gpsd 3.9 denial of service

2013-05-02 / 2013-05-06
Risk: Medium
Local: Yes
Remote: No
CWE: CWE-20


CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: None
Integrity impact: None
Availability impact: Partial

GPSD upstream has released version 3.9:

[1] http://lists.nongnu.org/archive/html/gpsd-dev/2013-05/msg00000.html

correcting one denial of service problem [2]:

A denial of service flaw was found in the way the AIS driver packet parser of gpsd, a service daemon for mediating access to a GPS, processed certain malformed packets. A remote attacker could provide a specially-crafted device input that, when processed, would lead to a gpsd packet parser crash (gpsd daemon termination).

References:
[2] https://bugzilla.redhat.com/show_bug.cgi?id=958717

Candidate upstream patches [*]:
[3] http://git.savannah.gnu.org/cgit/gpsd.git/commit/?id=08edc49d8f63c75bfdfb480b083b0d960310f94f
[4] http://git.savannah.gnu.org/cgit/gpsd.git/commit/?id=dd9c3c2830cb8f8fd8491ce68c82698dc5538f50

--

[*] Candidate because upstream #38511 is currently private: http://savannah.nongnu.org/bugs/?38511 => hard to say if [3] is fixing this issue, or the DoS would be caused by the malformed packet crash / sample, as listed in [4].

@Eric - Eric, could you please help us to solve this doubt? (Which of the patches is the correct one to fix the above mentioned DoS / security issue?)

Thanks: Goes to Miroslav Lichvar for bringing this one to my attention.

diff --git a/drivers.c b/drivers.c index 8d6ebd0..e663290 100644 --- a/drivers.c +++ b/drivers.c @@ -1328,6 +1328,10 @@ static bool aivdm_decode(const char *buf, size_t buflen, (1 << (7 - ais_context->bitlen % 8)); } ais_context->bitlen++; + if (ais_context->bitlen > sizeof(ais_context->bits)) { + gpsd_report(LOG_INF, "overlong AIVDM payload truncated.\n"); + return false; + } } /*@ +shiftnegative @*/ } diff --git a/NEWS b/NEWS index 88dfb58..867b80d 100644 --- a/NEWS +++ b/NEWS 
@@ -1,5 +1,6 @@ * Repository head - Armor the AIS driver against an implausible overrun attack. Minor + Armor the AIS driver against an implausible overrun attack. A fix + for our first malformed-packet crash since about 2007. Minor improvements to the NMEA2000 driver. New FAQ entry on how to know WAAS/EGNOS is working. diff --git a/packet.c b/packet.c index 566b9fd..9bb7723 100644 --- a/packet.c +++ b/packet.c @@ -485,9 +485,8 @@ static void nextstate(struct gps_packet_t *lexer, unsigned char c) /* not strictly correct, but helps for interpreting logfiles */ lexer->state = NMEA_RECOGNIZED; else if (c == '$'){ - /* faster recovery from missing sentence trailers */ - lexer->state = NMEA_DOLLAR; - lexer->inbufptr += (n-1); + lexer->state = GROUND_STATE; + character_pushback(lexer); } else if (!isprint(c)) lexer->state = GROUND_STATE; break; diff --git a/test/daemon/triton400.log b/test/daemon/triton400.log index 22352ce..9c2f107 100644 --- a/test/daemon/triton400.log +++ b/test/daemon/triton400.log @@ -1,9 +1,10 @@ # Name: Magellan Triton 400 -# Chipset = SirfStar III -# Firmware = GSW3.2.4 -# Date = 2013-03-31 -# Submitter = James Gerlach <jpgerlach@gmail.com> -# Location = Wellington, FL, USA, 26d39mN 80d15mW +# Chipset: SirfStar III +# Firmware: GSW3.2.4 +# Date: 2013-03-31 +# Submitter: = James Gerlach <jpgerlach@gmail.com> +# Location: Wellington, FL, USA, 26d39mN 80d15mW +# Note: There's a malformed unterminated GGA packet on line 12 $GPGSV,3,1,11,08,75,303,44,07,66,172,51,11,51,055,36,28,39,325,36*76 $GPGSV,3,2,11,17,31,254,51,26,13,295,51,09,12,322,36,19,12,046,51*76 $GPGSV,3,3,11,20,09,138,36,13,04,183,51,32,03,113,44,,,,*44 diff --git a/www/faq.html.in b/www/faq.html.in index 231e201..86b5714 100644 --- a/www/faq.html.in +++ b/www/faq.html.in 
@@ -300,7 +300,7 @@ still reproducible.</p> <h3>10. If your bug core-dumps gpsd, send us a stack trace.</h3> -<p>Though it happens seldom (we've had only 2 such reports since about +<p>Though it happens seldom (we've had only 3 such reports since about mid-2005), badly-formed input from a device with poor standards compliance has been known to core-dump gpsd. If your gpsd has core-dumped, try to use gdb or whatever your local symbolic debugger @@ -960,7 +960,7 @@ and remove it.</p> <p>See <a href="http://www.bitdirect.nl/?p=47">this blog post</a> for a procedure for hunting down the bad app. In this particular case it -was something called <code>buienradar</a>. +was something called <code>buienradar</code></a>. <p>On the Samsung Galaxy SIII, vendor firmware provides a "Remote Location" service with a similar bug. You can disable this through
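Review bot: in the drivers.c hunk the new guard compares a bit count against a byte count, and it sits after the store instead of before it. `ais_context->bitlen` is advanced once per bit (the visible mask `(1 << (7 - ais_context->bitlen % 8))` treats it as a bit index), while `sizeof(ais_context->bits)` is the array size in bytes, so the cutoff lands at one eighth of the buffer's real capacity. That is safe but far stricter than intended, and because the test follows `ais_context->bitlen++` a later correction of the units to `sizeof(ais_context->bits) * 8` would let one bit be stored at byte index `sizeof(ais_context->bits)` before the check fires. Suggest placing the test in front of the store as `if (ais_context->bitlen >= sizeof(ais_context->bits) * 8) return false;`. The log line says "truncated" but `return false` discards the packet; one of the two should change.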
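Review bot: the NEWS hunk gives no bug or report reference for either fix; the message above cites upstream #38511 and Red Hat bug 958717, and packagers mapping the 3.9 release note to those reports need at least the upstream number in the entry.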
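Review bot: the packet.c hunk removes the only comment on this branch (`/* faster recovery from missing sentence trailers */`) without replacing it. Add one stating why a '$' seen here now drops the lexer to GROUND_STATE and pushes the character back for re-scan instead of the old `lexer->inbufptr += (n-1)` skip, since the unterminated GGA case added to triton400.log is the reason for the change. Also worth confirming that `n` is still referenced after this hunk; the removed line was a use of it, and an unused variable will warn.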
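Review bot: the triton400.log header conversion leaves a stray `=` on one line: `# Submitter: = James Gerlach <jpgerlach@gmail.com>` should read `# Submitter: James Gerlach <jpgerlach@gmail.com>`, matching the other five lines that were changed from `=` to `:` cleanly.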
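Review bot: the second faq.html.in hunk closes the `<code>` element but keeps the trailing `</a>`: in `was something called <code>buienradar</code></a>.` there is no open anchor for that close, the only `<a>` in the visible context being `<a href="http://www.bitdirect.nl/?p=47">this blog post</a>`, which already closes itself. Drop the `</a>` and end the sentence inside the `<p>`.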
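As an added example that is not part of this advisory or of gpsd's own code, the following C program shows the failure mode the AIS driver change addresses and the shape of guard a reviewer would want. An AIVDM payload is "6-bit armored": each ASCII character of the payload carries six bits (subtract 48, and 8 more when the result exceeds 40), and the decoder unpacks it one bit at a time into a fixed byte array. A payload longer than the array overruns it unless the running bit count is compared with the array's capacity in bits before each store. The type and function names (`struct ais_ctx`, `aivdm_unpack`, `ais_ubits`), the deliberately tiny 8-byte buffer and the sample payloads are assumptions constructed for this example; only the armoring rule and the MSB-first packing are standard AIVDM.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumption for the example: a deliberately tiny bit buffer (64 bits).
 * gpsd's real AIS context is much larger; the size only moves the point
 * at which an overlong payload would overrun, not the shape of the check. */
#define AIS_BITS_BYTES 8

struct ais_ctx {
    unsigned char bits[AIS_BITS_BYTES]; /* packed MSB-first */
    size_t bitlen;                      /* bits stored so far */
};

/* AIVDM 6-bit armoring: subtract 48, and subtract 8 more if the result
 * exceeds 40. Returns -1 for a byte that is not a valid armored character. */
static int aivdm_sixbit(unsigned char c)
{
    int v = (int)c - 48;
    if (v < 0)
        return -1;
    if (v > 40)
        v -= 8;
    return (v >= 0 && v <= 63) ? v : -1;
}

/* Unpack an armored payload into ctx->bits. Returns false for a bad
 * character or an overlong payload; bits stored before the failure stay
 * in ctx. The unguarded form of this loop stores each bit first and never
 * compares bitlen with the buffer size, so a payload longer than the buffer
 * writes past the end of bits[]. Here the comparison is made before the
 * store and against the capacity in bits, because bitlen counts bits while
 * sizeof() counts bytes. */
bool aivdm_unpack(struct ais_ctx *ctx, const char *payload, size_t len)
{
    const size_t capacity_bits = sizeof(ctx->bits) * 8;
    size_t i;

    memset(ctx, 0, sizeof(*ctx));
    for (i = 0; i < len; i++) {
        int v = aivdm_sixbit((unsigned char)payload[i]);
        int b;
        if (v < 0)
            return false;
        for (b = 5; b >= 0; b--) {
            if (ctx->bitlen >= capacity_bits)
                return false; /* overlong payload rejected before any OOB write */
            if (v & (1 << b))
                ctx->bits[ctx->bitlen / 8] |=
                    (unsigned char)(1 << (7 - ctx->bitlen % 8));
            ctx->bitlen++;
        }
    }
    return true;
}

/* Read an unsigned MSB-first field of `width` bits at bit offset `start`,
 * refusing any field that extends beyond what was actually unpacked. */
bool ais_ubits(const struct ais_ctx *ctx, size_t start, size_t width,
               unsigned int *out)
{
    unsigned int val = 0;
    size_t i;

    if (width == 0 || width > 32 || start > ctx->bitlen ||
        width > ctx->bitlen - start)
        return false;
    for (i = start; i < start + width; i++)
        val = (val << 1) | ((ctx->bits[i / 8] >> (7 - i % 8)) & 1u);
    *out = val;
    return true;
}

int main(void)
{
    struct ais_ctx ctx;
    unsigned int type = 0;
    /* Constructed payloads: "13aG?" is 30 bits and fits; the 11-character
     * string is 66 bits and does not fit in the 64-bit buffer. */
    const char *ok = "13aG?";
    const char *overlong = "11111111111";

    if (aivdm_unpack(&ctx, ok, strlen(ok)) && ais_ubits(&ctx, 0, 6, &type))
        printf("message type %u from %zu bits\n", type, ctx.bitlen);
    printf("overlong payload accepted: %s\n",
           aivdm_unpack(&ctx, overlong, strlen(overlong)) ? "yes" : "no");
    return 0;
}
```

The field reader is bounds-checked against `bitlen` rather than the buffer size on purpose: a short but well-formed payload must not let a caller read stale or zero bits past what the sentence carried, which is the same class of mistake as the overrun, in the other direction.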

References:

http://git.savannah.gnu.org/cgit/gpsd.git/commit/?id=08edc49d8f63c75bfdfb480b083b0d960310f94f
http://git.savannah.gnu.org/cgit/gpsd.git/commit/?id=dd9c3c2830cb8f8fd8491ce68c82698dc5538f50
https://bugzilla.redhat.com/show_bug.cgi?id=958717
http://lists.nongnu.org/archive/html/gpsd-dev/2013-05/msg00000.html
http://seclists.org/oss-sec/2013/q2/268
http://seclists.org/oss-sec/2013/q2/274

Copyright 2024, cxsecurity.com