[PATCH] nvram: Fix root triggerable integer overflow crash

[PATCH] nvram: Fix root triggerable integer overflow crash

[Michael Buesch]

The following patch fixes a root triggerable integer overflow based kernel crash.

The nvram_write() file operation subtracts the loff_t file offset from NVRAM_BYTES
without checks. This might result in an overflow of the integer. That value
is used for bounds checking of the "count", which is the buffer size to be copied
from userspace to the kernel stack.
So root can render the "count" check useless by overflowing the loff_t offset (which is "i").
copy_from_user() will then copy arbitrary amounts of memory to the kernel stack.


The userspace program to crash the kernel is as follows:
(Be careful when running the testcase. It might trash your NVRAM)

#include <unistd.h>
#include <fcntl.h>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>


#define NVRAM_BYTES	128

int main(void)
{
	ssize_t res;
	int fd;
	char *buf;
	unsigned int bufsize;

	fd = open("/dev/nvram", O_RDWR);
	if (fd < 0) {
		printf("Could not open nvram device\n");
		return 1;
	}
	bufsize = NVRAM_BYTES + 100;
	buf = malloc(bufsize);
	if (!buf) {
		printf("Out of memory\n");
		return 1;
	}
	memset(buf, 0, bufsize);
	res = pwrite(fd, buf, bufsize, NVRAM_BYTES + 1);
	if (res == bufsize)
		printf("NVRAM write succeed\n");
	else
		printf("NVRAM write failed\n");
}


Signed-off-by: Michael Buesch <mb@bu3sch.de>

---

This bug probably is exploitable by overwriting the function return address or something
like that. But let's hope there's no distribution out there with user write permissions
on the /dev/nvram node. So it's probably only exploitable by root.
Comments on the exploitability are welcome. :)


Index: linux-2.6.30/drivers/char/nvram.c
===================================================================
--- linux-2.6.30.orig/drivers/char/nvram.c	2009-07-18 01:29:50.000000000 +0200
+++ linux-2.6.30/drivers/char/nvram.c	2009-07-18 02:47:35.000000000 +0200
@@ -267,6 +267,8 @@
 	unsigned char *tmp;
 	int len;
 
+	if (i >= NVRAM_BYTES)
+		return -EINVAL;
 	len = (NVRAM_BYTES - i) < count ? (NVRAM_BYTES - i) : count;
 	if (copy_from_user(contents, buf, len))
 		return -EFAULT;

-- 
Greetings, Michael.

Re: [PATCH] nvram: Fix root triggerable integer overflow crash

[Henrique de Moraes Holschuh]

On Sat, 18 Jul 2009, Michael Buesch wrote:
> This bug probably is exploitable by overwriting the function return address or something
> like that. But let's hope there's no distribution out there with user write permissions
> on the /dev/nvram node. So it's probably only exploitable by root.

I have seen setups with group-writeable /dev/nvram to support some (old!)
thinkpad utilities.

Even if it cannot be exploited for more than a DoS, IMO that's still bad
enough to warrant fixing this also on stable kernels if they are vulnerable.
So, does the fix also apply to 2.6.27+ ?  If it does, please send it to
stable@kernel.org as well.

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh

Re: [PATCH] nvram: Fix root triggerable integer overflow crash

[Michael Buesch]

On Saturday 18 July 2009 17:09:09 Henrique de Moraes Holschuh wrote:
> On Sat, 18 Jul 2009, Michael Buesch wrote:
> > This bug probably is exploitable by overwriting the function return address or something
> > like that. But let's hope there's no distribution out there with user write permissions
> > on the /dev/nvram node. So it's probably only exploitable by root.
> 
> I have seen setups with group-writeable /dev/nvram to support some (old!)
> thinkpad utilities.

Yes it is  crw-rw---- 1 root root  on Debian.
Are there any setuid programs accessing nvram (like the recent tun/pulseaudio exploit?)

> Even if it cannot be exploited for more than a DoS,

You can randomly overwrite the kernel stack with the data you write to the device.
So I do think it is exploitable, because the char device writer controls the kernel stack completely.
However, I do not have an example exploit.

> IMO that's still bad 
> enough to warrant fixing this also on stable kernels if they are vulnerable.
> So, does the fix also apply to 2.6.27+ ?  If it does, please send it to
> stable@kernel.org as well.

Yeah I forgot to add stable to CC.

-- 
Greetings, Michael.

Re: [PATCH] nvram: Fix root triggerable integer overflow crash

[Henrique de Moraes Holschuh]

On Sat, 18 Jul 2009, Michael Buesch wrote:
> On Saturday 18 July 2009 17:09:09 Henrique de Moraes Holschuh wrote:
> > On Sat, 18 Jul 2009, Michael Buesch wrote:
> > > This bug probably is exploitable by overwriting the function return address or something
> > > like that. But let's hope there's no distribution out there with user write permissions
> > > on the /dev/nvram node. So it's probably only exploitable by root.
> > 
> > I have seen setups with group-writeable /dev/nvram to support some (old!)
> > thinkpad utilities.
> 
> Yes it is  crw-rw---- 1 root root  on Debian.

That is not a problem. "crw-rw---- 1 root nvram", would be.  That becomes a
local privilege escalation right there, if it can be exploited for something
other than DoS (which looks somewhat likely).

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh