[UNIX] Linux Kernel IEEE1394 (Firewire) Driver Integer Overflow Vulnerabilities

From: SecuriTeam (support_at_securiteam.com)
Date: 06/24/04

    To: list@securiteam.com
    Date: 24 Jun 2004 15:38:53 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      Linux Kernel IEEE1394 (Firewire) Driver Integer Overflow Vulnerabilities
    ------------------------------------------------------------------------

    SUMMARY

    IEEE 1394 is a standard for a high-speed serial bus, also known as FireWire
    (Apple) or i.Link (Sony). The driver for this bus is included in all
    standard Linux distributions.

    There are several integer overflows in the memory allocation scheme of the
    IEEE1394 driver. The cause is a request structure, copied into kernel
    memory, that contains a length field which is not properly handled.
    Exploiting this vulnerability can cause a local denial of service and
    possibly code execution.

    DETAILS

    Vulnerable Systems:
     * Linux kernel IEEE 1394 driver versions 2.4 and 2.6

    When the driver's write() method is called, data is copied from user space
    into kernel space. The copied buffer contains a request structure whose
    length field is not properly validated before it is used in a memory
    allocation. Specifically, the length field is added to another member and
    the result of the addition is never checked for overflow. The problematic
    code is in the alloc_hpsb_packet() function.

    Several code paths reach the problematic code. Some are outlined below:

     * Version 2.4:
       raw1394_write() -- raw1394.c:852
       state_connected() -- raw1394.c:806
       handle_remote_request() -- raw1394.c:658
       hpsb_make_writebpacket() -- ieee1394_transactions.c:357
       alloc_hpsb_packet() -- ieee1394_core.c:114

     * Version 2.6:
       raw1394_write() -- raw1394.c:2149
       state_connected() -- raw1394.c:2061
       handle_async_request() -- raw1394.c:620
       hpsb_make_writepacket() -- ieee1394_transactions.c:291
       alloc_hpsb_packet() -- ieee1394_core.c:123

    Depending on the state of the connection and the type of request, the
    problematic code may eventually be executed. An excerpt from the 2.4
    version of the driver code is shown below:
    --------------------------------- Begin Code ---------------------------------
            // data_size is a size_t taken from the user-supplied request structure;
            // the addition below is not checked for overflow
            data = kmalloc(data_size + 8, kmflags);
            if (data == NULL) {
                kmem_cache_free(hpsb_packet_cache, packet);
                return NULL;
            }
            packet->data = data;
            packet->data_size = data_size;
    ---------------------------------- End Code ----------------------------------

    And in the handle_remote_request() function:
    --------------------------------- Begin Code ---------------------------------
            // req->req.length is the same value that was used above to size the buffer
            if (copy_from_user(packet->data, int2ptr(req->req.sendb),
                               req->req.length)) {
                req->req.error = RAW1394_ERROR_MEMFAULT;
            }
    ---------------------------------- End Code ----------------------------------

    The result is that gigabytes of data can be copied into a small buffer,
    which will crash the system. If the buffer lingers in memory, it might also
    be possible to use this as a means to execute code with kernel privileges,
    though that is unlikely.
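    To make the arithmetic concrete, here is an added userspace model of the allocation path above (not code from the advisory or from the kernel): the unchecked size computation from the excerpt beside a hardened version that bounds the user-controlled length before adding the header size. MAX_REQUEST_LEN is an assumed placeholder cap, not the driver's real limit.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed cap on one request payload. The advisory does not state the
 * driver's real limit, so this value is an assumption for the example. */
#define MAX_REQUEST_LEN ((size_t)64 * 1024)

/* Size computation as in the 2.4 excerpt: data_size is a size_t taken from
 * the user-supplied request and the addition is never checked, so a value
 * close to SIZE_MAX wraps around to a tiny allocation. */
size_t alloc_size_unchecked(size_t data_size)
{
    return data_size + 8;
}

/* Hardened computation: bound the user-controlled length before the addition.
 * Returns the allocation size, or 0 (never a valid size here) to reject the
 * request. Because MAX_REQUEST_LEN + 8 fits in size_t, no wrap is possible. */
size_t alloc_size_checked(size_t data_size)
{
    if (data_size > MAX_REQUEST_LEN)
        return 0;
    return data_size + 8;
}

/* Returns 1 when a copy of the original length would write past the buffer
 * sized by the unchecked computation, i.e. the condition the advisory
 * describes; 0 when the copy stays inside the allocation. */
int unchecked_copy_overflows(size_t length)
{
    return length > alloc_size_unchecked(length);
}

/* Same question for the hardened path: a rejected request (size 0) never
 * reaches the copy, and an accepted one always fits. */
int checked_copy_overflows(size_t length)
{
    size_t alloc = alloc_size_checked(length);
    return alloc != 0 && length > alloc;
}
```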

    ADDITIONAL INFORMATION

    The information has been provided by Sean <mailto:infamous41md@hotpop.com>.

