oss-sec mailing list archives
Re: Type Confusion in Linux Kernel
From: John Helmert III <ajak () gentoo org>
Date: Tue, 10 Jan 2023 08:03:44 -0600
On Mon, Jan 09, 2023 at 03:09:22PM -0700, Kyle Zeng wrote:
> Hi there,
>
> I recently found a type-confusion vulnerability in the Linux kernel. Since it interprets random data as pointers, it is potentially exploitable. According to the fix commit, this bug was introduced in Linux-2.6.12-rc2 in 2005. I already contacted security () kernel org and helped them patch the vulnerability.
>
> # Vulnerability
>
> The vulnerability is caused by accessing classification results before checking the classification return code in the network scheduler's code. For example, in the following snippet from `cbq_classify`:
>
> ~~~
> struct cbq_class *cl;
> ......
> result = tcf_classify(skb, fl, &res, true);
> if (!fl || result < 0)
>         goto fallback;
> cl = (void *)res.class;   /* res.class used before result is checked for TC_ACT_SHOT */
> ~~~
>
> It checks `result < 0` before casting `res.class` to `struct cbq_class *`. However, `result >= 0` does not ensure `res.class` contains valid results. Specifically, it is possible that `result` itself says the packet is invalid and should be dropped (`TC_ACT_SHOT`) while at the same time `res.class` contains invalid data, because `res.class` is a huge union attribute and can be used for other purposes before it is marked as `TC_ACT_SHOT`. As a result, it is a type confusion between `struct cbq_class` and whatever struct `res.class` was used as before it is returned.
>
> # Patch
>
> Two schedulers have the same vulnerable code patterns and the fixes can be found at https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=caa4b35b4317d5147b3ab0fbdc9c075c7d2e9c12 and https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=a2965c7be0522eaa18808684b7b82b248515511b
>
> This vulnerability does not have a CVE assigned. I'd appreciate it if anyone on the mailing list can give it a CVE to signify its security implications.

You haven't really elaborated on the security implications, but you can request a CVE at cveform.mitre.org I guess. MITRE tends to be prickly regarding kernel issues, though.

> Best,
> Kyle Zeng
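The pattern described in the mail, as an added user-space example (not kernel code, not code from the thread): a cut-down `struct tcf_result` whose union members share bytes, a stand-in classifier that reuses the union to record a chained filter (`goto_tp`) and then returns `TC_ACT_SHOT` without rewriting it, and the vulnerable caller shape beside the fixed one. Everything here is constructed: the struct layouts are simplified, `fake_tcf_classify`, `real_class`, `next_tp` and the field values are assumptions, and the confused pointer is deliberately kept inside the program's own memory so the demo cannot crash.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Same values as TC_ACT_OK / TC_ACT_SHOT in include/uapi/linux/pkt_cls.h. */
#define TC_ACT_OK   0
#define TC_ACT_SHOT 2

/* Cut-down stand-in for the kernel's struct tcf_proto (a filter in a chain). */
struct tcf_proto {
    uint32_t prio;        /* first field: what a bogus cl->level read will see */
    uint32_t protocol;
    const char *kind;
};

/* Cut-down stand-in for struct tcf_result: all members share the same bytes.
 * The kernel uses unsigned long for class; uintptr_t keeps this demo portable. */
struct tcf_result {
    union {
        struct {
            uintptr_t class;             /* normally a struct cbq_class * */
            uint32_t  classid;
        };
        const struct tcf_proto *goto_tp; /* used while chaining to the next filter */
    };
};

/* Cut-down stand-in for struct cbq_class. */
struct cbq_class {
    uint32_t level;
    uint32_t quantum;
};

/* Constructed objects (assumed values); static so the confused pointer stays in-process. */
static struct cbq_class real_class = { .level = 1, .quantum = 1500 };
static struct tcf_proto next_tp    = { .prio = 0xdead, .protocol = 0x0800, .kind = "u32" };

/* Stand-in for tcf_classify(), modelling a two-filter chain: the first filter records
 * where the chain continues in res->goto_tp (overlapping res->class); the second either
 * matches real_class (TC_ACT_OK) or drops the packet (TC_ACT_SHOT) without rewriting
 * res, so the goto_tp bytes are left behind in res->class. */
static int fake_tcf_classify(struct tcf_result *res, bool drop)
{
    res->goto_tp = &next_tp;
    if (drop)
        return TC_ACT_SHOT;
    res->class   = (uintptr_t)&real_class;
    res->classid = 0x10001;
    return TC_ACT_OK;
}

/* Vulnerable caller, the cbq_classify shape quoted in the mail: only result < 0 is
 * checked before res.class is cast and dereferenced; TC_ACT_SHOT is handled afterwards,
 * when cl has already been used. Returns the class, or NULL on fallback/drop. */
static struct cbq_class *cbq_classify_vulnerable(bool drop, uint32_t *level_out)
{
    struct tcf_result res;
    memset(&res, 0, sizeof(res));
    int result = fake_tcf_classify(&res, drop);
    if (result < 0)
        return NULL;                          /* "goto fallback" */
    struct cbq_class *cl = (void *)res.class;  /* may really point at a tcf_proto */
    *level_out = cl->level;                   /* type-confused read on TC_ACT_SHOT */
    if (result == TC_ACT_SHOT)
        return NULL;                          /* too late: cl was already dereferenced */
    return cl;
}

/* Fixed caller, the shape of the upstream fix: act on the drop verdict before anything
 * in res is interpreted, so stale union contents are never dereferenced. */
static struct cbq_class *cbq_classify_fixed(bool drop, uint32_t *level_out)
{
    struct tcf_result res;
    memset(&res, 0, sizeof(res));
    int result = fake_tcf_classify(&res, drop);
    if (result < 0)
        return NULL;
    if (result == TC_ACT_SHOT)
        return NULL;                          /* nothing in res is trusted */
    struct cbq_class *cl = (void *)res.class;
    *level_out = cl->level;
    return cl;
}

/* "Level" the vulnerable path reads for a dropped packet: next_tp.prio (0xdead). */
uint32_t vulnerable_level_on_drop(void)
{
    uint32_t level = 0;
    cbq_classify_vulnerable(true, &level);
    return level;
}

/* The fixed path never reads a class for a dropped packet: level stays 0. */
uint32_t fixed_level_on_drop(void)
{
    uint32_t level = 0;
    cbq_classify_fixed(true, &level);
    return level;
}

/* Sanity check: for an accepted packet the fixed path finds real_class (level 1). */
uint32_t fixed_level_on_accept(void)
{
    uint32_t level = 0;
    return cbq_classify_fixed(false, &level) == &real_class ? level : 0xffffffffu;
}

int main(void)
{
    printf("vulnerable, dropped: cl->level = 0x%x (really tcf_proto.prio)\n", vulnerable_level_on_drop());
    printf("fixed, dropped:      class untouched, level stays %u\n", fixed_level_on_drop());
    printf("fixed, accepted:     cl->level = %u\n", fixed_level_on_accept());
    return 0;
}
```

The point the demo makes is that `result >= 0` only rules out classifier errors; it says nothing about whether `res` was populated for the caller's benefit. In the real kernel the bytes left in `res.class` would be whatever object the union last held, and `cl->level` would read from it with no bounds on what that object is.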
Current thread:
- Type Confusion in Linux Kernel Kyle Zeng (Jan 10)
- Re: Type Confusion in Linux Kernel John Helmert III (Jan 10)
- Re: Type Confusion in Linux Kernel Kyle Zeng (Jan 10)
- Re: Type Confusion in Linux Kernel John Helmert III (Jan 10)