oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: CVE-2017-17712 net/ipv4/raw.c: raw_sendmsg() race condition

From: Alexander Popov <alex.popov () linux com>
Date: Tue, 20 Feb 2018 12:45:13 +0300
Hello Mohamed,

On 16.12.2017 03:29, Mohamed Ghannam wrote:

Hi,

This is an announcement for CVE-2017-17712 which is a race condition leads to
uninitialized stack variable, this might be used to gain code execution.

The bug was introduced  here
: 
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=c008ba5bdc9fa830e1a349b20b0be5a137bdef7a

And fixed here :
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=8f659a03a0ba9289b9aeb9b4470e6fb263d6f483


Thanks a lot for your report, PoC and patch fixing the issue. Really great!

The exploitation of this kind of vulnerabilities should be blocked by STACKLEAK.

STACKLEAK is a Linux kernel hardening feature initially developed by
Grsecurity/PaX. I'm doing my best to introduce it to the mainline kernel:
http://www.openwall.com/lists/kernel-hardening/2018/02/16/2


By spraying the stack with controlled user data , we can take control of msg
pointer which is used later in ip_append_data().


I've tested your PoC against the kernel with STACKLEAK. The msg pointer is now
initialized with STACKLEAK_POISON (-0xBEEF), which points to the unused hole in
the virtual memory map.

So the access to msg->msg_iter gives the following:

[    8.806868] BUG: unable to handle kernel paging request at ffffffffffff4121
[    8.807738] IP: csum_and_copy_from_iter_full+0x2d/0x400
[    8.807738] PGD 220c067 P4D 220c067 PUD 220e067 PMD 0
[    8.807738] Oops: 0000 [#1] SMP PTI
[    8.807738] Dumping ftrace buffer:
[    8.807738]    (ftrace buffer empty)
[    8.807738] Modules linked in:
[    8.807738] CPU: 0 PID: 2893 Comm: poc Not tainted 4.16.0-rc1+ #4
[    8.807738] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
Ubuntu-1.8.2-1ubuntu1 04/01/2014
[    8.807738] RIP: 0010:csum_and_copy_from_iter_full+0x2d/0x400
[    8.807738] RSP: 0018:ffffc900015679c0 EFLAGS: 00010246
[    8.807738] RAX: 0000000000000000 RBX: 0000000000006400 RCX: ffffffffffff4121
[    8.807738] RDX: ffffc90001567a44 RSI: 0000000000006400 RDI: ffff88003d398024
[    8.807738] RBP: ffffffffffff4111 R08: 0000000000000000 R09: ffff88003d0291c0
[    8.807738] R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000000
[    8.807738] R13: ffffffffffff4121 R14: 0000000000006400 R15: ffff88003d2e6b10
[    8.807738] FS:  00007f671dff4700(0000) GS:ffff88003ec00000(0000)
knlGS:0000000000000000
[    8.807738] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[    8.807738] CR2: ffffffffffff4121 CR3: 000000003e044000 CR4: 00000000000006f0
[    8.807738] Call Trace:
[    8.807738]  ? __kmalloc_reserve.isra.41+0x32/0x80
[    8.807738]  ip_generic_getfrag+0x84/0xc0
[    8.807738]  __ip_append_data.isra.48+0x69c/0x8a0
[    8.807738]  ? raw_destroy+0x20/0x20
[    8.807738]  ? raw_destroy+0x20/0x20
[    8.807738]  ip_append_data.part.50+0x6f/0xd0
[    8.807738]  raw_sendmsg+0x432/0xa30
[    8.807738]  ? _copy_from_user+0x44/0x70
[    8.807738]  ? rw_copy_check_uvector+0x5b/0x110
[    8.807738]  sock_sendmsg+0x37/0x40
[    8.807738]  ___sys_sendmsg+0x269/0x2c0
[    8.807738]  ? __sys_sendmsg+0x55/0x90
[    8.807738]  __sys_sendmsg+0x55/0x90
[    8.807738]  do_syscall_64+0x63/0x120
[    8.807738]  entry_SYSCALL_64_after_hwframe+0x21/0x86
[    8.807738] RIP: 0033:0x7f6780c68e90
[    8.807738] RSP: 002b:00007f671dff3f00 EFLAGS: 00000293 ORIG_RAX:
000000000000002e
[    8.807738] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f6780c68e90
[    8.807738] RDX: 0000000000000000 RSI: 0000000001ec6010 RDI: 0000000000000003
[    8.807738] RBP: 0000000001ec6010 R08: 0000000000000000 R09: 00007f671dff4700
[    8.807738] R10: 00007f671dff3f40 R11: 0000000000000293 R12: 0000000000000000
[    8.807738] R13: 00007ffcbe8d1c9f R14: 0000000000000000 R15: 00007f6781099040
[    8.807738] Code: 41 56 49 89 f6 41 55 41 54 49 89 cd 55 53 48 83 ec 48 65 48
8b 04 25 28 00 00 00 48 89 44 24 40 31 c0 48 89 7c 24 08 48 89 14 24 <41> 8b 45
00 a8 08 0f 85 58 01 00 00 4d 39 75 10 72 79 48 8b 3c
[    8.807738] RIP: csum_and_copy_from_iter_full+0x2d/0x400 RSP: ffffc900015679c0
[    8.807738] CR2: ffffffffffff4121
[    8.807738] ---[ end trace d60ea40e033c90b3 ]---


Do you think the attacker is able to bypass it?
Thanks a lot again!

Best regards,
Alexander
Previous By Date Next
Previous By Thread Next

Current thread: