|
Message-ID: <Y3tVWDWwK6b5a3c6@quatroqueijos.cascardo.eti.br> Date: Mon, 21 Nov 2022 07:39:20 -0300 From: Thadeu Lima de Souza Cascardo <cascardo@...onical.com> To: oss-security@...ts.openwall.com Subject: Re: Linux kernel: staging: rtl8712: A Use-after-Free/Double-Free bug in read_bbreg_hdl in drivers/staging/rtl8712/rtl8712_cmd.c On Fri, Nov 18, 2022 at 11:58:55AM +0800, Zheng Hacker wrote: > hi, > This is a bug I've found in linux kernel before 5.19.2, which is > in cmd_hdl_filter in drivers/staging/rtl8712/rtl8712_cmd.c, allows > attacker to launch Local Denial of Service attack and gain escalation > of privileges. > I reported it to linux kernel in 2022.8.29 and the upstream fixed it in > 2022.09.06. Now the patch was opened to the public > > ## Root cause && possible exploit > > This is a uaf / double free bug. Whenrtl8712 wireless networdk adapter > initialized, for example using command "ifconfig wlan0 up", > it calls netdev_open function, which final calls cmd_hdl_filter function. > As we can control the command code, we can trigger the vulnerabiliy. > After pcmd object was freed, we can use msg_msg heap spray to > get the object, and design the layout of it. By controlling the parambuf > address, we can leak infomation to pcmbuf, which will finally write to > adapater's memory. By using msg_msg tech we can also leak the information. > Then in r8712_free_cmd_obj funtion , as we have access to pcmd->parmbuf. Now > we have a Arbitrary Free bug. This is a powerful primitive and there is some > common skill after that. > > ## Fix > > [1] https://lore.kernel.org/all/20220906132823.157986856@linuxfoundation.org/ > [2] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=c53b3dcb9942b8ed7f81ee3921c4085d87070c73 > > ## CVE > > Now no CVE number is assigned for this issue. > This was assigned CVE-2022-4095. Regards. Cascardo. > ## Timeline > > 2022-08-29: reported to security@...nel.org > 2022-08-29: bug confirmed > 2022-09-06: patch it > 2022-09-06: patch released > 2022-09-07: apply for a CVE number in MITRE > 2022-09-29: reported to secalert@...hat.com > 2022-11-18: Announced on oss-security lists. > > ## Credit > > Zheng Wang(@xmzyshypnc) and Zhuorao Yang(@A1ex) > > ## Additional Information > > This is a bug reported to Linux kernel. Although staging driver is not > a so important driver module in Linux. [1] This vulnerability has been > introduced as far as the driver was added in 2010. I've checked the > issue doesn't affect the vendor in the CNA-project list. But this > issue can affect othe company who use it as their rtl8712 adapter > driver module like D-link [2] . I searched the related issue like > CVE-2021-28660. I think its NOTE description(NOTE: from the > perspective of kernel.org releases, CVE IDs are not normally used for > drivers/staging/* (unfinished work); however, system integrators may > have situations in which a drivers/staging issue is relevant to their > own customer base) is very appropriate for my situation. This is a > long-existing issue as far as the driver module was added so I think > it's necessary to assign a CVE number so that anyone using it can fix > the bug. > > [1] https://github.com/torvalds/linux/commit/2865d42c78a9121caad52cb02d1fbb7f5cdbc4ef > [2] https://cateee.net/lkddb/web-lkddb/R8712U.html > > > Best regards, > Zheng Wang
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.