Lexa Software: Security-Alerts@yandex-team.ru archive

		Apache-Talk @lexa.ru
		Inet-Admins @info.east.ru
		Filmscanners @halftone.co.uk
		Security-alerts @yandex-team.ru
		nginx-ru @sysoev.ru

СТАТЬИ

ПЕРСОНАЛЬНОЕ

ПРОГРАММЫ

ПИШИТЕ
ПИСЬМА

АРХИВ :: Security-alerts

Security-Alerts mailing list archive (security-alerts@yandex-team.ru)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[security-alerts] FW: Linux kernel vmsplice unchecked user-pointer dereference

To: "security-alerts@xxxxxxxxxxxxxx" <security-alerts@xxxxxxxxxxxxxx>
Subject: [security-alerts] FW: Linux kernel vmsplice unchecked user-pointer dereference
From: "Kazennov, Vladimir" <Vladimir.Kazennov@xxxxxxxxxx>
Date: Tue, 12 Feb 2008 13:09:21 +0300
Accept-language: ru-RU, en-US
Acceptlanguage: ru-RU, en-US
Content-language: ru-RU
List-archive: <http://www.lexa.ru/security-alerts/> (Web Archive)
List-id: <security-alerts.yandex-team.ru>
List-subscribe: <mailto:majordomo@yandex-team.ru?body=subscribe%20security-alerts>
List-unsubscribe: <mailto:majordomo@yandex-team.ru?body=unsubscribe%20security-alerts>
Thread-index: AchtTR+aCvFYbtloQdS/fixHTp31LgAEi1aA
Thread-topic: Linux kernel vmsplice unchecked user-pointer dereference

> -----Original Message-----
> From: full-disclosure-bounces@xxxxxxxxxxxxxxxxx
> [mailto:full-disclosure-bounces@xxxxxxxxxxxxxxxxx] On Behalf
> Of Wojciech Purczynski
> Sent: Tuesday, February 12, 2008 10:51 AM
> To: full-disclosure@xxxxxxxxxxxxxxxxx;
> bugtraq@xxxxxxxxxxxxxxxxx; vulnwatch@xxxxxxxxxxxxx
> Subject: [Full-disclosure] CSA-L03: Linux kernel vmsplice
> unchecked user-pointer dereference
>
> ===[ ABSTRACT
> ]=========================================================
>
> A new vmsplice() system call was introduced in the 2.6.17
> release of the
> Linux kernel. In the 2.6.23 kernel the system call functionality has
> been further extended resulting in two new critical vulnerabilities.
>
>
> ===[ AFFECTED SOFTWARE
> ]================================================
>
> Linux 2.6.23 - 2.6.24
>
> For the exact kernel version please refer to an information
> provided by
> your vendor.
>
>
> ===[ DESCRIPTION
> ]======================================================
>
> VULNERABILITY #1
>
> Inappropriate dereference of user-supplied memory pointers in the
> code beginning at line 1378 in the vmsplice_to_user() kernel
> function (fs/splice.c):
>
> ---8<--- fs/splice.c:1378 ---8<---
>         error = get_user(base, &iov->iov_base);
>         /* ... */
>         if (unlikely(!base)) {
>                 error = -EFAULT;
>                 break;
>         }
>         /* ... */
>         sd.u.userptr = base;
>         /* ... */
>         size = __splice_from_pipe(pipe, &sd, pipe_to_user);
> ---8<--- fs/splice.c:1401 ---8<---
>
> The code lacks validation of these pointers (i.e. with access_ok()).
> The __splice_from_pipe() assumes these are valid user-memory pointers
> and never makes any verification of them. The function
> dereferences the
> pointers with __copy_to_user_inatomic() function (in
> pipe_to_user()) in
> order to write data to user-process memory in this case leading to
> possibility of arbitrary data (read from pipe) to arbitrary kernel
> memory.
>
>
> VULNERABILITY #2
>
> The copy_from_user_mmap_sem() function copies data from user-process
> memory with the use of __copy_from_user_inatomic() without validating
> user-supplied pointer with access_ok():
>
> ---8<--- fs/splice.c:1188 ---8<---
>          partial = __copy_from_user_inatomic(dst, src, n);
> ---8<--- fs/splice.c:1188 ---8<---
>
> This vulnerability leads to indirect reading of arbitrary
> kernel memory.
>
>
> ===[ IMPACT
> ]===========================================================
>
> Vulnerabilities may lead to local system compromise including
> execution
> of arbitrary machine code in the context of running kernel.
>
> Vulnerability #1 has been successfully exploited on Linux 2.6.24.
> Vulnerability #2 not tested.
>
>
> ===[ DISCLOSURE TIMELINE
> ]==============================================
>
> 1st Feb 2008    Vendor notification
> 8th Feb 2008    Public disclosure
>
>
> ===[ AUTHOR
> ]===========================================================
>
> Wojciech Purczynski <cliph@xxxxxxxxxxxxxxxxxxxx>
>
> Wojciech Purczynski is a Security Researcher at Vulnerability Research
> Labs, COSEINC PTE Ltd.
> http://coseinc.com
>
> Wojciech Purczynski is also a member of iSEC Security Research
> http://isec.pl/
>
>
> ===[ LEGAL DISCLAIMER
> ]=================================================
>
> Copyright (c) 2008 Wojciech Purczynski
> Copyright (c) 2008 COSEINC PTE Ltd.
>
> All Rights Reserved.
>
> PUBLISHING, DISTRIBUTING, PRINTING, COPYING, SCANNING, DUPLICATING IN
> ANY FORM, MODIFYING WITHOUT PRIOR WRITTEN PERMISSION IS STRICTLY
> PROHIBITED.
>
> THE DOCUMENT IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. THE
> CONTENT MAY CHANGE WITHOUT NOTICE. IN NO EVENT SHALL THE AUTHORS BE
> LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES, INJURIES,
> LOSSES OR UNLAWFUL OFFENCES.
>
> USE AT YOUR OWN RISK.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

Prev by Date: [security-alerts] FW: [SA28851] Adobe Reader/Acrobat 7 Multiple Vulnerabilities
Next by Date: [security-alerts] FW: [SA28835] Linux Kernel "vmsplice()" System Call Vulnerabilities
Previous by thread: [security-alerts] FW: [SA28851] Adobe Reader/Acrobat 7 Multiple Vulnerabilities
Next by thread: [security-alerts] FW: [SA28835] Linux Kernel "vmsplice()" System Call Vulnerabilities
Index(es):
- Date
- Thread