oss-sec mailing list archives
Re: Linux kernel: qrtr: another out-of-bound Read in qrtr_endpoint_post in net/qrtr/qrtr.c
From: butt3rflyh4ck <butterflyhuangxx () gmail com>
Date: Thu, 26 Aug 2021 23:18:53 +0800
No, I didn't. I have reported to Red Hat, they said that if they confirmed and would assign a CVE for this issue. Regards, butt3rflyh4ck. On Thu, Aug 26, 2021 at 10:41 PM John Haxby <john.haxby () oracle com> wrote:
On 25 Aug 2021, at 03:40, butt3rflyh4ck <butterflyhuangxx () gmail com> wrote: Hi, There was another out-of-bound read bug in qrtr_endpoint_post in net/qrtr/qrtr.c in 5.14.0-rc6+ and reproduced it. This check in qrtr_endpoint_post was incomplete, did not consider size is 0: ``` if (len != ALIGN(size, 4) + hdrlen) goto err; ``` if size from qrtr_hdr is 0, the result of ALIGN(size, 4) will be 0, In case of len == hdrlen and size == 0 in header this check won't fail and ``` if (cb->type == QRTR_TYPE_NEW_SERVER) { /* Remote node endpoint can bridge other distant nodes */ const struct qrtr_ctrl_pkt *pkt = data + hdrlen; qrtr_node_assign(node, le32_to_cpu(pkt->server.node)); } ``` will also read out of bound from data, which is hdrlen allocated block. #analyze and some details https://lists.openwall.net/netdev/2021/08/17/124 #patch https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/commit/?id=7e78c597c3eb now not available upstream.Hi, Did you ask for a CVE for this bug? jch#Timeline *2021/8/17 - Vulnerability reported to netdev () vger kernel org. *2021/8/20 - Vulnerability confirmed and patched. *2021/8/23 - Vulnerability reported to secalert () redhat com. *2021/8/25 - Opened on oss-security () lists openwall com. #Credit Active Defense Lab of Venustech. Regards, butt3rflyh4ck. -- Active Defense Lab of Venustech
-- Active Defense Lab of Venustech
Current thread:
- Linux kernel: qrtr: another out-of-bound Read in qrtr_endpoint_post in net/qrtr/qrtr.c butt3rflyh4ck (Aug 25)
- Re: Linux kernel: qrtr: another out-of-bound Read in qrtr_endpoint_post in net/qrtr/qrtr.c John Haxby (Aug 26)
- Re: Linux kernel: qrtr: another out-of-bound Read in qrtr_endpoint_post in net/qrtr/qrtr.c butt3rflyh4ck (Aug 26)
- Re: Linux kernel: qrtr: another out-of-bound Read in qrtr_endpoint_post in net/qrtr/qrtr.c butt3rflyh4ck (Aug 27)
- Re: Linux kernel: qrtr: another out-of-bound Read in qrtr_endpoint_post in net/qrtr/qrtr.c butt3rflyh4ck (Aug 27)
- Re: Linux kernel: qrtr: another out-of-bound Read in qrtr_endpoint_post in net/qrtr/qrtr.c John Haxby (Aug 26)