oss-sec mailing list archives

Re: Linux kernel: isdn: capi: array-index-out-of-bounds in detach_capi_ctr in drivers/isdn/capi/kcapi.c


From: butt3rflyh4ck <butterflyhuangxx () gmail com>
Date: Fri, 5 Nov 2021 23:11:42 +0800

Hi, the Mitre has assigned CVE-2021-43389 to this issue.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43389

Regards,
  butt3rflyh4ck.


On Tue, Oct 19, 2021 at 11:21 PM butt3rflyh4ck
<butterflyhuangxx () gmail com> wrote:

Hi, there is an array-index-out-of-bounds bug in detach_capi_ctr in
drivers/isdn/capi/kcapi.c and I reproduced it on 5.15.0-rc2+.

#Root Cause
We can call the CMTPCONNADD ioctl, which invokes
do_cmtp_sock_ioctl(), which in turn calls cmtp_add_connection().
The call chain is as follows.
ioctl(CMTPCONNADD)
   ->cmtp_sock_ioctl()
         -->do_cmtp_sock_ioctl()
            --->cmtp_add_connection()
                ---->kthread_run()
                ---->cmtp_attach_device()
The function would add a cmtp session to a controller.

The cmtp_add_connection() would add a cmtp session to a controller
and run a kernel thread to process cmtp.

        __module_get(THIS_MODULE);
        session->task = kthread_run(cmtp_session, session, "kcmtpd_ctr_%d",
                                    session->num);

During this process, the kernel thread would call detach_capi_ctr()
to detach a registered controller. If the controller
was not attached yet, detach_capi_ctr() would
trigger an array-index-out-of-bounds bug.


#Analysis
https://lore.kernel.org/netdev/CAFcO6XOvGQrRTaTkaJ0p3zR7y7nrAWD79r48=L_BbOyrK9X-vA () mail gmail com/

#patch
The patch is available upstream now.
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=1f3e2e97c003f80c4b087092b225c8787ff91e4d

#Timeline
*2021/9/24 - Vulnerability reported to netdev () vger kernel org.
*2021/9/24 - Vulnerability confirmed.
*2021/10/8 - Vulnerability patched.
*2021/10/9 - Vulnerability reported to secalert () redhat com and confirmed.
*2021/10/19 - Opened on oss-security () lists openwall com.

#Credit
Active Defense Lab of Venustech.


Regards,
 butt3rflyh4ck.

--
Active Defense Lab of Venustech



--
Active Defense Lab of Venustech
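To make the root cause concrete, here is an added user-space model of the capi_controller[] bookkeeping that the advisory describes; it is not kernel code or code from the reporter. The names CAPI_MAXCONTR, ctr->cnr and capi_controller[] follow the kernel, but model_attach_capi_ctr() and model_detach_capi_ctr() are assumed simplifications: the detach validates ctr->cnr before indexing, as the upstream patch does, so a controller that was never attached (cnr still 0) is rejected instead of producing index -1.

```c
/* Added example: simplified model of kcapi controller bookkeeping. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

#define CAPI_MAXCONTR 32

struct capi_ctr {
    int cnr;   /* 1-based controller number; 0 means "never attached" */
};

static struct capi_ctr *capi_controller[CAPI_MAXCONTR];

/* Attach: claim the first free slot and record its 1-based number. */
static int model_attach_capi_ctr(struct capi_ctr *ctr)
{
    for (int i = 0; i < CAPI_MAXCONTR; i++) {
        if (capi_controller[i] == NULL) {
            capi_controller[i] = ctr;
            ctr->cnr = i + 1;
            return 0;
        }
    }
    return -EBUSY;
}

/* Detach with the range check the upstream fix introduces: without it,
 * cnr == 0 for an unattached controller would index capi_controller[-1]. */
static int model_detach_capi_ctr(struct capi_ctr *ctr)
{
    if (ctr->cnr < 1 || ctr->cnr - 1 >= CAPI_MAXCONTR)
        return -EINVAL;                     /* never attached / bogus cnr */
    if (capi_controller[ctr->cnr - 1] != ctr)
        return -EINVAL;                     /* slot holds someone else */
    capi_controller[ctr->cnr - 1] = NULL;
    ctr->cnr = 0;
    return 0;
}

int main(void)
{
    struct capi_ctr never_attached = { .cnr = 0 };
    struct capi_ctr ctr = { .cnr = 0 };

    printf("detach unattached: %d\n", model_detach_capi_ctr(&never_attached));
    printf("attach: %d\n", model_attach_capi_ctr(&ctr));
    printf("detach attached: %d\n", model_detach_capi_ctr(&ctr));
    printf("detach again: %d\n", model_detach_capi_ctr(&ctr));
    return 0;
}
```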