search

ArashAll / google-security-research

Automatically exported from code.google.com/p/google-security-research
0 stars 0 forks source link

Linux io_submit L2TP sendmsg integer overflow #735

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago 
In certain kernel versions it is possible to use the AIO subsystem (io_submit 
syscall) to pass size values larger than MAX_RW_COUNT to the networking 
subsystem's sendmsg implementation. In the L2TP PPP sendmsg implementation, a 
large size parameter can lead to an integer overflow and kernel heap corruption 
during socket buffer allocation. This could be exploited to allow local 
privilege escalation from an unprivileged user account.

This issue affects 64-bit systems running older branches of the Linux kernel, 
such as version 3.10 and 3.18. More recent major versions aren't affected due 
to refactoring in the AIO subsystem. The attached proof-of-concept trigger has 
been tested on a fully updated Ubuntu 14.04 LTS server. This issue is also 
likely to affect 64-bit Android devices, which typically use branches of 3.10.

The first observation is that an IOCB_CMD_PWRITE of a large length (such as 
0xffffffff) will correctly bound the request iocb's ki_nbytes value to 
MAX_RW_COUNT. However, in the single vector case, if the relevant access_ok 
check passes in aio_setup_single_vector then the iov length will still be large 
(0xffffffff). On 64-bit systems it is possible for access_ok(type, user_ptr, 
0xffffffff) to succeed.

The second observation is that sock_aio_write does not use the iocb for the 
sendmsg size calculation, but instead takes the summation of all input iov 
lengths. Thus calling io_submit with an IOCB_CMD_PWRITE operation on a socket 
will result in a potentially large value being passed to sendmsg.

The third observation is that AF_PPPOX sockets using the PX_PROTO_OL2TP 
protocol has a sendmsg implementation that does not bounds check the incoming 
length parameter (called total_len) before using the value to calculate the 
length of a socket buffer allocation (using sock_wmalloc).

The fourth observation is that the underlying socket buffer allocation routine 
__alloc_skb uses an "unsigned int" for it's size parameter rather than a 
size_t, and that this value can wrap to a small positive value upon alignment 
calculations and internal space overhead calculations. This results in a small 
value being passed to kmalloc for the socket buffer data allocation. Then, the 
size is recalculated using SKB_WITH_OVERHEAD, which effectively re-underflows 
the size calculation to a small negative value (large unsigned value). The 
newly created socket buffer has a small backing data buffer and a large size. 

The proof-of-concept trigger crashes when writing the skb_shared_info structure 
into the end of the socket buffer, which is out-of-bounds. Other corruption may 
also be possible in pppol2tp_sendmsg/l2tp_xmit_skb/ip_output.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

Original issue reported on code.google.com by haw...@google.com on 20 Feb 2016 at 12:55

Attachments:

GoogleCodeExporter commented 8 years ago 
A patch for this issue has been released here: 
https://lkml.org/lkml/2016/2/23/1018

Original comment by haw...@google.com on 24 Feb 2016 at 7:36