Message-ID: <20231105172713.GA21489@openwall.com>
Date: Sun, 5 Nov 2023 18:27:13 +0100
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Cc: Pietro Borrello <borrello@...g.uniroma1.it>
Subject: CVE-2023-1078: Linux: rds_rm_zerocopy_callback() bugs

Hi,

There was a thread on linux-distros in February, where Pietro brought up
multiple Linux kernel issues at once. Some of these were already on
oss-security by the time (as indicated below), four others were brought to
oss-security on March 1st:

https://www.openwall.com/lists/oss-security/2023/03/01/

However, it looks like one CVE corresponding to two bugs was not, so I am
correcting this now. The missed CVE was assigned as follows:

> CVE-2023-1078 - Heap OOB Write in rds_rm_zerocopy_callback()
> patch:
> https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=f753a68980cf4b59a80fe677619da2b1804f526d
>
> CVE-2023-1078 - Resource leak (leading to memory exhaustion) in rds_rm_zerocopy_callback()
> patch:
> https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=68762148d1b011d47bc2ceed7321739b5aea1e63

Ubuntu security advisories describe it as:

> It was discovered that the Reliable Datagram Sockets (RDS) protocol
> implementation in the Linux kernel contained a type confusion vulnerability
> in some situations. An attacker could use this to cause a denial of service
> (system crash). (CVE-2023-1078)

You can see Pietro's own more detailed descriptions of the two bugs by
searching the message below for mentions of rds_rm_zerocopy_callback().

Alexander

----- Forwarded message from Pietro Borrello <borrello@...g.uniroma1.it> -----

From: Pietro Borrello <borrello@...g.uniroma1.it>
Subject: Re: [vs-plain] CVE Request
CC: linux-distros
Date: Wed, 22 Feb 2023 20:13:29 +0100

Attached the more detailed report.
- Type Confusion in hid_validate_values()
  patch: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=b12fece4c64857e5fab4290bf01b2e0317a88456
  oss-security: https://www.openwall.com/lists/oss-security/2023/01/17/3
  attack-type: physical
  impact: memory corruption -> privilege escalation
  details: hid_validate_values fails to properly check the shape of USB
  reports, causing type confusion if a malicious device advertises invalid
  reports. On the default configuration the type confusion results in the
  function failing due to field alignment, but any non-default configuration,
  including structure layout randomization or a different struct field
  layout, would incur memory corruption.

- Type Confusion in bigben_probe()
  patch: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=c7bf714f875531f227f2ef1fdcc8f4d44e7c7d9d
  oss-security: https://www.openwall.com/lists/oss-security/2023/01/17/3
  attack-type: physical
  impact: memory corruption -> privilege escalation
  details: bigben_probe() fails to properly check the shape of USB reports,
  causing type confusion if a malicious device advertises invalid reports. On
  the default configuration the type confusion results in the function
  failing due to field alignment, but any non-default configuration,
  including structure layout randomization or a different struct field
  layout, would incur memory corruption.

- NULL Ptr Deref in hid_betopff_play()
  patch: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=3782c0d6edf658b71354a64d60aa7a296188fc90
  oss-security: https://www.openwall.com/lists/oss-security/2023/01/18/3
  attack-type: physical
  impact: DOS/privilege escalation
  details: betopff_init does not properly check the shape of the USB report,
  causing a NULL ptr dereference in hid_betopff_play() on the default
  configuration. NULL pointer dereferences may be exploited to achieve LPE
  (e.g., see https://googleprojectzero.blogspot.com/2023/01/exploiting-null-dereferences-in-linux.html).
  On a non-default configuration, as the NULL deref is caused by a type
  confusion, a different field layout may cause further memory corruption.

- KASLR Leak in inet_diag_msg_sctpasoc_fill()
  patch: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=458e279f861d3f61796894cd158b780765a1569f
  oss-security: https://www.openwall.com/lists/oss-security/2023/01/23/1
  attack-type: local
  impact: information disclosure
  details: a type confusion in inet_diag_msg_sctpasoc_fill() in
  net/sctp/diag.c uses a type confused pointer to return information to
  userspace when issuing a list_entry() on
  asoc->base.bind_addr.address_list.next when the list is empty. The impact
  of the type confusion is a KASLR leak since the `laddr.v6.sin6_addr` is
  returned from the type confused pointer, which overlaps with
  `struct sctp_endpoint *ep` of the `struct sctp_association`.

- Type Confusion in tls_is_tx_ready()
  patch: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=ffe2a22562444720b05bdfeb999c03e810d84cbb
  attack-type: local
  impact: information disclosure
  details: tls_is_tx_ready() incorrectly checks for list emptiness,
  potentially accessing a type confused entry to the list_head, leaking the
  last byte of the confused field that overlaps with rec->tx_ready.

- Incorrect UID assigned to tun/tap sockets
  patch (tap): https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=66b2c338adce580dfce2199591e65e2bab889cff
  patch (tun): https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=a096ccca6e503a5c575717ff8a36ace27510ab0a
  attack-type: local
  impact: filtering/routing bypass for virtual sockets
  details: tun/tap sockets have their socket UID hardcoded to 0 due to a type
  confusion in their initialization function. While it will often be
  correct, as tuntap devices require CAP_NET_ADMIN, it may not always be the
  case, e.g., a non-root user only having that capability. This would make
  tun/tap sockets be incorrectly treated in filtering/routing decisions,
  possibly bypassing network filters.

- Type confusion in pick_next_rt_entity()
  patch: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=7c4a5b89a0b5a57a64b601775b296abf77a9fe97
  attack-type: local
  impact: memory corruption -> privilege escalation
  details: pick_next_rt_entity() may return a type confused entry, not
  detected by the BUG_ON condition, as the confused entry will not be NULL,
  but list_head. The buggy error condition would lead to a type confused
  entry with the list head, which would then be used as a type confused
  sched_rt_entity, causing memory corruption.

- Heap OOB Write in rds_rm_zerocopy_callback()
  patch: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=f753a68980cf4b59a80fe677619da2b1804f526d
  attack-type: local
  impact: memory corruption -> privilege escalation
  details: The rds_rm_zerocopy_callback() issues a list_entry() on the
  actual head of a list, instead of calling list_first_entry(). This causes
  a type confusion and the `struct rds_msg_zcopy_info *info` actually points
  to `&q->zcookie_head`. In rds_zcookie_add(), `info->zcookies` is used,
  which if type confused overlaps with `spinlock_t lock` in
  `struct rds_msg_zcopy_queue`. The function writes `cookie`, which is
  completely controlled by userspace, to `ck->cookies[ncookies]`. `ncookies`
  is read from `ck->num` which overlaps with the `lock` counter, and is then
  incremented, also corrupting the `lock`. This effectively results in a
  controlled OOB write from `struct rds_msg_zcopy_queue` embedded at the end
  of `struct rds_sock`. The value is completely controlled, while the index
  depends on the `lock` state, being 1 by default, which I suspect can be
  controlled too.

- Type Confusion in sctp_sock_filter()
  *removed from the request as not security relevant in default configurations*

- Resource leak (leading to memory exhaustion) in rds_rm_zerocopy_callback()
  patch: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=68762148d1b011d47bc2ceed7321739b5aea1e63
  attack-type: local
  impact: DOS
  details: rds_rm_zerocopy_callback() uses list_add_tail() with swapped
  arguments. This links the list head with the new entry, losing the
  references to the remaining part of the list, and causing the resource
  leak of the allocated entries. Repeating the leak may cause resource
  exhaustion.

- Use After Free in asus_remove()
  patch: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=4ab3a086d10eeec1424f2e8a968827a6336203df
  attack-type: physical
  impact: memory corruption -> privilege escalation
  details: Similarly to CVE-2023-25012, in asus devices, the work_struct may
  be scheduled by the LED controller while the device is disconnecting,
  triggering a use-after-free on the struct asus_kbd_leds *led structure. A
  malicious USB device may exploit the issue to cause memory corruption with
  controlled data.

- Heap OOB Write in bigben_worker()
  patch: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=b94335f899542a0da5fafc38af8edcaf90195843
  attack-type: local
  impact: memory corruption -> privilege escalation
  details: bigben_probe() does not validate that the output report has the
  needed report values in the first field. A malicious device registering a
  report with one field and a single value causes a heap OOB write in
  bigben_worker() when accessing report_field->value[1] to
  report_field->value[7], with partially user-controlled values.

Best regards,
Pietro Borrello

----- End forwarded message -----
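To make the two rds_rm_zerocopy_callback() bugs from Pietro's report concrete, here is an added C example (not kernel code and not part of the original thread): a userspace model of the intrusive list_head API with simplified stand-in structs, showing that list_entry() on the head itself aliases the queue where list_first_entry() returns the real entry, and that swapped list_add_tail() arguments orphan the entries already queued.

```c
/* Added example, not kernel code: a userspace model of the intrusive list_head
 * API showing the two rds_rm_zerocopy_callback() bugs. Layouts are simplified
 * stand-ins (assumption): link first, lock/cookie field next, as the report says. */
#include <stddef.h>
struct list_head { struct list_head *next, *prev; };
#define container_of(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))
#define list_entry(ptr, type, member) container_of(ptr, type, member)
#define list_first_entry(head, type, member) list_entry((head)->next, type, member)
static void INIT_LIST_HEAD(struct list_head *h) { h->next = h->prev = h; }
/* Kernel argument order: list_add_tail(new_entry, head). */
static void list_add_tail(struct list_head *entry, struct list_head *head)
{
    struct list_head *prev = head->prev;
    prev->next = entry; entry->prev = prev;
    entry->next = head; head->prev = entry;
}
struct zcopy_queue { struct list_head zcookie_head; int lock; };
struct zcopy_info  { struct list_head rs_zcookie_next; int zcookies_num; };
static struct zcopy_queue q;
static struct zcopy_info a, b;
static size_t list_count(const struct list_head *head)
{
    size_t n = 0;
    for (const struct list_head *p = head->next; p != head; p = p->next) n++;
    return n;
}
/* Bug 1: list_entry() on the head itself aliases the queue (so "info->zcookies" is
 * really q->lock); returns 1 if so and list_first_entry() (the fix) gives entry a. */
static int entry_on_head_aliases_queue(void)
{
    INIT_LIST_HEAD(&q.zcookie_head);
    INIT_LIST_HEAD(&a.rs_zcookie_next);
    list_add_tail(&a.rs_zcookie_next, &q.zcookie_head);
    struct zcopy_info *bad  = list_entry(&q.zcookie_head, struct zcopy_info, rs_zcookie_next);
    struct zcopy_info *good = list_first_entry(&q.zcookie_head, struct zcopy_info, rs_zcookie_next);
    return (void *)&bad->zcookies_num == (void *)&q.lock && good == &a;
}
/* Bug 2: list_add_tail() with swapped arguments. Queues a, then b, and returns
 * how many entries stay reachable from the head (2 when correct, 1 when swapped). */
static size_t reachable_after_add(int swapped)
{
    INIT_LIST_HEAD(&q.zcookie_head);
    INIT_LIST_HEAD(&a.rs_zcookie_next);
    INIT_LIST_HEAD(&b.rs_zcookie_next); /* model assumption: links start self-pointing */
    list_add_tail(&a.rs_zcookie_next, &q.zcookie_head);
    if (swapped) list_add_tail(&q.zcookie_head, &b.rs_zcookie_next); /* head, entry: orphans a */
    else         list_add_tail(&b.rs_zcookie_next, &q.zcookie_head);
    return list_count(&q.zcookie_head);
}
```

In the swapped case entry a is still allocated but no longer reachable from the queue head, which is the leak the report describes; the aliasing case is where a write meant for the cookie array lands on the lock.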