oss-sec mailing list archives
Re: Linux kernel: isdn: cpai: array-index-out-of-bounds in detach_capi_ctr in drivers/isdn/capi/kcapi.c
From: butt3rflyh4ck <butterflyhuangxx () gmail com>
Date: Fri, 5 Nov 2021 23:11:42 +0800
Hi, the Mitre has assigned CVE-2021-43389 to this issue.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43389

Regards,
butt3rflyh4ck.

On Tue, Oct 19, 2021 at 11:21 PM butt3rflyh4ck <butterflyhuangxx () gmail com> wrote:
Hi, there is an array-index-out-of-bounds bug in detach_capi_ctr in drivers/isdn/capi/kcapi.c and I reproduced it on 5.15.0-rc2+.

#Root Cause
We can call the CMTPCONNADD ioctl and it would invoke do_cmtp_sock_ioctl(), which would call cmtp_add_connection(). The chain of calls is as follows:

ioctl(CMTPCONNADD)
 -> cmtp_sock_ioctl()
  --> do_cmtp_sock_ioctl()
   ---> cmtp_add_connection()
    ----> kthread_run()
    ----> cmtp_attach_device()

The function would add a cmtp session to a controller. The cmtp_add_connection() would add a cmtp session to a controller and run a kernel thread to process cmtp.

__module_get(THIS_MODULE);
session->task = kthread_run(cmtp_session, session, "kcmtpd_ctr_%d", session->num);

During this process, the kernel thread would call detach_capi_ctr() to detach a registered controller. If the controller was not attached yet, detach_capi_ctr() would trigger an array-index-out-of-bounds bug.

#Analysis
https://lore.kernel.org/netdev/CAFcO6XOvGQrRTaTkaJ0p3zR7y7nrAWD79r48=L_BbOyrK9X-vA () mail gmail com/

#Patch
The patch is available upstream now.
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=1f3e2e97c003f80c4b087092b225c8787ff91e4d

#Timeline
*2021/9/24 - Vulnerability reported to netdev () vger kernel org.
*2021/9/24 - Vulnerability confirmed.
*2021/10/8 - Vulnerability patched.
*2021/10/9 - Vulnerability reported to secalert () redhat com and confirmed.
*2021/10/19 - Opened on oss-security () lists openwall com.

#Credit
Active Defense Lab of Venustech.

Regards,
butt3rflyh4ck.

--
Active Defense Lab of Venustech
-- Active Defense Lab of Venustech
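The defect class described in the thread, as an added illustration that is not the kernel's code and not part of the original post: a cut-down, user-space model of a controller table indexed by a 1-based slot number, where a controller that was never attached still carries slot number 0, so an unchecked detach computes index -1. The table size, field names and the attach/detach helpers are assumptions for the example; the hardened detach validates the slot number before using it as an index, which is the shape of check a reviewer would want in front of any such table lookup.

```c
#include <stddef.h>
#include <stdio.h>
#include <errno.h>

/* Assumed for this model: a fixed table of controller slots, as in
 * kcapi.c's capi_controller[] (size and names are illustrative). */
#define CAPI_MAXCONTR 32

struct capi_ctr {
    const char *name;
    int cnr;   /* 1-based slot number; 0 means "never attached" (assumed) */
};

static struct capi_ctr *capi_controller[CAPI_MAXCONTR];
static int ncontrollers;

/* Sample controllers, constructed for the example. */
static struct capi_ctr g_unattached = { "unattached", 0 };
static struct capi_ctr g_attached   = { "attached",   0 };

/* Model of attach: claim the first free slot and record it as cnr = slot + 1. */
int attach_capi_ctr(struct capi_ctr *ctr)
{
    for (int i = 0; i < CAPI_MAXCONTR; i++) {
        if (capi_controller[i] == NULL) {
            capi_controller[i] = ctr;
            ctr->cnr = i + 1;
            ncontrollers++;
            return 0;
        }
    }
    return -EBUSY;
}

/* The index an unchecked detach would use (cnr - 1). For a controller
 * that was never attached this is -1. It is returned, not dereferenced,
 * so the model stays memory-safe while still showing the bad value. */
int unchecked_detach_index(const struct capi_ctr *ctr)
{
    return ctr->cnr - 1;
}

/* Hardened detach: reject a slot number that is out of range, and a slot
 * that does not actually hold this controller, before touching the table. */
int detach_capi_ctr(struct capi_ctr *ctr)
{
    if (ctr->cnr < 1 || ctr->cnr - 1 >= CAPI_MAXCONTR)
        return -EINVAL;
    if (capi_controller[ctr->cnr - 1] != ctr)
        return -EINVAL;
    capi_controller[ctr->cnr - 1] = NULL;
    ctr->cnr = 0;
    ncontrollers--;
    return 0;
}

int main(void)
{
    printf("unchecked index for never-attached controller: %d\n",
           unchecked_detach_index(&g_unattached));          /* -1 */
    printf("checked detach of never-attached controller: %d\n",
           detach_capi_ctr(&g_unattached));                 /* -EINVAL */

    attach_capi_ctr(&g_attached);
    printf("attached '%s' as slot %d\n", g_attached.name, g_attached.cnr);
    printf("checked detach: %d, second detach: %d\n",
           detach_capi_ctr(&g_attached), detach_capi_ctr(&g_attached));
    return 0;
}
```

The second detach in the model returns -EINVAL because cnr was reset to 0 on the first detach; in the real driver the same check also protects against a controller whose slot was never assigned because attach failed or never ran.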