oss-sec mailing list archives
Re: Linux Kernel: out of bounds array access in dm-ioctl.c
From: John Haxby <john.haxby () oracle com>
Date: Mon, 29 Mar 2021 12:57:46 +0000
On 28 Mar 2021, at 04:47, - Nop <nopitydays () gmail com> wrote:

> Hi,
>
> We found an out of bounds array access bug in drivers/md/dm-ioctl.c, and reproduced it in the latest kernel (v5.11.10).
>
> The root cause of this BUG is: the field "data_size" in function ctl_ioctl is fully controlled by users, and this argument controls the size of kvmalloc in function copy_params. When the data_size is in a range of [0x131,0x138], the allocated memory which is pointed to by the variable "param" used in ioctl "DM_LIST_DEVICES_CMD" is too small, causing an oob bug at line "nl->dev = 0; /* Flags no data */" (https://github.com/torvalds/linux/blob/0d02ec6b3136c73c09e7859f0d0e4e2c4c07b49b/drivers/md/dm-ioctl.c#L538)

DM_LIST_DEVICES_CMD, and in fact any function called from ctl_ioctl, is limited to users with CAP_SYS_ADMIN. Without that root-equivalent privilege I don't see any way to exploit this bug. Did you find a way to exploit it as an unprivileged user?

jch

> Attachments are the poc, kernel config and Kernel report.
>
> The patch: https://github.com/torvalds/linux/commit/4edbe1d7bcffcd6269f3b5eb63f710393ff2ec7a
>
>   * Grab our output buffer. */
>   nl = orig_nl = get_result_buffer(param, param_size, &len);
> - if (len < needed) {
> + if (len < needed || len < sizeof(nl->dev)) {
>   param->flags |= DM_BUFFER_FULL_FLAG;
>   goto out;
>   }
>
> Regards,
> Bodong Zhao of NISL lab, Tsinghua University
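Review bot: the added `|| len < sizeof(nl->dev)` clause is the right guard, but the hunk does not say why it is needed: the old `len < needed` check compared the result buffer only against the size of the device entries and not against the unconditional sentinel write `nl->dev = 0; /* Flags no data */` reported as the out-of-bounds site, so a buffer shorter than sizeof(nl->dev) passed the check whenever `needed` was smaller than that write. A short comment on the condition, e.g. `/* must also hold the "no data" sentinel nl->dev = 0 */`, would keep the second clause from being dropped as redundant in a later cleanup. It is also worth stating in the commit message that the data_size values in the reported range [0x131,0x138] leave get_result_buffer() with a len smaller than sizeof(nl->dev), since that is the case the new clause exists for.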
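As an added illustration (not code from the report, the patch or the kernel), the following C model of the list_devices() result-buffer check shows why the pre-patch `len < needed` test accepts a user-sized allocation in the report's data_size range and lets the 8-byte `nl->dev = 0` sentinel write run past it, while the patched test rejects it. MIN_DATA_SIZE, the 8-byte alignment of the result buffer after the header, and the name_list layout are simplifying assumptions; the device name is constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MIN_DATA_SIZE 0x131u   /* assumed: smallest data_size copy_params accepts */
#define ALIGN8(x)     (((x) + (size_t)7) & ~(size_t)7)
#define DATA_START    ALIGN8(MIN_DATA_SIZE)  /* assumed: result buffer is 8-byte aligned after the header */

struct name_list {             /* simplified stand-in for struct dm_name_list */
    uint64_t dev;              /* nl->dev == 0 flags "no data" */
    uint32_t next;
    char name[];
};

enum outcome { BUF_REJECTED, BUF_OK, BUF_OOB_WRITE };

static const char *const kSampleNames[] = { "vg-root" };   /* constructed sample device name */

/* Bytes the device entries need; zero when no device is mapped. */
static size_t needed_bytes(const char *const *names, size_t n)
{
    size_t needed = 0;
    for (size_t i = 0; i < n; i++)
        needed += ALIGN8(sizeof(struct name_list) + strlen(names[i]) + 1);
    return needed;
}

/* Model of list_devices(): the allocation is data_size bytes (user-controlled);
 * the result buffer is whatever remains after DATA_START. hardened=true applies
 * the patched check, hardened=false the pre-patch `len < needed` only. */
enum outcome model_list_devices(uint32_t data_size, const char *const *names,
                                size_t n, bool hardened)
{
    if (data_size < MIN_DATA_SIZE)
        return BUF_REJECTED;                     /* rejected before any write happens */
    size_t len = data_size > DATA_START ? data_size - DATA_START : 0;
    size_t needed = needed_bytes(names, n);

    if (len < needed || (hardened && len < sizeof(uint64_t)))
        return BUF_REJECTED;                     /* DM_BUFFER_FULL_FLAG; goto out */

    /* "nl->dev = 0" is written unconditionally; device entries, when any, overwrite it. */
    size_t written = n ? needed : sizeof(uint64_t);
    return DATA_START + written > data_size ? BUF_OOB_WRITE : BUF_OK;
}
```

With no devices mapped, needed_bytes() is zero, so every data_size from 0x131 to 0x138 passes the pre-patch check with len == 0 and the sentinel write lands beyond the allocation; the patched check returns BUF_REJECTED for the same inputs.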