List:       oss-security
Subject:    [oss-security] Linux kernel: isdn: cpai: array-index-out-of-bounds in detach_capi_ctr in drivers/isd
From:       butt3rflyh4ck <butterflyhuangxx () gmail ! com>
Date:       2021-10-19 15:21:52
Message-ID: CAFcO6XNFySfp80uRssnz5jhgndpCvmgNbSE88ttMhXdZzqcfhw () mail ! gmail ! com

Hi, there is an array-index-out-of-bounds bug in detach_capi_ctr in
drivers/isdn/capi/kcapi.c, and I reproduced it on 5.15.0-rc2+.

#Root Cause
We can call the CMTPCONNADD ioctl, which invokes
do_cmtp_sock_ioctl(), which in turn calls cmtp_add_connection().
The call chain is as follows:
ioctl(CMTPCONNADD)
   ->cmtp_sock_ioctl()
         -->do_cmtp_sock_ioctl()
            --->cmtp_add_connection()
                ---->kthread_run()
                ---->cmtp_attach_device()
The function adds a cmtp session to a controller.

The cmtp_add_connection() would add a cmtp session to a controller
and run a kernel thread to process cmtp.

        __module_get(THIS_MODULE);
        session->task = kthread_run(cmtp_session, session, "kcmtpd_ctr_%d",
                                                                session->num);

During this process, the kernel thread would call detach_capi_ctr()
to detach a registered controller. If the controller
was not attached yet, detach_capi_ctr() would
trigger an array-index-out-of-bounds bug.


#Analysis
https://lore.kernel.org/netdev/CAFcO6XOvGQrRTaTkaJ0p3zR7y7nrAWD79r48=L_BbOyrK9X-vA@mail.gmail.com/


#patch
The patch is available upstream now.
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=1f3e2e97c003f80c4b087092b225c8787ff91e4d


#Timeline
*2021/9/24 - Vulnerability reported to netdev@vger.kernel.org.
*2021/9/24 - Vulnerability confirmed.
*2021/10/8 - Vulnerability patched.
*2021/10/9 - Vulnerability reported to secalert@redhat.com and confirmed.
*2021/10/19 - Opened on oss-security@lists.openwall.com.

#Credit
Active Defense Lab of Venustech.


Regards,
 butt3rflyh4ck.

--
Active Defense Lab of Venustech
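As an added illustration (a constructed model, not the kernel's kcapi.c and not the upstream fix), the snippet below shows a small controller table whose detach path validates the 1-based controller number and the attached state before indexing the array, which is the scenario the report describes: detaching a controller that was never attached. The names attach_ctr, detach_ctr, slot_in_use and MAX_CONTR are invented for this example.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>

/* Constructed model of a controller table (not the kernel's kcapi.c).
 * Controllers are numbered from 1 (cnr); ctrs[cnr - 1] holds the pointer.
 * A controller that was never attached keeps cnr == 0. */
#define MAX_CONTR 4

struct ctr {
    unsigned int cnr;   /* 1-based controller number, 0 = never attached */
    bool attached;
};

static struct ctr *ctrs[MAX_CONTR];

/* Register a controller in the first free slot; -ENOSPC when the table is full. */
int attach_ctr(struct ctr *c)
{
    for (unsigned int i = 0; i < MAX_CONTR; i++) {
        if (ctrs[i] == NULL) {
            ctrs[i] = c;
            c->cnr = i + 1;
            c->attached = true;
            return 0;
        }
    }
    return -ENOSPC;
}

/* Detach with the checks the reported scenario needs: a never-attached
 * controller has cnr == 0, so ctrs[cnr - 1] would index far outside the
 * table (cnr - 1 wraps to UINT_MAX). Validate the number and the state
 * before touching the array and refuse with -EINVAL otherwise. */
int detach_ctr(struct ctr *c)
{
    if (c->cnr < 1 || c->cnr > MAX_CONTR)
        return -EINVAL;                /* never attached or corrupt number */
    if (!c->attached || ctrs[c->cnr - 1] != c)
        return -EINVAL;                /* already detached or slot mismatch */
    ctrs[c->cnr - 1] = NULL;
    c->attached = false;
    return 0;
}

/* Helper for callers and tests: is the slot for this number occupied? */
bool slot_in_use(unsigned int cnr)
{
    return cnr >= 1 && cnr <= MAX_CONTR && ctrs[cnr - 1] != NULL;
}
```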

