In certain kernel versions it is possible to use the AIO subsystem (io_submit
syscall) to pass size values larger than MAX_RW_COUNT to the networking
subsystem's sendmsg implementation. In the L2TP PPP sendmsg implementation, a
large size parameter can lead to an integer overflow and kernel heap corruption
during socket buffer allocation. This could be exploited to allow local
privilege escalation from an unprivileged user account.
This issue affects 64-bit systems running older branches of the Linux kernel,
such as version 3.10 and 3.18. More recent major versions aren't affected due
to refactoring in the AIO subsystem. The attached proof-of-concept trigger has
been tested on a fully updated Ubuntu 14.04 LTS server. This issue is also
likely to affect 64-bit Android devices, which typically use branches of 3.10.
The first observation is that an IOCB_CMD_PWRITE of a large length (such as
0xffffffff) will correctly bound the request iocb's ki_nbytes value to
MAX_RW_COUNT. However, in the single vector case, if the relevant access_ok
check passes in aio_setup_single_vector then the iov length will still be large
(0xffffffff). On 64-bit systems it is possible for access_ok(type, user_ptr,
0xffffffff) to succeed.
The second observation is that sock_aio_write does not use the iocb for the
sendmsg size calculation, but instead takes the summation of all input iov
lengths. Thus calling io_submit with an IOCB_CMD_PWRITE operation on a socket
will result in a potentially large value being passed to sendmsg.
The third observation is that AF_PPPOX sockets using the PX_PROTO_OL2TP
protocol has a sendmsg implementation that does not bounds check the incoming
length parameter (called total_len) before using the value to calculate the
length of a socket buffer allocation (using sock_wmalloc).
The fourth observation is that the underlying socket buffer allocation routine
__alloc_skb uses an "unsigned int" for it's size parameter rather than a
size_t, and that this value can wrap to a small positive value upon alignment
calculations and internal space overhead calculations. This results in a small
value being passed to kmalloc for the socket buffer data allocation. Then, the
size is recalculated using SKB_WITH_OVERHEAD, which effectively re-underflows
the size calculation to a small negative value (large unsigned value). The
newly created socket buffer has a small backing data buffer and a large size.
The proof-of-concept trigger crashes when writing the skb_shared_info structure
into the end of the socket buffer, which is out-of-bounds. Other corruption may
also be possible in pppol2tp_sendmsg/l2tp_xmit_skb/ip_output.
This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.
Original issue reported on code.google.com by haw...@google.com on 20 Feb 2016 at 12:55
Original issue reported on code.google.com by
haw...@google.com
on 20 Feb 2016 at 12:55Attachments: