[UNIX] Linux Kernel Vmsplice Unchecked User-Pointer Dereference



The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com



Linux Kernel Vmsplice Unchecked User-Pointer Dereference
------------------------------------------------------------------------


SUMMARY

A new vmsplice() system call was introduced in the 2.6.17 release of the
Linux kernel. In the 2.6.23 kernel the system call's functionality was
further extended, resulting in two new critical vulnerabilities.

DETAILS

Vulnerable Systems:
* Linux version 2.6.23
* Linux version 2.6.24

Vulnerability #1
User-supplied memory pointers are dereferenced without validation in the
code beginning at line 1378 of the vmsplice_to_user() kernel function
(fs/splice.c):

---8<--- fs/splice.c:1378 ---8<---
error = get_user(base, &iov->iov_base);
/* ... */
if (unlikely(!base)) {
error = -EFAULT;
break;
}
/* ... */
sd.u.userptr = base;
/* ... */
size = __splice_from_pipe(pipe, &sd, pipe_to_user);
---8<--- fs/splice.c:1401 ---8<---

The code lacks validation of these pointers (i.e. with access_ok()); the
only check is that the pointer is not NULL. __splice_from_pipe() assumes
they are valid user-memory pointers and never verifies them. It
dereferences the pointers via __copy_to_user_inatomic() (called from
pipe_to_user()) in order to write data to user-process memory, which in
this case allows arbitrary data (read from the pipe) to be written to
arbitrary kernel memory.

Vulnerability #2
The copy_from_user_mmap_sem() function copies data from user-process
memory using __copy_from_user_inatomic() without validating the
user-supplied pointer with access_ok():

---8<--- fs/splice.c:1188 ---8<---
partial = __copy_from_user_inatomic(dst, src, n);
---8<--- fs/splice.c:1188 ---8<---

This vulnerability allows indirect reading of arbitrary kernel memory.
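Both vulnerabilities come down to the same missing check, so as an added example (not part of the advisory or the kernel source) here is a userland model in C contrasting the NULL-only test that vmsplice_to_user() performs with an access_ok()-style range check over the whole [base, base+len) span. The 32-bit address model, the 0xC0000000 user/kernel split, the sample iovecs and all function names are constructed assumptions; the wrap-around case goes slightly beyond what the advisory text describes.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed userland model of the check the advisory says is missing.
 * Addresses are modelled as 32-bit and the user/kernel split as the classic
 * x86 TASK_SIZE of 0xC0000000. This is illustration, not kernel code. */
#define MODEL_TASK_SIZE 0xC0000000u

/* The test vmsplice_to_user() actually performs: only NULL is rejected.
 * Returns 1 if the pointer would be accepted. */
static int null_only_check(uint32_t base)
{
    return base != 0;
}

/* Range check modelled on access_ok(): the whole span [base, base+len) must
 * lie at or below TASK_SIZE and the end address must not wrap around.
 * Returns 1 if the span is entirely within user space. */
static int range_check(uint32_t base, uint32_t len)
{
    uint32_t end = base + len;      /* 32-bit arithmetic may wrap */
    if (end < base)                 /* wrapped: span runs past 2^32 */
        return 0;
    return end <= MODEL_TASK_SIZE;
}

/* Counts how many constructed sample iovecs the NULL-only test accepts but
 * the range check rejects, i.e. kernel-range spans that slip through. */
static int count_kernel_spans_passing_null_check(void)
{
    static const uint32_t samples[][2] = {   /* constructed (base, len) */
        { 0x00000000u, 4096u },  /* NULL: rejected by the NULL-only test */
        { 0x08048000u, 4096u },  /* ordinary user address: both accept */
        { 0xBFFFF000u, 4096u },  /* ends exactly at TASK_SIZE: both accept */
        { 0xBFFFF000u, 8192u },  /* straddles the boundary: only NULL test accepts */
        { 0xC0100000u, 4096u },  /* kernel range: only NULL test accepts */
        { 0xFFFFF000u, 8192u },  /* wraps past 2^32: only NULL test accepts */
    };
    int n = sizeof samples / sizeof samples[0], i, leaked = 0;
    for (i = 0; i < n; i++) {
        uint32_t base = samples[i][0], len = samples[i][1];
        int weak = null_only_check(base), strict = range_check(base, len);
        printf("%#010x+%-5u null-only:%d access_ok-style:%d\n", base, len, weak, strict);
        if (weak && !strict)
            leaked++;
    }
    return leaked;                  /* 3 for the samples above */
}

int main(void) { return count_kernel_spans_passing_null_check() == 3 ? 0 : 1; }
```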


Impact:
These vulnerabilities may lead to local system compromise, including
execution of arbitrary machine code in the context of the running kernel.

Vulnerability #1 has been successfully exploited on Linux 2.6.24.
Vulnerability #2 was not tested.

Disclosure Timeline:
1st Feb 2008 - Vendor notification
8th Feb 2008 - Public disclosure


ADDITIONAL INFORMATION

The information has been provided by <mailto:cliph@xxxxxxxxxxxxxxxxxxxx>
Wojciech Purczynski.


