oss-sec mailing list archives

xawtv: CVE-2020-13696: v4l-conf setuid-root program allows file existence tests and open(..., O_RDRW) on arbitrary files


From: Matthias Gerstner <mgerstner () suse de>
Date: Thu, 4 Jun 2020 16:09:59 +0200

Hello,

xawtv [1] contains a setuid-root program called `v4l-conf` that is
supposed to allow regular users to configure v4l devices. xawtv is
pretty old code but it is still shipped on some distributions like
Debian and openSUSE.

Vulnerability Description
=========================

While checking the source code of `v4l-conf` I noticed that it allows
regular users to perform arbitrary file existence tests and also to
perform `open(..., O_RDWR)` and `fstat()` system calls on arbitrary
files. The issue is found in the `dev_open()` function which only
contains a naive security check:

```c
    /* only the first five bytes of the user-supplied path are compared */
    if (strncmp(device, "/dev/", 5)) {
        fprintf(stderr, "error: %s is not a /dev file\n", device);
        exit(1);
    }
```

This check is not safe against relative path components (`..`) or against
symlinks that an unprivileged user can place in the world-writable
/dev/shm. Example:

```
# in this case the file does not exist
user $ v4l-conf -c /dev/../root/.bashrc
VT_GETSTATE is not supported: Inappropriate ioctl for device
mode: 0x0, depth=0, bpp=0, bpl=0, base=unknown
can't open /dev/../root/.bashrc: No such file or directory

# in this case the file exists
user $ v4l-conf -c /dev/../root/.bash_history
VT_GETSTATE is not supported: Inappropriate ioctl for device
mode: 0x0, depth=0, bpp=0, bpl=0, base=unknown
/dev/../root/.bash_history: wrong device
```

Some devices in /dev might also trigger code paths upon open() in the
kernel that are usually not reachable by regular users.

Bugfix
======

Upstream added two fixes in their Git repository [2]:

- commit 31f31f9cbaee7be806cba38e0ff5431bd44b20a3
- commit 36dc44e68e5886339b4a0fbe3f404fb1a4fd2292

The fix is still incomplete, though: it prevents an `open()` on
unintended files, but it still allows the file existence test to be
performed. Attached is a small patch that fixes that as well.
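A hardened form of the path check, added here as an illustration (it is neither upstream's code nor the attached patch): it rejects `..` components lexically, canonicalises with `realpath()` so a symlink under /dev/shm cannot lead outside /dev, requires a character device below /dev/, and returns one uniform failure code so that no difference in error messages reveals whether a file exists. The function names `resolve_device` and `open_device` are assumed.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <limits.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hardened replacement for strncmp(device, "/dev/", 5) (assumed design,
 * not upstream's code): reject "." and ".." components lexically, then
 * canonicalise with realpath() so a symlink under /dev/shm cannot lead
 * outside /dev, and require a character device below /dev/. Every failure
 * returns -1 so the caller prints one message and is no existence oracle. */
int resolve_device(const char *device, char *canon, size_t canon_len)
{
    char buf[PATH_MAX];
    struct stat st;
    const char *p = device;
    if (strncmp(device, "/dev/", 5) != 0)
        return -1;
    while (*p) {
        p += strspn(p, "/");                    /* skip separators */
        size_t n = strcspn(p, "/");             /* component length */
        if ((n == 1 && p[0] == '.') || (n == 2 && p[0] == '.' && p[1] == '.'))
            return -1;
        p += n;
    }
    if (realpath(device, buf) == NULL)          /* ENOENT, EACCES, ...: all -1 */
        return -1;
    if (strncmp(buf, "/dev/", 5) != 0 || strlen(buf) >= canon_len ||
        stat(buf, &st) != 0 || !S_ISCHR(st.st_mode))
        return -1;
    strcpy(canon, buf);
    return 0;
}

/* Validate, open the canonical path, then re-check the descriptor itself
 * (the path may change between realpath() and open()) before any ioctl(). */
int open_device(const char *device)
{
    char canon[PATH_MAX];
    struct stat st;
    int fd = resolve_device(device, canon, sizeof canon) == 0
                 ? open(canon, O_RDWR) : -1;
    if (fd >= 0 && (fstat(fd, &st) != 0 || !S_ISCHR(st.st_mode))) {
        close(fd);
        fd = -1;
    }
    return fd;
}
```

The caller should print the same generic message for every -1 result; any per-cause message (such as the "No such file or directory" versus "wrong device" pair shown above) reintroduces the existence test.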

Timeline
========

2020-05-14: I privately reported the finding to
            mchehab+samsung () kernel org, one of the xawtv maintainers
            denoted in [3].
2020-05-14 - 2020-05-29: various discussions with the maintainer about
            the fix. He published the partial fixes in the Git
            repository right away.
2020-05-29: I reported to the maintainer that the fix is still
            incomplete but did not hear back since then.
2020-05-29: I requested and obtained a CVE from Mitre for this issue.

[1]: https://www.linuxtv.org/wiki/index.php/Xawtv
[2]: https://git.linuxtv.org/xawtv3.git
[3]: https://www.linuxtv.org/wiki/index.php/Media_Maintainers#XawTV

Cheers

Matthias

-- 
Matthias Gerstner <matthias.gerstner () suse de>
Dipl.-Wirtsch.-Inf. (FH), Security Engineer
https://www.suse.com/security
Phone: +49 911 740 53 290
GPG Key ID: 0x14C405C971923553

SUSE Software Solutions Germany GmbH
HRB 36809, AG Nürnberg
Geschäftsführer: Felix Imendörffer

Attachment: 0001-v4l-conf-use-the-same-error-messages-for-stat-and-ty.patch
Attachment: signature.asc