Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
|
|
|
|
|
|
|
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
|
|
|
|
Become a Partner and License Our Database or Notification Service
|
|
|
|
|
|
|
|
|
|
|
|
|
|
BCM5820 Linux Driver Buffer Overflow May Let Local Users Gain Elevated Privileges
|
|
SecurityTracker Alert ID: 1010575
|
|
SecurityTracker URL: http://securitytracker.com/id?1010575
|
|
CVE Reference: CAN-2004-0619
(Links to External Site)
|
|
OSVDB Reference: 7249
(Links to External Site)
|
Updated: Dec 2 2004
|
Original Entry Date: Jun 24 2004
|
Impact: Denial of service via local system, Execution of arbitrary code via local system, Root access via local system
|
Description: An integer overflow vulnerability was reported in the Broadcom 5820 CryptoNET driver for Linux. A local user may be able to execute arbitrary code on the target system.
Sean reported that the software copies user-supplied data into a buffer that is sized based on a user-supplied value. A local user
can supply the driver with specially crafted data to trigger an integer overflow and cause the system to crash or potentially execute
arbitrary code.
The flaw reportedly resides in the ubsec_keysetup() function in '/drivers/crypto/bcm/pkey.c'.
|
Impact: A local user can cause denial of service conditions on the target system.
A local user may be able to execute arbitrary code with elevated privileges.
|
Solution: No solution was available at the time of this entry.
|
Cause: Boundary error
|
Underlying OS: Linux (Any)
|
Reported By: infamous41md@hotpop.com
|
Message History:
This archive entry has one or more follow-up message(s) listed below.
|
Source Message Contents
|
Date: Wed, 23 Jun 2004 15:20:59 -0400
From: infamous41md@hotpop.com
Subject: Linux Broadcom 5820 Cryptonet Driver Integer Overflow
|
Linux Broadcom 5820 Cryptonet Driver Integer Overflow
-----------------------------------------------------
Overview:
There exists an integer overflow in the cryptonet driver. A user supplied
value is used to size a dynamic buffer, and this buffer is subsequently filled
with user supplied data.
Impact:
Local DOS, and possible code execution depending on the location of the
buffer in slab. The Cryptonet driver is not distributed by default in all
distributions. I found it in the RedHat 8 2.4.20 sources, but not in
Slackware 9. If it is installed, you can find it in
/usr/src/linux/drivers/crypto/bcm/
Details:
The ubsec_ioctl() function is used to setup various operating parameters
for the device driver. One of the commands is used to setup the key being
used for encryption. This occurs in the following code:
/drivers/crypto/bcm/dispatch.c, 196:
case UBSEC_KEY_SETUP_FUNC:
status = ubsec_keysetup(DeviceInfoList[SelectedDevice].Context, (void *)arg);
break;
which calls this function found in /drivers/crypto/bcm/pkey.c, 91:
int ubsec_keysetup(ubsec_DeviceContext_t pContext, ubsec_key_io_t *pKeyIOInfo)
...snip....
1]
copy_from_user( &KeyIOInfoForDSA,pKeyIOInfo, sizeof(KeyIOInfoForDSA));
if((KeyIOInfoForDSA.command == UBSEC_DSA_SIGN) || (KeyIOInfoForDSA.command == UBSEC_DSA_VERIFY)) {
message_alignment = DSA_MESSAGE_ALIGNMENT;
2]
add_dsa_buf_bytes = KeyIOInfoForDSA.key.DSAParams.InputFragments->FragmentLength + DSA_MESSAGE
_ALIGNMENT;
}
.......
3]
pkey_buf = (unsigned char *) kmalloc((4096+add_dsa_buf_bytes),GFP_KERNEL|GFP_ATOMIC);
pCommandContext = (CommandContext_pt)pkey_buf;
kcmd = (ubsec_KeyCommandInfo_pt) &pCommandContext[1];
KeyIOInfo = (ubsec_key_io_pt)&kcmd[1];
KeyLoc = ((unsigned char *)&KeyIOInfo[1]) + message_alignment;
4]
copy_from_user( KeyIOInfo, pKeyIOInfo, sizeof(*KeyIOInfo));
...snip...
The last argument passed to ubsec_keysetup() is the device specific user
supplied argument to ioctl(). It is copied into the KeyIOInfoForDSA
variable at 1], and then used to size the buffer at 2]. Now one of the
things that doesn't make sense to me, is that at 2] when accessing the
just copied in user structure, they are accessing a pointer embedded in
the structure. This pointer would point somewhere into userland, and from
what I have learned so far about kernel programming, that would NOT be a
valid pointer to just dereference? I don't have this hardware, so I
couldn't test this myself, but I was under the impression that code would
fault, or perhaps access some random area of memory? However, proceeding
on regardless, that signed integer value is then added to 4096 at 3] when
used to allocate the buffer. Part of this buffer is then used at 4] when
the same user structure from 1] is copied into an address further into the
allocated buffer. If a properly calculated negative value is used for the
add_dsa_buf_bytes variable, an integer overflow will occur when allocating
the buffer at 3]. The smallest sized buffer that can be allocated via
kmalloc() is 32 on some platforms, and 64 on others. Regardless of this,
it is still possible to overflow the buffer at 4] because of the size of
the structure being copied combined with the fact that we start copying
from buffer base + 24(or greater on certain platforms) bytes into the
allocated buffer. Depending on the location of the allocated buffer in
the cache slab, it may be possible to overwrite slab control structures
and execute arbitrary code. However, it is likely that we will be
overwriting a piece of memory that belongs to someone else, and this may
lead to system instability when that memory is accessed by whomever it
belongs to.
Vendor Status:
The vendor was not contacted.
Thanks:
This bug and several others were found with the advanced, open source
auditing tool grep.
--
-sean
|
|
Go to the Top of This SecurityTracker Archive Page
|
