Linux kernel 2.6.36.1 TIPC security issues

2010-12-29 / 2010-12-30
Credit: Dan Rosenberg
Risk: Medium
Local: Yes
Remote: No
CWE: CWE-189


CVSS Base Score: 6.9/10
Impact Subscore: 10/10
Exploitability Subscore: 3.4/10
Exploit range: Local
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

The tipc_msg_build() function in net/tipc/msg.c is written in such a way as to create a highly exploitable kernel heap overflow that would allow a local user to escalate privileges to root by issuing maliciously crafted sendmsg() calls. At a minimum, the following issues should be fixed:

1. The tipc_msg_calc_data_size() function is almost totally broken. It sums together size_t values (iov_lens), but returns an integer. Two things can go wrong: the total value can wrap around, or on 64-bit platforms, iov_len values greater than UINT_MAX will be truncated.

2. The comparison of dsz to TIPC_MAX_USER_MSG_SIZE is signed, so negative (large unsigned) values will pass this check.

3. The comparison of sz to max_size is also signed.

As a result of these issues, it's possible to cause the allocation of a small heap buffer and the subsequent copying of a carefully controlled larger amount of data into that buffer.

I haven't found a Linux distribution that defines a module alias for TIPC (even though most compile it as a module), so an administrator will have had to explicitly load the TIPC module for a system to be vulnerable.

-Dan
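The three defects above are one bug class: a byte count computed and compared in signed int while the inputs are size_t. The following is an added illustration, not code from the kernel or from the advisory; it uses a constructed `struct fake_iov` in place of `struct iovec`, an assumed 24-byte header and an assumed 66000-byte payload cap standing in for TIPC_MAX_USER_MSG_SIZE, and places the flawed accounting next to a hardened version that accumulates in size_t and bounds-checks before any allocation would happen.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for struct iovec; only the length field matters here. */
struct fake_iov {
    size_t iov_len;
};

/* Illustrative limits (assumptions, not the kernel's values): a 24-byte
 * header and a 66000-byte payload cap standing in for TIPC_MAX_USER_MSG_SIZE. */
#define HDR_SIZE          24
#define MAX_USER_MSG_SIZE 66000
#define MAX_TOTAL_SIZE    (HDR_SIZE + MAX_USER_MSG_SIZE)

/*
 * Flawed pattern from the advisory: size_t lengths accumulated into an int.
 * The explicit cast keeps the narrowing implementation-defined (modulo 2^32
 * on gcc/clang) rather than undefined, so the example is deterministic: the
 * sum is truncated to 32 bits and may come out negative or wrapped small.
 */
static int flawed_calc_data_size(const struct fake_iov *iov, unsigned int n)
{
    int dsz = 0;
    for (unsigned int i = 0; i < n; i++)
        dsz = (int)((size_t)dsz + iov[i].iov_len);
    return dsz;
}

/* Flawed acceptance logic: both comparisons are signed, so a negative or
 * wrapped size passes and a buffer far smaller than the data would be
 * allocated. Returns 1 when the request would be accepted. */
static int flawed_accept(const struct fake_iov *iov, unsigned int n)
{
    int dsz = flawed_calc_data_size(iov, n);
    if (dsz > MAX_USER_MSG_SIZE)          /* signed: INT_MIN counts as "small" */
        return 0;
    int sz = (int)((unsigned int)HDR_SIZE + (unsigned int)dsz);
    if (sz > MAX_TOTAL_SIZE)              /* signed again */
        return 0;
    return 1;
}

/* Hardened version: unsigned accumulation, and each addition is checked
 * against the remaining budget so overflow and the cap are rejected in one
 * test before anything is allocated. Returns 1 and writes the total size on
 * success, 0 if the request must be rejected. */
static int safe_accept(const struct fake_iov *iov, unsigned int n, size_t *total_out)
{
    size_t dsz = 0;
    for (unsigned int i = 0; i < n; i++) {
        if (iov[i].iov_len > MAX_USER_MSG_SIZE - dsz)
            return 0;                     /* would exceed the cap (or wrap) */
        dsz += iov[i].iov_len;
    }
    *total_out = HDR_SIZE + dsz;
    return 1;
}

int main(void)
{
    /* Constructed inputs: one oversized segment, a pair that wraps, a sane pair. */
    struct fake_iov big[1]  = { { 0x80000000u } };
    struct fake_iov wrap[2] = { { 0xFFFFFFFFu }, { 2 } };
    struct fake_iov sane[2] = { { 100 }, { 200 } };
    size_t total = 0;

    printf("big : flawed dsz=%d accept=%d | safe accept=%d\n",
           flawed_calc_data_size(big, 1), flawed_accept(big, 1),
           safe_accept(big, 1, &total));
    printf("wrap: flawed dsz=%d accept=%d | safe accept=%d\n",
           flawed_calc_data_size(wrap, 2), flawed_accept(wrap, 2),
           safe_accept(wrap, 2, &total));
    printf("sane: flawed dsz=%d accept=%d | safe accept=%d total=%zu\n",
           flawed_calc_data_size(sane, 2), flawed_accept(sane, 2),
           safe_accept(sane, 2, &total), total);
    return 0;
}
```

The `big` case shows point 2 of the advisory (a 2 GiB length becomes INT_MIN and sails past a signed `>` check), the `wrap` case shows point 1 (two lengths whose sum does not fit in 32 bits collapse to 1), and the hardened path rejects both while still accepting the sane request. The general fix is the one the upstream patch applies: keep sizes in unsigned types and bound-check each step, never a signed total.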

References:

https://bugzilla.redhat.com/show_bug.cgi?id=645867
http://www.spinics.net/lists/netdev/msg145352.html
http://www.spinics.net/lists/netdev/msg145265.html
http://www.spinics.net/lists/netdev/msg145264.html
http://www.spinics.net/lists/netdev/msg145263.html
http://www.spinics.net/lists/netdev/msg145262.html
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=8acfe468b0384e834a303f08ebc4953d72fb690a
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=253eacc070b114c2ec1f81b067d2fed7305467b0
http://www.spinics.net/lists/netdev/msg145248.html
http://www.spinics.net/lists/netdev/msg145247.html
http://www.openwall.com/lists/oss-security/2010/10/22/5
http://www.openwall.com/lists/oss-security/2010/10/22/2
http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.36.2
http://marc.info/?l=linux-netdev&m=128770476511716&w=2

