oss-sec mailing list archives
Re: CVE-2017-17712 net/ipv4/raw.c: raw_sendmsg() race condition
From: Alexander Popov <alex.popov () linux com>
Date: Tue, 20 Feb 2018 12:45:13 +0300
Hello Mohamed,

On 16.12.2017 03:29, Mohamed Ghannam wrote:
> Hi,
>
> This is an announcement for CVE-2017-17712, which is a race condition that leads to an uninitialized stack variable; this might be used to gain code execution.
>
> The bug was introduced here:
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=c008ba5bdc9fa830e1a349b20b0be5a137bdef7a
>
> And fixed here:
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=8f659a03a0ba9289b9aeb9b4470e6fb263d6f483
Thanks a lot for your report, PoC and patch fixing the issue. Really great!

The exploitation of this kind of vulnerability should be blocked by STACKLEAK. STACKLEAK is a Linux kernel hardening feature initially developed by Grsecurity/PaX. I'm doing my best to introduce it to the mainline kernel:
http://www.openwall.com/lists/kernel-hardening/2018/02/16/2
> By spraying the stack with controlled user data, we can take control of the msg pointer, which is used later in ip_append_data().
I've tested your PoC against the kernel with STACKLEAK. The msg pointer is now initialized with STACKLEAK_POISON (-0xBEEF), which points to the unused hole in the virtual memory map. So the access to msg->msg_iter gives the following:

[ 8.806868] BUG: unable to handle kernel paging request at ffffffffffff4121
[ 8.807738] IP: csum_and_copy_from_iter_full+0x2d/0x400
[ 8.807738] PGD 220c067 P4D 220c067 PUD 220e067 PMD 0
[ 8.807738] Oops: 0000 [#1] SMP PTI
[ 8.807738] Dumping ftrace buffer:
[ 8.807738] (ftrace buffer empty)
[ 8.807738] Modules linked in:
[ 8.807738] CPU: 0 PID: 2893 Comm: poc Not tainted 4.16.0-rc1+ #4
[ 8.807738] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[ 8.807738] RIP: 0010:csum_and_copy_from_iter_full+0x2d/0x400
[ 8.807738] RSP: 0018:ffffc900015679c0 EFLAGS: 00010246
[ 8.807738] RAX: 0000000000000000 RBX: 0000000000006400 RCX: ffffffffffff4121
[ 8.807738] RDX: ffffc90001567a44 RSI: 0000000000006400 RDI: ffff88003d398024
[ 8.807738] RBP: ffffffffffff4111 R08: 0000000000000000 R09: ffff88003d0291c0
[ 8.807738] R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000000
[ 8.807738] R13: ffffffffffff4121 R14: 0000000000006400 R15: ffff88003d2e6b10
[ 8.807738] FS: 00007f671dff4700(0000) GS:ffff88003ec00000(0000) knlGS:0000000000000000
[ 8.807738] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 8.807738] CR2: ffffffffffff4121 CR3: 000000003e044000 CR4: 00000000000006f0
[ 8.807738] Call Trace:
[ 8.807738] ? __kmalloc_reserve.isra.41+0x32/0x80
[ 8.807738] ip_generic_getfrag+0x84/0xc0
[ 8.807738] __ip_append_data.isra.48+0x69c/0x8a0
[ 8.807738] ? raw_destroy+0x20/0x20
[ 8.807738] ? raw_destroy+0x20/0x20
[ 8.807738] ip_append_data.part.50+0x6f/0xd0
[ 8.807738] raw_sendmsg+0x432/0xa30
[ 8.807738] ? _copy_from_user+0x44/0x70
[ 8.807738] ? rw_copy_check_uvector+0x5b/0x110
[ 8.807738] sock_sendmsg+0x37/0x40
[ 8.807738] ___sys_sendmsg+0x269/0x2c0
[ 8.807738] ? __sys_sendmsg+0x55/0x90
[ 8.807738] __sys_sendmsg+0x55/0x90
[ 8.807738] do_syscall_64+0x63/0x120
[ 8.807738] entry_SYSCALL_64_after_hwframe+0x21/0x86
[ 8.807738] RIP: 0033:0x7f6780c68e90
[ 8.807738] RSP: 002b:00007f671dff3f00 EFLAGS: 00000293 ORIG_RAX: 000000000000002e
[ 8.807738] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f6780c68e90
[ 8.807738] RDX: 0000000000000000 RSI: 0000000001ec6010 RDI: 0000000000000003
[ 8.807738] RBP: 0000000001ec6010 R08: 0000000000000000 R09: 00007f671dff4700
[ 8.807738] R10: 00007f671dff3f40 R11: 0000000000000293 R12: 0000000000000000
[ 8.807738] R13: 00007ffcbe8d1c9f R14: 0000000000000000 R15: 00007f6781099040
[ 8.807738] Code: 41 56 49 89 f6 41 55 41 54 49 89 cd 55 53 48 83 ec 48 65 48 8b 04 25 28 00 00 00 48 89 44 24 40 31 c0 48 89 7c 24 08 48 89 14 24 <41> 8b 45 00 a8 08 0f 85 58 01 00 00 4d 39 75 10 72 79 48 8b 3c
[ 8.807738] RIP: csum_and_copy_from_iter_full+0x2d/0x400 RSP: ffffc900015679c0
[ 8.807738] CR2: ffffffffffff4121
[ 8.807738] ---[ end trace d60ea40e033c90b3 ]---

Do you think the attacker is able to bypass it?

Thanks a lot again!

Best regards,
Alexander
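The mechanism Alexander describes (a stack spray leaves attacker data where a later syscall's uninitialized `msg` pointer lives; STACKLEAK overwrites the used part of the kernel stack with STACKLEAK_POISON on the way back to user space, so the stale pointer becomes -0xBEEF and the `msg->msg_iter` read faults in the unused hole at the top of the address space), modelled as an added user-space example. This is editor-added C, not code from the thread, from Mohamed's PoC or from the kernel's STACKLEAK implementation. The tiny stack model (`struct kstack`, `STACK_WORDS`, the spray and erase helpers) and `struct msghdr_head` are constructed for illustration; the poison value and the fault address 0xffffffffffff4121 are the ones quoted in the oops above, and the hole boundary 0xffffffffffe00000 is taken from my reading of Documentation/x86/x86_64/mm.txt and should be checked against your kernel version.

```c
/* Editor-added example, not code from this thread or from the kernel.
 * Models what STACKLEAK does to an uninitialized stack pointer and why
 * the oops above faults at ffffffffffff4121.  The stack model and
 * msghdr_head are constructed for illustration. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

#define STACKLEAK_POISON   (-0xBEEFL)   /* poison value named in the mail */
#define STACK_WORDS        64           /* constructed: tiny model of a kernel stack */

/* One task's kernel stack.  Real stacks grow down: index STACK_WORDS-1 is
 * the top, index 0 the bottom.  'lowest' records the deepest slot touched
 * since the last erase, playing the role of STACKLEAK's lowest_stack mark. */
struct kstack {
    uint64_t words[STACK_WORDS];
    size_t   lowest;
};

static void kstack_init(struct kstack *s)
{
    memset(s->words, 0, sizeof s->words);
    s->lowest = STACK_WORDS;
}

/* A syscall that, like the spray described in the thread, fills 'depth'
 * words of the stack with data copied from user space. */
static void syscall_spray(struct kstack *s, size_t depth, uint64_t user_value)
{
    size_t top = STACK_WORDS - depth;
    for (size_t i = top; i < STACK_WORDS; i++)
        s->words[i] = user_value;
    if (top < s->lowest)
        s->lowest = top;
}

/* What STACKLEAK does on the return-to-user-space path: overwrite every
 * word used since the last erase with the poison, then reset the mark. */
static void stackleak_erase(struct kstack *s)
{
    for (size_t i = s->lowest; i < STACK_WORDS; i++)
        s->words[i] = (uint64_t)STACKLEAK_POISON;
    s->lowest = STACK_WORDS;
}

/* The bug pattern: a later syscall reads a pointer-sized local it never
 * initialized.  Without erasing, the value is whatever the previous
 * syscall left 'slot' words below the top of the stack. */
static uint64_t syscall_read_uninit_local(const struct kstack *s, size_t slot)
{
    return s->words[STACK_WORDS - slot];
}

/* Leading fields of the kernel's struct msghdr as assumed here
 * (void *msg_name; int msg_namelen; then msg_iter).  The oops itself
 * supports the 0x10 offset: CR2 (ffffffffffff4121) - RBP (ffffffffffff4111). */
struct msghdr_head {
    void    *msg_name;
    int      msg_namelen;
    uint64_t msg_iter;   /* stands in for the first word of struct iov_iter */
};

/* Address a poisoned 'msg' pointer touches when reading the field at
 * 'field_offset'. */
static uint64_t poisoned_deref_address(size_t field_offset)
{
    return (uint64_t)STACKLEAK_POISON + field_offset;
}

/* True if 'addr' lies in the unused hole at the very top of the x86-64
 * kernel map (ffffffffffe00000-ffffffffffffffff per my reading of
 * Documentation/x86/x86_64/mm.txt; assumption, verify for your kernel). */
static bool in_top_unused_hole(uint64_t addr)
{
    return addr >= 0xffffffffffe00000ULL;
}

int main(void)
{
    struct kstack s;
    kstack_init(&s);

    syscall_spray(&s, 16, 0x4141414141414141ULL);       /* attacker-controlled spray */
    printf("no erase : uninit local = %#llx\n",
           (unsigned long long)syscall_read_uninit_local(&s, 8));

    stackleak_erase(&s);                                /* return to user space */
    printf("STACKLEAK: uninit local = %#llx\n",
           (unsigned long long)syscall_read_uninit_local(&s, 8));

    uint64_t fault = poisoned_deref_address(offsetof(struct msghdr_head, msg_iter));
    printf("msg->msg_iter via poisoned msg -> %#llx (in unused hole: %s)\n",
           (unsigned long long)fault, in_top_unused_hole(fault) ? "yes" : "no");
    return 0;
}
```

The model keeps only the two properties that matter for this bug: the erase covers everything the previous syscall touched (so the sprayed value is gone regardless of how deep the spray went), and the poison is a value that faults on dereference rather than a zero that might silently point at a mapped page. The real STACKLEAK tracks the low-water mark with compiler instrumentation in function prologues and erases on the syscall-exit path; the question Alexander raises, whether an attacker can still bypass it, turns on whether the uninitialized local can be reached on a path that does not cross an erase.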
Current thread:
- Re: CVE-2017-17712 net/ipv4/raw.c: raw_sendmsg() race condition Alexander Popov (Feb 20)
- Re: CVE-2017-17712 net/ipv4/raw.c: raw_sendmsg() race condition Mohamed Ghannam (Feb 20)