[prev in list] [next in list] [prev in thread] [next in thread]
List: oss-security
Subject: [oss-security] Linux lp.c Out-of-Bounds Write via Kernel Command-line (CVE-2017-1000363)
From: Roee Hay <roeehay () gmail ! com>
Date: 2017-05-23 18:46:45
Message-ID: CAA4i3gZUAwBc_ieNHF5qJOiQWBmmqxuqwQLthWj1aa8BkDRWkw () mail ! gmail ! com
[Download RAW message or body]
Details
=======
Due to a missing bounds check in the lp driver, and the fact that
parport_ptr integer is static, a kernel command-line adversary (can happen
due to bootloader vulnerabilities in Secure Boot environments, e.g. Nexus
6's CVE-2016-10277) can overflow the parport_nr array in the following
code, by appending many (>LP_NO) lp=none arguments to the command line.
CONFIG_PRINTER=y is required.
static int parport_nr[LP_NO] = { [0 ... LP_NO-1] = LP_PARPORT_UNSPEC };
static char *parport[LP_NO];
[...]
#ifndef MODULE
static int __init lp_setup (char *str)
{
static int parport_ptr;
[...]
} else if (!strncmp(str, "parport", 7)) {
int n = simple_strtoul(str+7, NULL, 10);
if (parport_ptr < LP_NO)
parport_nr[parport_ptr++] = n;
else
printk(KERN_INFO "lp: too many ports, %s ignored.\n",
str);
} else if (!strcmp(str, "auto")) {
parport_nr[0] = LP_PARPORT_AUTO;
} else if (!strcmp(str, "none")) {
parport_nr[parport_ptr++] = LP_PARPORT_NONE;
[...]
#endif
[...]
__setup("lp=", lp_setup);
Vulnerable:
=======
Linux 4.x (4.12-rc1 and below)
Linux 3.x
Linux 2.6.x
Linux 2.4.x
Linux 2.2.x
Patch:
======
https://github.com/torvalds/linux/commit/3e21f4af170bebf47c187c1ff8bf155583c9f3b1
Timeline:
=========
23-May-17: Public disclosure.
22-May-17: Patch available (Linux mainline 4.12-rc2).
17-May-17: CVE-2017-1000363 assigned by Kurt Seifried, Red Hat Product
Security.
16-May-17: Patch available (Linux Char/Misc drivers development tree).
16-May-17: Reported.
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic