ax25_setsockopt function - Integer signedness error - Denial of Service Vulnerability

2009.10.22
Credit: Fedora Team
Risk: Low
Local: Yes
Remote: No
CWE: CWE-189


Ogólna skala CVSS: 4.9/10
Znaczenie: 6.9/10
Łatwość wykorzystania: 3.9/10
Wymagany dostęp: Lokalny
Złożoność ataku: Niska
Autoryzacja: Nie wymagana
Wpływ na poufność: Brak
Wpływ na integralność: Brak
Wpływ na dostępność: Pełny

The 2.6.31.2 changelog contains these two snippets: net ax25: Fix signed comparison in the sockopt handler net: Make the copy length in af_packet sockopt handler unsigned The ax25 flaw looks real, the af_packet one is probably just a bug. I'm assigning CVE-2009-2909 to the ax25 flaw. Here is my analysis, if someone sees an issue with it, please feel free to speak up. ax25 (CVE-2009-2909) http://git.kernel.org/?p=linux/kernel/git/davem/net-2.6.git;a=commit;h=b7058842c940ad2c08dd829b21e5c92ebe3b8758 http://article.gmane.org/gmane.linux.kernel/896907 In the file af_ax25.c there is this bit: case SO_BINDTODEVICE: if (optlen > IFNAMSIZ) optlen=IFNAMSIZ; if (copy_from_user(devname, optval, optlen)) return -EFAULT; If a user can make the value of optlen wrap to a negative number, the check should pass, but the call to copy_from_user has this check in it: BUG_ON((long) n < 0); Where n is optlen. I'm told this will OOPS the kernel. That means that this flaw should only be a DoS. af_packet (No CVE id, just a bug) http://article.gmane.org/gmane.linux.kernel/896917 I don't think the missed check in af_packet.c is an issue. The check if (len < 0) return -EINVAL; Will never fail, but just beneath that bit in the code, you have if (len > sizeof(struct tpacket_stats)) len = sizeof(struct tpacket_stats); and if (len > sizeof(int)) len = sizeof(int); As our error condition would need len to be a negative number, but the sizeof check will cast it as unsigned, these checks would effectively fail, resetting len to something sane. Even then, all that happens with len, is a copy_to_user, which wouldn't hurt the kernel, but could crash the app (which we likely don't care about in this instance). Thanks.

Referencje:

http://article.gmane.org/gmane.linux.kernel/896907
https://www.redhat.com/archives/fedora-package-announce/2009-October/msg00483.html
https://bugzilla.redhat.com/show_bug.cgi?id=528887
http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.31.2
http://secunia.com/advisories/37075
http://marc.info/?l=oss-security&m=125494119617994&w=2
2000
http://git.kernel.org/?p=linux/kernel/git/davem/net-2.6.git;a=commit;h=b7058842c940ad2c08dd829b21e5c92ebe3b8758


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2021, cxsecurity.com

 

Back to Top