[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    [oss-security] Linux lp.c Out-of-Bounds Write via Kernel Command-line (CVE-2017-1000363)
From:       Roee Hay <roeehay () gmail ! com>
Date:       2017-05-23 18:46:45
Message-ID: CAA4i3gZUAwBc_ieNHF5qJOiQWBmmqxuqwQLthWj1aa8BkDRWkw () mail ! gmail ! com
[Download RAW message or body]


Details
=======
Due to a missing bounds check in the lp driver, and the fact that
parport_ptr integer is static, a kernel command-line adversary (can happen
due to bootloader vulnerabilities in Secure Boot environments, e.g. Nexus
6's CVE-2016-10277) can overflow the parport_nr array in the following
code, by appending many (>LP_NO) lp=none arguments to the command line.
CONFIG_PRINTER=y is required.

static int parport_nr[LP_NO] = { [0 ... LP_NO-1] = LP_PARPORT_UNSPEC };
static char *parport[LP_NO];
[...]
#ifndef MODULE
static int __init lp_setup (char *str)
{
static int parport_ptr;
[...]
} else if (!strncmp(str, "parport", 7)) {
    int n = simple_strtoul(str+7, NULL, 10);
    if (parport_ptr < LP_NO)
        parport_nr[parport_ptr++] = n;
    else
        printk(KERN_INFO "lp: too many ports, %s ignored.\n",
               str);
} else if (!strcmp(str, "auto")) {
    parport_nr[0] = LP_PARPORT_AUTO;
} else if (!strcmp(str, "none")) {
    parport_nr[parport_ptr++] = LP_PARPORT_NONE;
[...]
#endif
[...]
__setup("lp=", lp_setup);


Vulnerable:
=======
Linux 4.x (4.12-rc1 and below)
Linux 3.x
Linux 2.6.x
Linux 2.4.x
Linux 2.2.x

Patch:
======
https://github.com/torvalds/linux/commit/3e21f4af170bebf47c187c1ff8bf155583c9f3b1


Timeline:
=========
23-May-17: Public disclosure.
22-May-17: Patch available (Linux mainline 4.12-rc2).
17-May-17: CVE-2017-1000363 assigned by Kurt Seifried, Red Hat Product
Security.
16-May-17: Patch available (Linux Char/Misc drivers development tree).
16-May-17: Reported.


[prev in list] [next in list] [prev in thread] [next in thread]