oss-sec mailing list archives
Linux lp.c Out-of-Bounds Write via Kernel Command-line (CVE-2017-1000363)
From: Roee Hay <roeehay () gmail com>
Date: Tue, 23 May 2017 18:46:45 +0000
Details ======= Due to a missing bounds check in the lp driver, and the fact that parport_ptr integer is static, a kernel command-line adversary (can happen due to bootloader vulnerabilities in Secure Boot environments, e.g. Nexus 6's CVE-2016-10277) can overflow the parport_nr array in the following code, by appending many (>LP_NO) lp=none arguments to the command line. CONFIG_PRINTER=y is required. static int parport_nr[LP_NO] = { [0 ... LP_NO-1] = LP_PARPORT_UNSPEC }; static char *parport[LP_NO]; [...] #ifndef MODULE static int __init lp_setup (char *str) { static int parport_ptr; [...] } else if (!strncmp(str, "parport", 7)) { int n = simple_strtoul(str+7, NULL, 10); if (parport_ptr < LP_NO) parport_nr[parport_ptr++] = n; else printk(KERN_INFO "lp: too many ports, %s ignored.\n", str); } else if (!strcmp(str, "auto")) { parport_nr[0] = LP_PARPORT_AUTO; } else if (!strcmp(str, "none")) { parport_nr[parport_ptr++] = LP_PARPORT_NONE; [...] #endif [...] __setup("lp=", lp_setup); Vulnerable: ======= Linux 4.x (4.12-rc1 and below) Linux 3.x Linux 2.6.x Linux 2.4.x Linux 2.2.x Patch: ====== https://github.com/torvalds/linux/commit/3e21f4af170bebf47c187c1ff8bf155583c9f3b1 Timeline: ========= 23-May-17: Public disclosure. 22-May-17: Patch available (Linux mainline 4.12-rc2). 17-May-17: CVE-2017-1000363 assigned by Kurt Seifried, Red Hat Product Security. 16-May-17: Patch available (Linux Char/Misc drivers development tree). 16-May-17: Reported.
Current thread:
- Linux lp.c Out-of-Bounds Write via Kernel Command-line (CVE-2017-1000363) Roee Hay (May 23)