oss-sec mailing list archives
CVE-2017-12153 Linux kernel: nl80211: null pointer dereference in nl80211_set_rekey_data()
From: Vladis Dronov <vdronov () redhat com>
Date: Wed, 13 Sep 2017 15:06:51 -0400 (EDT)
Heololo,

A security flaw was discovered in the nl80211_set_rekey_data() function in the Linux kernel since v3.1-rc1 through v4.13. This function does not check whether the required attributes are present in a netlink request. This request can be issued by a user with the CAP_NET_ADMIN privilege and may result in a NULL dereference and a system crash.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1491046
https://marc.info/?t=150525503100001&r=1&w=2

Suggested upstream patch:
https://marc.info/?l=linux-wireless&m=150525493517953&w=2

Vulnerability surface:

Further analysis showed that an NL80211_CMD_SET_REKEY_OFFLOAD request has to be issued for a WiFi interface connected to a wireless network. This means that an attacker should already be root, or should be root in a user+net namespace to which a WiFi interface was moved from the main net namespace. We believe the latter configuration to be very unlikely.

[NON-PRIVILEGED USER]
$ /tmp/nl80211_rekey_poc
NLMSG_ERROR: nerr=0x7ffe0f092eb0 err=-1 txt=Operation not permitted

[ROOT IN USER+NET NAMESPACE] (WiFi interface is not present in it by default)
$ unshare -U -r -n
# ip a
1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
# /tmp/nl80211_rekey_poc
NLMSG_ERROR: nerr=0x7ffe06d2a7b0 err=-19 txt=No such device

[ROOT IN JUST A USER NAMESPACE]
$ unshare -U -r
# ip a
4: wlp0s8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noop state UP
    link/ether a4:c4:94:31:44:76 brd ff:ff:ff:ff:ff:ff
# /tmp/nl80211_rekey_poc
NLMSG_ERROR: nerr=0x7ffeda640ca0 err=-1 txt=Operation not permitted

[A REAL ROOT]
# ./nl80211_rekey_poc
[ 22.836967] BUG: unable to handle kernel NULL pointer dereference at (null)
[ 22.838069] IP: nl80211_set_rekey_data+0xb2/0x1d0
[ 22.838659] PGD 1368c6067
[ 22.838660] P4D 1368c6067
[ 22.839082] PUD 138f31067
[ 22.839482] PMD 0
[ 22.840891] Oops: 0000 [#1] SMP
[ 22.841769] Modules linked in: iwlmvm iwlwifi
[ 22.842771] CPU: 3 PID: 2937 Comm: nl80211_rekey_poc Not tainted 4.13.0-rc7 #21
[ 22.843899] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.9.3-1.fc25 04/01/2014
[ 22.845470] task: ffff8fd9b98d44c0 task.stack: ffffafa800b7c000
[ 22.846480] RIP: 0010:nl80211_set_rekey_data+0xb2/0x1d0
[ 22.847403] RSP: 0018:ffffafa800b7fab8 EFLAGS: 00010296
[ 22.848320] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000006
[ 22.849654] RDX: 0000000000000007 RSI: 0000000000000086 RDI: ffff8fd9bfcccc90
[ 22.850820] RBP: ffffafa800b7fb18 R08: 000000000000020f R09: 0000000000000000
[ 22.851995] R10: ffff8fd9ba124000 R11: ffffffff8905fce0 R12: ffff8fd9b8d62000
[ 22.853143] R13: ffff8fd9b7d70000 R14: ffff8fd9b8d62850 R15: ffffffff89501e80
[ 22.854299] FS:  00007eff01bea740(0000) GS:ffff8fd9bfcc0000(0000) knlGS:0000000000000000
[ 22.856038] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 22.857033] CR2: 0000000000000000 CR3: 0000000138e14000 CR4: 00000000001406e0
[ 22.858184] Call Trace:
[ 22.858788]  ? printk+0x3e/0x46
[ 22.859463]  genl_family_rcv_msg+0x378/0x3c0
[ 22.860302]  genl_rcv_msg+0x47/0x90
[ 22.861032]  ? genl_family_rcv_msg+0x3c0/0x3c0
[ 22.861860]  netlink_rcv_skb+0x7a/0x100
[ 22.862613]  genl_rcv+0x23/0x40
[ 22.863281]  netlink_unicast+0x164/0x200
[ 22.864047]  netlink_sendmsg+0x28e/0x380
[ 22.864812]  sock_sendmsg+0x33/0x40
[ 22.865516]  ___sys_sendmsg+0x251/0x2a0
[ 22.867221]  ? remove_wait_queue+0x48/0x50
[ 22.868264]  ? __wake_up+0x3f/0x50
[ 22.869173]  ? tty_write_unlock+0x2c/0x30
[ 22.870159]  ? tty_ldisc_deref+0x11/0x20
[ 22.871136]  ? process_echoes+0x60/0x60
[ 22.872084]  __sys_sendmsg+0x40/0x70
[ 22.873067]  ? __sys_sendmsg+0x40/0x70
[ 22.874096]  SyS_sendmsg+0xd/0x20
[ 22.874889]  entry_SYSCALL_64_fastpath+0x1a/0xa5
[ 22.875736] RIP: 0033:0x7eff01707547
[ 22.876457] RSP: 002b:00007fff7efa6e28 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 22.877901] RAX: ffffffffffffffda RBX: 00000000004008e6 RCX: 00007eff01707547
[ 22.879056] RDX: 0000000000000000 RSI: 00007fff7efa6e50 RDI: 0000000000000003
[ 22.880190] RBP: 00007fff7efa6d40 R08: 0000000000000000 R09: 0000000000000000
[ 22.881484] R10: 0000000000000003 R11: 0000000000000246 R12: 00007fff7efa6d50
[ 22.882710] R13: 0000000000000003 R14: 00007eff019ce700 R15: 0000000000000064
[ 22.883885] Code: e9 04 e8 22 b6 aa ff 48 c7 c7 d8 79 2b 89 89 c3 89 c6 e8 4e
[ 22.886961] RIP: nl80211_set_rekey_data+0xb2/0x1d0 RSP: ffffafa800b7fab8
[ 22.888054] CR2: 0000000000000000
[ 22.888888] ---[ end trace 8c1ee6a48df7edf4 ]---

Best regards,
Vladis Dronov | Red Hat, Inc. | Product Security Engineer
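The bug class behind this advisory, as an added userspace model (editor's example, not kernel code and not the reporter's PoC): a netlink-style attribute parser fills a table indexed by attribute type, leaving the slot NULL for every attribute the request did not carry, and the handler then dereferences the slot. The attribute ids (REKEY_KEK, REKEY_KCK, REKEY_REPLAY_CTR), their lengths and the handler names are assumptions chosen to mirror the nested rekey attributes; the sample request bytes are constructed inline. The unchecked handler shows the vulnerable shape, the checked handler the presence-then-length-then-use order that the fix restores.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed attribute ids and sizes, modelled on the nested rekey attributes. */
enum { REKEY_KEK = 1, REKEY_KCK = 2, REKEY_REPLAY_CTR = 3, REKEY_MAX = 3 };
#define KEK_LEN        16
#define KCK_LEN        16
#define REPLAY_CTR_LEN 8

struct attr_hdr { uint16_t len; uint16_t type; };   /* same shape as struct nlattr */
#define ATTR_HDRLEN   sizeof(struct attr_hdr)
#define ATTR_ALIGN(n) (((n) + 3u) & ~3u)

struct rekey_data {
    uint8_t kek[KEK_LEN];
    uint8_t kck[KCK_LEN];
    uint8_t replay_ctr[REPLAY_CTR_LEN];
};

/* Payload length of one attribute; like nla_len(), it faults on a NULL slot. */
static size_t attr_payload_len(const uint8_t *a)
{
    struct attr_hdr h;
    memcpy(&h, a, ATTR_HDRLEN);
    return h.len - ATTR_HDRLEN;
}

static const uint8_t *attr_data(const uint8_t *a) { return a + ATTR_HDRLEN; }

/* Walk the buffer and record the last attribute seen for each type in tb[].
 * Types that never appear stay NULL: that is the state a handler must test for. */
static int attr_parse(const uint8_t *buf, size_t buflen, const uint8_t *tb[], int maxtype)
{
    size_t off = 0;
    memset(tb, 0, sizeof(tb[0]) * (size_t)(maxtype + 1));
    while (off + ATTR_HDRLEN <= buflen) {
        struct attr_hdr h;
        memcpy(&h, buf + off, ATTR_HDRLEN);
        if (h.len < ATTR_HDRLEN || off + h.len > buflen)
            return -EINVAL;                 /* truncated or malformed attribute */
        if (h.type <= maxtype)
            tb[h.type] = buf + off;         /* unknown types are ignored */
        off += ATTR_ALIGN(h.len);
    }
    return 0;
}

/* Vulnerable shape: uses every expected attribute without checking it arrived.
 * A request that omits REPLAY_CTR dereferences NULL on the last memcpy. */
static int rekey_set_unchecked(const uint8_t *msg, size_t len, struct rekey_data *out)
{
    const uint8_t *tb[REKEY_MAX + 1];
    int err = attr_parse(msg, len, tb, REKEY_MAX);
    if (err)
        return err;
    memcpy(out->kek, attr_data(tb[REKEY_KEK]), KEK_LEN);
    memcpy(out->kck, attr_data(tb[REKEY_KCK]), KCK_LEN);
    memcpy(out->replay_ctr, attr_data(tb[REKEY_REPLAY_CTR]), REPLAY_CTR_LEN);
    return 0;
}

/* Hardened shape: presence first, then length, then use. */
static int rekey_set_checked(const uint8_t *msg, size_t len, struct rekey_data *out)
{
    const uint8_t *tb[REKEY_MAX + 1];
    int err = attr_parse(msg, len, tb, REKEY_MAX);
    if (err)
        return err;
    if (!tb[REKEY_KEK] || !tb[REKEY_KCK] || !tb[REKEY_REPLAY_CTR])
        return -EINVAL;                     /* required attribute missing */
    if (attr_payload_len(tb[REKEY_KEK]) != KEK_LEN ||
        attr_payload_len(tb[REKEY_KCK]) != KCK_LEN ||
        attr_payload_len(tb[REKEY_REPLAY_CTR]) != REPLAY_CTR_LEN)
        return -ERANGE;                     /* wrong attribute size */
    memcpy(out->kek, attr_data(tb[REKEY_KEK]), KEK_LEN);
    memcpy(out->kck, attr_data(tb[REKEY_KCK]), KCK_LEN);
    memcpy(out->replay_ctr, attr_data(tb[REKEY_REPLAY_CTR]), REPLAY_CTR_LEN);
    return 0;
}

/* Append one attribute, padding its payload to a 4-byte boundary. */
static size_t attr_put(uint8_t *buf, size_t off, uint16_t type, const uint8_t *data, uint16_t dlen)
{
    struct attr_hdr h = { (uint16_t)(ATTR_HDRLEN + dlen), type };
    memcpy(buf + off, &h, ATTR_HDRLEN);
    memcpy(buf + off + ATTR_HDRLEN, data, dlen);
    return off + ATTR_ALIGN(h.len);
}

/* Constructed request: KEK and KCK always present, REPLAY_CTR optional. */
static size_t build_request(uint8_t *buf, size_t cap, int with_replay_ctr)
{
    uint8_t kek[KEK_LEN], kck[KCK_LEN], ctr[REPLAY_CTR_LEN];
    size_t off = 0;
    for (int i = 0; i < KEK_LEN; i++) { kek[i] = (uint8_t)(0x10 + i); kck[i] = (uint8_t)(0x20 + i); }
    for (int i = 0; i < REPLAY_CTR_LEN; i++) ctr[i] = (uint8_t)i;
    memset(buf, 0, cap);
    off = attr_put(buf, off, REKEY_KEK, kek, KEK_LEN);
    off = attr_put(buf, off, REKEY_KCK, kck, KCK_LEN);
    if (with_replay_ctr)
        off = attr_put(buf, off, REKEY_REPLAY_CTR, ctr, REPLAY_CTR_LEN);
    return off;
}

/* Complete request: both handlers accept it and copy the same replay counter. */
int demo_complete_request(void)
{
    uint8_t buf[128];
    struct rekey_data a, b;
    size_t n = build_request(buf, sizeof buf, 1);
    if (rekey_set_unchecked(buf, n, &a) || rekey_set_checked(buf, n, &b))
        return -1;
    return (memcmp(a.replay_ctr, b.replay_ctr, REPLAY_CTR_LEN) == 0 && b.replay_ctr[7] == 7) ? 0 : -2;
}

/* Request without REPLAY_CTR: the checked handler rejects it with -EINVAL.
 * The unchecked handler would fault on tb[REKEY_REPLAY_CTR] == NULL, so it is
 * deliberately not called with this input. */
int demo_missing_attribute(void)
{
    uint8_t buf[128];
    struct rekey_data rd;
    size_t n = build_request(buf, sizeof buf, 0);
    return rekey_set_checked(buf, n, &rd);
}

int main(void)
{
    printf("complete request:  %d\n", demo_complete_request());
    printf("missing attribute: %d (-EINVAL is %d)\n", demo_missing_attribute(), -EINVAL);
    return 0;
}
```

The parser's own -EINVAL on truncated input is the other half of the picture: netlink policy validation guards the attributes that do arrive, but only the handler can decide that an attribute is mandatory, which is why the advisory's fix is a presence check in the handler rather than a policy change.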
Current thread:
- CVE-2017-12153 Linux kernel: nl80211: null pointer dereference in nl80211_set_rekey_data() Vladis Dronov (Sep 13)