Linux Kernel net/ping refcount issue in ping_init_sock() function

2014-04-11 / 2014-04-12
Credit: Xiaoming
Risk: Medium
Local: No
Remote: Yes
CVE: CVE-2014-2851
CWE: N/A


CVSS Base Score: 6.9/10
Impact Subscore: 10/10
Exploitability Subscore: 3.4/10
Exploit range: Local
Attack complexity: Medium
Authentication: No required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

A flaw was found in the way ping_init_sock() function handled group_info struct reference counter. Since group_info refcounter is only incremented but never decremented in this codepath, it could lead to refcounter overflow and possibly to use-after-free issue later. An unprivileged local user could use this flaw to crash the system or, potentially, escalate their privileges on the system. Upstream patch proposal: https://lkml.org/lkml/2014/4/10/736 References: https://bugzilla.redhat.com/show_bug.cgi?id=1086730 There is a memory leak in ping. Current group_info had been got in ping_init_sock and group_info->usage increased. But the usage hasn't decreased anywhere in ping. This will make this group_info never freed and cause memory leak. unreferenced object 0xcd0e8840 (size 192): comm "dumpstate", pid 7583, jiffies 78360 (age 91.810s) hex dump (first 32 bytes): 02 00 00 00 06 00 00 00 01 00 00 00 ef 03 00 00 ................ f1 03 00 00 f7 03 00 00 04 04 00 00 bb 0b 00 00 ................ backtrace: [<c1a6bbfc>] kmemleak_alloc+0x3c/0xa0 [<c1320457>] __kmalloc+0xe7/0x1d0 [<c1267c04>] groups_alloc+0x34/0xb0 [<c1267e5c>] SyS_setgroups+0x3c/0xf0 [<c1a864a8>] syscall_call+0x7/0xb [<ffffffff>] 0xffffffff Signed-off-by: Chuansheng Liu <chuansheng.liu@intel.com> Signed-off-by: Zhang Dongxing <dongxing.zhang@intel.com> Signed-off-by: xiaoming wang <xiaoming.wang@intel.com> --- net/ipv4/ping.c | 11 ++++++++--- 1 files changed, 8 insertions(+), 3 deletions(-) diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c index f4b19e5..2af7b1f 100644 --- a/net/ipv4/ping.c +++ b/net/ipv4/ping.c @@ -255,23 +255,28 @@ int ping_init_sock(struct sock *sk) struct group_info *group_info = get_current_groups(); int i, j, count = group_info->ngroups; kgid_t low, high; + int ret = 0; inet_get_ping_group_range_net(net, &low, &high); if (gid_lte(low, group) && gid_lte(group, high)) - return 0; + goto out_release_group; for (i = 0; i < group_info->nblocks; i++) { int cp_count = min_t(int, NGROUPS_PER_BLOCK, count); for (j = 0; j < cp_count; j++) { kgid_t gid = group_info->blocks[i][j]; if (gid_lte(low, gid) && gid_lte(gid, high)) - return 0; + goto out_release_group; } count -= cp_count; } - return -EACCES; + ret = -EACCES; + +out_release_group: + put_group_info(group_info); + return ret; } EXPORT_SYMBOL_GPL(ping_init_sock); -- 1.7.1

References:

https://lkml.org/lkml/2014/4/10/736
https://bugzilla.redhat.com/show_bug.cgi?id=1086730


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top