oss-sec mailing list archives
CVE-2017-17712 net/ipv4/raw.c: raw_sendmsg() race condition
From: Mohamed Ghannam <simo.ghannam () gmail com>
Date: Sat, 16 Dec 2017 00:29:09 +0000
Hi,

This is an announcement for CVE-2017-17712, which is a race condition that leads to an uninitialized stack variable; this might be used to gain code execution.

The bug was introduced here:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=c008ba5bdc9fa830e1a349b20b0be5a137bdef7a

And fixed here:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=8f659a03a0ba9289b9aeb9b4470e6fb263d6f483

####### BUG DETAILS ############

in net/ipv4/raw.c:

    static int raw_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
    {
        ...
        struct raw_frag_vec rfv;                                      [1]
        ...
        ...
        if (!inet->hdrincl) {                                         [2]
            rfv.msg = msg;
            rfv.hlen = 0;
            err = raw_probe_proto_opt(&rfv, &fl4);
            if (err)
                goto done;
        }
        ...
        ...
        if (inet->hdrincl)                                            [3]
            err = raw_send_hdrinc(sk, &fl4, msg, len, &rt,
                                  msg->msg_flags, &ipc.sockc);
        else {
            sock_tx_timestamp(sk, ipc.sockc.tsflags, &ipc.tx_flags);
            if (!ipc.addr)
                ipc.addr = fl4.daddr;
            lock_sock(sk);
            err = ip_append_data(sk, &fl4, raw_getfrag, &rfv, len, 0, [4]
                                 &ipc, &rt, msg->msg_flags);
            ...
        }

[1] rfv is not initialized and contains a pointer to a msghdr header structure.

[2], [3] There are multiple checks against inet->hdrincl without a lock.

When we achieve (by racing inet->hdrincl via setsockopt()) inet->hdrincl=1 in [1], and inet->hdrincl=0 in [2], the rfv variable remains uninitialized and is used in [4].

By spraying the stack with controlled user data, we can take control of the msg pointer, which is used later in ip_append_data().

In attachment: poc.c + kernel panic log

####### CREDITS ############

Mohamed GHANNAM
Attachments:
panic.log
poc.c
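The following is an added illustration and is not code from the post, from the attached poc.c, or from the kernel. It models in user space the double-read pattern the post describes (a shared flag read twice without a lock, a stack struct filled in only on one branch of the first read but consumed on one branch of the second) and contrasts it with the single-snapshot shape of the linked fix. All identifiers are hypothetical; the scripted flag source stands in for a concurrent setsockopt() flipping the flag between the two reads, which is what the test exercises. The struct is poisoned rather than left truly uninitialized so that the failure is observable without undefined behaviour.

```c
#include <stddef.h>
#include <string.h>

/* Constructed model (not kernel code) of the raw_sendmsg() pattern.
 * All names here are hypothetical stand-ins. */

struct frag_vec {
    const char *msg;   /* stands in for rfv.msg, a pointer the callee follows */
    size_t hlen;       /* stands in for rfv.hlen */
};

/* Emulates a concurrent setsockopt(): each read of the flag returns the
 * next scripted value, so a test can flip it between the two checks. */
struct flag_script {
    const int *values;
    size_t count;
    size_t pos;
};

static int read_flag(struct flag_script *s)
{
    int v = s->values[s->pos];
    if (s->pos + 1 < s->count)
        s->pos++;
    return v;
}

/* Mirrors the buggy control flow: the flag is read at each check.
 * Returns 1 if rfv is consumed without ever having been filled in,
 * 0 otherwise. rfv is poisoned first so the outcome is observable;
 * in the real bug it holds whatever the stack contained before. */
int sendmsg_two_reads(struct flag_script *s, const char *msg)
{
    struct frag_vec rfv;
    memset(&rfv, 0xAA, sizeof rfv);

    if (!read_flag(s)) {            /* first check of the flag */
        rfv.msg = msg;
        rfv.hlen = 0;
    }

    if (read_flag(s))               /* second check of the flag */
        return 0;                   /* hdrincl path: rfv is not used */

    /* non-hdrincl path: rfv is handed to the fragment callback */
    return rfv.msg == msg ? 0 : 1;
}

/* Same flow with the flag read exactly once into a local (the shape of the
 * linked fix): every later decision uses the snapshot, so a concurrent
 * change of the flag can no longer desynchronise the two branches. */
int sendmsg_single_read(struct flag_script *s, const char *msg)
{
    int hdrincl = read_flag(s);     /* one read, kept in a local */
    struct frag_vec rfv;
    memset(&rfv, 0xAA, sizeof rfv);

    if (!hdrincl) {
        rfv.msg = msg;
        rfv.hlen = 0;
    }

    if (hdrincl)
        return 0;

    return rfv.msg == msg ? 0 : 1;
}

/* Run one variant against a scripted sequence of flag values. */
int run_script(int (*variant)(struct flag_script *, const char *),
               const int *values, size_t count)
{
    struct flag_script s = { values, count, 0 };
    return variant(&s, "constructed payload");
}
```

The interesting case is the sequence {1, 0}: the first read skips the initialisation and the second read takes the consuming branch, so the two-read variant reports garbage in use while the single-read variant never reaches that state. Steady sequences ({0, 0} and {1, 1}) are fine in both variants, which is why this class of bug survives ordinary testing and tends to surface only under a race detector or a KASAN/stack-poisoning build.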
Current thread:
- CVE-2017-17712 net/ipv4/raw.c: raw_sendmsg() race condition Mohamed Ghannam (Dec 15)