Re: Linux kernel: qrtr: another out-of-bound Read in qrtr_endpoint_post in net/qrtr/qrtr.c

[butt3rflyh4ck <butterflyhuangxx () gmail com>]

The patch is available upstream.
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=7e78c597c3ebfd0cb329aa09a838734147e4f117

Regards,
 butt3rflyh4ck.


On Wed, Aug 25, 2021 at 10:40 AM butt3rflyh4ck
<butterflyhuangxx () gmail com> wrote:
> Hi, There was another out-of-bound read bug in qrtr_endpoint_post in
> net/qrtr/qrtr.c in 5.14.0-rc6+ and reproduced it.
>
> This check in  qrtr_endpoint_post was incomplete, did not consider size is 0:
> ```
> if (len != ALIGN(size, 4) + hdrlen)
>                 goto err;
> ```
> if size from qrtr_hdr is 0, the result of ALIGN(size, 4) will be 0,
> In case of len == hdrlen and size == 0 in header this check won't fail and
> ```
>  if (cb->type == QRTR_TYPE_NEW_SERVER) { /* Remote node endpoint can
> bridge other distant nodes */
>              const struct qrtr_ctrl_pkt *pkt = data + hdrlen;
>              qrtr_node_assign(node, le32_to_cpu(pkt->server.node));
>  }
> ```
> will also read out of bound from data, which is hdrlen allocated block.
>
>
> #analyze and some details
> https://lists.openwall.net/netdev/2021/08/17/124
>
> #patch
> https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/commit/?id=7e78c597c3eb
> now not available upstream.
>
> #Timeline
> *2021/8/17 - Vulnerability reported to netdev () vger kernel org.
> *2021/8/20 - Vulnerability confirmed and patched.
> *2021/8/23 - Vulnerability reported to secalert () redhat com.
> *2021/8/25 - Opened on oss-security () lists openwall com.
>
> #Credit
> Active Defense Lab of Venustech.
>
>
> Regards,
>  butt3rflyh4ck.
>
> --
> Active Defense Lab of Venustech



-- 
Active Defense Lab of Venustech