some details
https://lists.openwall.net/netdev/2021/08/17/124

#patch
https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/commit/?id=7e78c597c3eb
now not available upstream.

#Timeline
*2021/8/17 - Vulnerability reported to netdev@...r.kernel.org.
*2021/8/20 - Vulnerability confirmed and patched.
*2021/8/23 - Vulnerability reported to secalert@...hat.com.
*2021/8/25 - Opened on oss-security@...ts.openwall.com.

#Credit
Active Defense Lab of Venustech.


Regards,
 butt3rflyh4ck.

--
Active Defense Lab of Venustech

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.