Full Disclosure mailing list archives
popo2, kernel/tun driver bufferoverflow.
From: KJ Jung <x90cx90c1 () gmail com>
Date: Mon, 14 Jun 2021 07:24:15 +0900
Linux kernel version 5.4, latest. The __tun_chr_ioctl function of ~/drivers/net/tun.c has a stack buffer overflow vulnerability. It gets arg and ifreq_len and copies the arg (argp) to ifr (ifreq struct), and these steps have no bounds-checking. If cmd == TUNSETIFF or TUNSETQUEUE or so on, then it enters the copy_from_user function area.

--

    static long tun_chr_ioctl(struct file *file,
                              unsigned int cmd, unsigned long arg)
    {
            return __tun_chr_ioctl(file, cmd, arg, sizeof (struct ifreq));
    }

    static const struct file_operations tun_fops = {
            .owner          = THIS_MODULE,
            .llseek         = no_llseek,
            .read_iter      = tun_chr_read_iter,
            .write_iter     = tun_chr_write_iter,
            .poll           = tun_chr_poll,
            .unlocked_ioctl = tun_chr_ioctl,

--

https://lxr.missinglinkelectronics.com/linux/drivers/net/tun.c

    static long __tun_chr_ioctl(struct file *file, unsigned int cmd,
                                unsigned long arg, int ifreq_len)
    {
            struct tun_file *tfile = file->private_data;
            struct net *net = sock_net(&tfile->sk);
            struct tun_struct *tun;
            void __user* argp = (void __user*)arg;
            unsigned int ifindex, carrier;
            struct ifreq ifr;
            kuid_t owner;
            kgid_t group;
            int sndbuf;
            int vnet_hdr_sz;
            int le;
            int ret;
            bool do_notify = false;

            if (cmd == TUNSETIFF || cmd == TUNSETQUEUE ||
                (_IOC_TYPE(cmd) == SOCK_IOC_TYPE && cmd != SIOCGSKNS)) {
                    // x90:: vulnerable point::
                    if (copy_from_user(&ifr, argp, ifreq_len)) // bug.
                            return -EFAULT;
            } else {
                    memset(&ifr, 0, sizeof(ifr));
            }

--

author: x90

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
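The post concerns a copy of caller-supplied length into a fixed-size stack struct. The following is an added user-space model, not code from the post or from tun.c: it stands in a hypothetical copy_from_user_model() for the kernel helper, uses a constructed ifreq_model struct instead of the real struct ifreq, and shows the bounds check a reviewer would want on such a copy (length never exceeds the destination, a short copy is zero-filled, a bad user pointer is reported as -EFAULT). The scenario inputs are constructed for the example.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for struct ifreq (the real one lives in <linux/if.h>;
 * 40 bytes on x86-64). The field sizes here are illustrative only. */
#define IFNAMSIZ 16
struct ifreq_model {
    char ifr_name[IFNAMSIZ];
    unsigned char ifr_data[24];
};

/* Hypothetical user-space model of copy_from_user(): copies len bytes and
 * returns 0 on success or the number of bytes left uncopied on failure.
 * "User memory" is an ordinary buffer here; NULL models an unmapped pointer. */
static unsigned long copy_from_user_model(void *to, const void *from, size_t len)
{
    if (from == NULL)
        return len;
    memcpy(to, from, len);
    return 0;
}

/* Bounded copy of a caller-supplied length into a fixed-size struct. Rejects
 * lengths larger than the destination, zero-fills a short copy, and forces a
 * NUL terminator on the name. These are the defensive choices of this example. */
static int copy_ifreq_bounded(struct ifreq_model *ifr, const void *argp, size_t ifreq_len)
{
    if (ifreq_len > sizeof(*ifr))
        return -EINVAL;                         /* would overrun ifr on the stack */
    if (copy_from_user_model(ifr, argp, ifreq_len))
        return -EFAULT;                         /* fault while reading user memory */
    if (ifreq_len < sizeof(*ifr))
        memset((unsigned char *)ifr + ifreq_len, 0, sizeof(*ifr) - ifreq_len);
    ifr->ifr_name[IFNAMSIZ - 1] = '\0';
    return 0;
}

/* Runs four constructed scenarios and returns how many behaved as expected. */
static int run_scenarios(void)
{
    unsigned char user_arg[64];                 /* constructed "user" buffer */
    struct ifreq_model ifr;
    int ok = 0;

    memset(user_arg, 'A', sizeof(user_arg));
    memcpy(user_arg, "tun0", 5);

    /* 1. A length larger than the destination is refused, nothing is copied. */
    if (copy_ifreq_bounded(&ifr, user_arg, sizeof(user_arg)) == -EINVAL)
        ok++;
    /* 2. An exact-size copy succeeds and yields the interface name. */
    if (copy_ifreq_bounded(&ifr, user_arg, sizeof(ifr)) == 0 &&
        strcmp(ifr.ifr_name, "tun0") == 0)
        ok++;
    /* 3. A short copy succeeds and the unwritten tail is zeroed. */
    if (copy_ifreq_bounded(&ifr, user_arg, 4) == 0 &&
        ifr.ifr_name[4] == '\0' && ifr.ifr_data[0] == 0)
        ok++;
    /* 4. A bad user pointer is reported as -EFAULT. */
    if (copy_ifreq_bounded(&ifr, NULL, sizeof(ifr)) == -EFAULT)
        ok++;
    return ok;
}

int main(void)
{
    int ok = run_scenarios();
    printf("%d/4 scenarios behaved as expected\n", ok);
    return ok == 4 ? 0 : 1;
}
```

The point of the check is that the destination size is a compile-time constant, so any length that reaches the copy must be compared against sizeof(ifr) (or derived from it) before the copy runs; in the model, the length comparison in copy_ifreq_bounded() is what keeps the copy inside the stack object.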
Current thread:
- popo2, kernel/tun driver bufferoverflow. KJ Jung (Jun 15)
- Re: popo/popo2 linux kernel vulns RaziREKT via Fulldisclosure (Jun 18)
- Re: popo2, kernel/tun driver bufferoverflow. Robert Święcki (Jun 18)