
List:       oss-security
Subject:    Re: [oss-security] Linux Kernel: out of bounds array access in dm-ioctl.c
From:       John Haxby <john.haxby () oracle ! com>
Date:       2021-03-29 12:57:46
Message-ID: 6C2649B1-621E-40B3-A9CD-7252FC4FBA66 () oracle ! com

> On 28 Mar 2021, at 04:47, - Nop <nopitydays@gmail.com> wrote:
> 
> Hi,
> 
> We found an out-of-bounds array access bug in drivers/md/dm-ioctl.c, and
> reproduced it in the latest kernel (v5.11.10).
> 
> The root cause of this bug is:
> 
> The field "data_size" in function ctl_ioctl is fully controlled by users
> and this argument controls the size of kvmalloc in function copy_params.
> 
> When data_size is in the range [0x131, 0x138], the allocated memory
> pointed to by the variable "param" used in the ioctl
> "DM_LIST_DEVICES_CMD" is too small, causing an OOB bug at the line "nl->dev =
> 0; /* Flags no data */" (
> https://github.com/torvalds/linux/blob/0d02ec6b3136c73c09e7859f0d0e4e2c4c07b49b/drivers/md/dm-ioctl.c#L538
>  )
> 

DM_LIST_DEVICES_CMD, and in fact, any function called from ctl_ioctl is limited to users with
CAP_SYS_ADMIN.  Without that root-equivalent privilege I don't see any way to exploit this bug.
Did you find a way to exploit it as an unprivileged user?

jch

> Attached are the PoC, kernel config and kernel report.
> 
> The patch:
> https://github.com/torvalds/linux/commit/4edbe1d7bcffcd6269f3b5eb63f710393ff2ec7a
> * Grab our output buffer.
> */
> nl = orig_nl = get_result_buffer(param, param_size, &len);
> -    if (len < needed) {
> +    if (len < needed || len < sizeof(nl->dev)) {
> param->flags |= DM_BUFFER_FULL_FLAG;
> goto out;
> }
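Review bot: the quoted hunk is missing its `@@` header and the opening `/*` of the "Grab our output buffer" comment (the quote begins at `* Grab our output buffer.`), so it cannot be applied as pasted; quote the hunk from commit 4edbe1d7bcffcd6269f3b5eb63f710393ff2ec7a in full. On the logic, the old guard `if (len < needed)` passes when both `len` and `needed` are 0, and the new `|| len < sizeof(nl->dev)` closes exactly that gap by guaranteeing room for the 8-byte `nl->dev`, which is the write the report names (`nl->dev = 0; /* Flags no data */`); it does not guarantee room for a full `struct dm_name_list`, so every larger write still relies on `needed` being computed correctly.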
> 
> Regards,
> Bodong Zhao of NISL lab, Tsinghua University
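The sizing arithmetic behind the report, as a userspace model added here for this page: it is not the kernel's code and not the reporter's PoC. It copies the `struct dm_ioctl` layout from the UAPI header (from memory, so that offsetof(data) is 0x131 and sizeof is 0x138), assumes the buffer is 8-byte aligned as kvmalloc() and malloc() both give, and models only the no-devices case in which `needed` is 0 and the single write is `nl->dev = 0`. The function and enum names other than `get_result_buffer` and `struct dm_name_list` are the model's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/*
 * Userspace model of the result-buffer sizing in drivers/md/dm-ioctl.c.
 * Illustrative code written for this page, not the kernel's code and not
 * the reporter's PoC.  The struct layout follows the UAPI struct dm_ioctl
 * from memory so the sizes line up with the report:
 * offsetof(data) == 0x131, sizeof == 0x138.
 */
#define DM_NAME_LEN 128
#define DM_UUID_LEN 129
#define DM_BUFFER_FULL_FLAG (1u << 8) /* same name as the UAPI flag; value only matters inside this model */

struct dm_ioctl {
    uint32_t version[3];
    uint32_t data_size;     /* user-controlled: size of this whole buffer */
    uint32_t data_start;    /* offset of the result area, set by the kernel */
    uint32_t target_count;
    int32_t  open_count;
    uint32_t flags;
    uint32_t event_nr;
    uint32_t padding;
    uint64_t dev;
    char name[DM_NAME_LEN];
    char uuid[DM_UUID_LEN];
    char data[7];
};

/* One entry of the DM_LIST_DEVICES_CMD result. */
struct dm_name_list {
    uint64_t dev;
    uint32_t next;
    char name[];
};

enum outcome { LIST_OK, LIST_BUFFER_FULL, LIST_OOB_WRITE, LIST_BAD_SIZE };

/*
 * Model of get_result_buffer(): the result area begins at the first
 * 8-byte-aligned offset after the header, and *len is whatever remains
 * of the user-sized allocation.  For data_size <= 0x138 that remainder
 * is zero.
 */
static void *get_result_buffer(struct dm_ioctl *param, size_t param_size, size_t *len)
{
    size_t start = (sizeof(*param) + 7) & ~(size_t)7;

    param->data_start = (uint32_t)start;
    *len = start < param_size ? param_size - start : 0;
    return (char *)param + start;
}

/*
 * Model of list_devices() in the case the report triggers: no devices are
 * registered, so needed == 0 and the only write is the "no data" marker
 * nl->dev = 0.  fixed == 0 uses the pre-patch check, fixed == 1 the check
 * from the patch quoted in the thread.
 */
static enum outcome list_devices_model(struct dm_ioctl *param, size_t param_size, int fixed)
{
    size_t len, needed = 0;
    struct dm_name_list *nl = get_result_buffer(param, param_size, &len);
    int too_small = fixed ? (len < needed || len < sizeof(nl->dev))
                          : (len < needed);

    if (too_small) {
        param->flags |= DM_BUFFER_FULL_FLAG;
        return LIST_BUFFER_FULL;
    }
    /* The model refuses to corrupt memory: report where the kernel would write past the end. */
    if ((size_t)param->data_start + sizeof(nl->dev) > param_size)
        return LIST_OOB_WRITE;
    nl->dev = 0;            /* flags "no data" */
    return LIST_OK;
}

/*
 * Allocate exactly data_size bytes, as copy_params() does, and run the
 * model.  Sizes below offsetof(struct dm_ioctl, data) are rejected, which
 * is why the reported range starts at 0x131.
 */
static enum outcome probe(size_t data_size, int fixed)
{
    enum outcome r;
    struct dm_ioctl *param;

    if (data_size < offsetof(struct dm_ioctl, data))
        return LIST_BAD_SIZE;
    param = calloc(1, data_size);
    if (!param)
        return LIST_BAD_SIZE;
    param->data_size = (uint32_t)data_size;
    r = list_devices_model(param, data_size, fixed);
    free(param);
    return r;
}

int main(void)
{
    static const char *names[] = { "ok", "buffer-full", "OOB write", "bad size" };
    size_t sizes[] = { 0x131, 0x138, 0x139, 0x140 };
    size_t i;

    for (i = 0; i < sizeof(sizes) / sizeof(sizes[0]); i++)
        printf("data_size=0x%zx  pre-patch: %-11s  patched: %s\n", sizes[i],
               names[probe(sizes[i], 0)], names[probe(sizes[i], 1)]);
    return 0;
}
```

The table the model prints makes the report's range concrete: for every data_size from 0x131 to 0x138 the result area starts at offset 0x138 and `len` is 0, so `len < needed` with `needed == 0` is false and the 8-byte write of `nl->dev` lands past the allocation, while the patched check turns the same inputs into DM_BUFFER_FULL_FLAG. The model also shows the patched check catching any size that leaves fewer than 8 bytes after `data_start`, which follows directly from `len < sizeof(nl->dev)`.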

