Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <CAJedcCyz-uNq+tyK+BqG0xCD9_WOOC8nta77Up7gaOBs+pfwyA@mail.gmail.com>
Date: Fri, 18 Nov 2022 11:58:55 +0800
From: Zheng Hacker <hackerzheng666@...il.com>
To: oss-security@...ts.openwall.com
Subject: Linux kernel: staging: rtl8712: A Use-after-Free/Double-Free bug in
 read_bbreg_hdl in drivers/staging/rtl8712/rtl8712_cmd.c

hi,
This is a bug I've found in linux kernel before 5.19.2, which is
in cmd_hdl_filter in drivers/staging/rtl8712/rtl8712_cmd.c, allows
attacker to launch Local Denial of Service attack and gain escalation
of privileges.
I reported it to linux kernel in 2022.8.29 and the upstream fixed it in
2022.09.06. Now the patch was opened to the public

## Root cause && possible exploit

This is a uaf / double free bug. Whenrtl8712 wireless networdk adapter
initialized, for example using command "ifconfig wlan0 up",
it calls netdev_open function, which final calls cmd_hdl_filter function.
As we can control the command code, we can trigger the vulnerabiliy.
After pcmd object was freed, we can use msg_msg heap spray to
get the object, and design the layout of it. By controlling the parambuf
address, we can leak infomation to pcmbuf, which will finally write to
adapater's memory. By using msg_msg tech we can also leak the information.
Then in r8712_free_cmd_obj funtion , as we have access to pcmd->parmbuf. Now
we have a Arbitrary Free bug. This is a powerful primitive and there is some
common skill after that.

## Fix

[1] https://lore.kernel.org/all/20220906132823.157986856@linuxfoundation.org/
[2] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=c53b3dcb9942b8ed7f81ee3921c4085d87070c73

## CVE

Now no CVE number is assigned for this issue.

## Timeline

2022-08-29: reported to security@...nel.org
2022-08-29: bug confirmed
2022-09-06: patch it
2022-09-06: patch released
2022-09-07: apply for a CVE number in MITRE
2022-09-29: reported to secalert@...hat.com
2022-11-18: Announced on oss-security lists.

## Credit

Zheng Wang(@xmzyshypnc) and Zhuorao Yang(@A1ex)

## Additional Information

This is a bug reported to Linux kernel. Although staging driver is not
a so important driver module in Linux. [1] This vulnerability has been
introduced as far as the driver was added in 2010. I've checked the
issue doesn't affect the vendor in the CNA-project list. But this
issue can affect othe company who use it as their rtl8712 adapter
driver module like D-link [2] . I  searched the related issue like
CVE-2021-28660. I think its NOTE description(NOTE: from the
perspective of kernel.org releases, CVE IDs are not normally used for
drivers/staging/* (unfinished work); however, system integrators may
have situations in which a drivers/staging issue is relevant to their
own customer base) is very appropriate for my situation.  This is a
long-existing issue as far as the driver module was added so I think
it's necessary to assign a CVE number so that anyone using it can fix
the bug.

[1] https://github.com/torvalds/linux/commit/2865d42c78a9121caad52cb02d1fbb7f5cdbc4ef
[2] https://cateee.net/lkddb/web-lkddb/R8712U.html


Best regards,
Zheng Wang

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.