[v2.7] XADV-2013008 Linux Kernel 3.11.7 <= sk_attach_filter Kernel Heap Corruption
Vulnerable versions:
- linux kernel 3.11.7 <=
Testbed: ubuntu
Type: Local
Impact: Medium
Vendor: http://www.kernel.org
Author: x90c <geinblues nospam gmail dot com> Site: x90c.org
ABSTRACT:
=The Linux Socket Filtering is derived from the Berkeley Packet Filter.
There are some distinct differences between the BSD and Linux Kernel
Filtering.
Linux Socket Filtering (LSF) allows a user-space program to attach a
filter onto any socket and allow or disallow certain types of data to
come through the socket. LSF follows exactly the same filter code
structure
as the BSD Berkeley Packet Filter (BPF).
The linux kernel has a vulnerability to lead the kernel panic via an
Integer overflow, It occured at sk_attach_filter() in
/net/core/filter.c
the sk_attach_filter.
- References:
[1] https://www.kernel.org/doc/Documentation/networking/filter.txt
[2] http://www.cs.columbia.edu/~nahum/w6998/lectures/vpk-columbia-nsdi-lsf.pdf
DETAILS:
=[~/linux-3.11.7/net/core/filter.c]
——
int sk_attach_filter(struct sock_fprog *fprog, struct sock *sk)
{
struct sk_filter *fp, *old_fp;
// XXX user controllable fprog->len, stored count of filter to
attach.
unsigned int fsize = sizeof(struct sock_filter) * fprog->len;
int err;
if (sock_flag(sk, SOCK_FILTER_LOCKED))
return -EPERM;
/* Make sure new filter is there and in the right amounts. */
if (fprog->filter == NULL)
return -EINVAL;
// XXX Integer overflow (+ sizeof(*fp)) and causing a little
allocation.
fp = sock_kmalloc(sk, fsize+sizeof(*fp), GFP_KERNEL);
if (!fp)
return -ENOMEM;
// XXX kernel heap corruption occured with fsize with larger value.
if (copy_from_user(fpinsns,
fprog>filter, fsize)) {
sock_kfree_s(sk, fp, fsize+sizeof(*fp));
(from redmine: issue id 2384, created on 2013-11-21, closed on 2014-04-17)
- Relations:
- parent #2380 (closed)