gpsd 3.9 denial of service

2013-05-02 / 2013-05-06

Credit: Jan iankko Lieskovsky

Risk: Medium

Local: Yes

Remote: No

CVE: CVE-2013-2038

CWE: CWE-20

CVSS Base Score: 4.3/10

Impact Subscore: 2.9/10

Exploitability Subscore: 8.6/10

Exploit range: Remote

Attack complexity: Medium

Authentication: No required

Confidentiality impact: None

Integrity impact: None

Availability impact: Partial

  GPSD upstream has released 3.9 version:
  [1] http://lists.nongnu.org/archive/html/gpsd-dev/2013-05/msg00000.html

correcting one denial of service problem [2]:
A denial of service flaw was found in the way AIS driver packet parser of
gpsd, a service daemon for mediating access to a GPS, processed certain
malformed packets. A remote attacker could provide a specially-crafted
device input that, when processed would lead to gpsd's packet parser
crash (gpsd daemon termination).

References:
[2] https://bugzilla.redhat.com/show_bug.cgi?id=958717

Candidate upstream patches [*]:
[3] http://git.savannah.gnu.org/cgit/gpsd.git/commit/?id=08edc49d8f63c75bfdfb480b083b0d960310f94f
[4] http://git.savannah.gnu.org/cgit/gpsd.git/commit/?id=dd9c3c2830cb8f8fd8491ce68c82698dc5538f50

--
[*] Candidate because upstream #38511 is private currently:
    http://savannah.nongnu.org/bugs/?38511 => hard to say
    if [3] is fixing this issue, or the DoS would be caused
    by the malformed packet crash / sample, as listed in [4].
    
@Eric - Eric, could you please help us to solve this doubt? (which
of the patches is the correct one to fix the above mentioned DoS
/ security issue)

Thanks: Goes to Miroslav Lichvar for bringing this one to my attention.


diff --git a/drivers.c b/drivers.c
index 8d6ebd0..e663290 100644
--- a/drivers.c
+++ b/drivers.c
@@ -1328,6 +1328,10 @@ static bool aivdm_decode(const char *buf, size_t buflen,
 		    (1 << (7 - ais_context->bitlen % 8));
 	    }
 	    ais_context->bitlen++;
+	    if (ais_context->bitlen > sizeof(ais_context->bits)) {
+		gpsd_report(LOG_INF, "overlong AIVDM payload truncated.\n");
+		return false;
+	    }
 	}
 	/*@ +shiftnegative @*/
     }



diff --git a/NEWS b/NEWS
index 88dfb58..867b80d 100644
--- a/NEWS
+++ b/NEWS
@@ -1,5 +1,6 @@
 * Repository head
-  Armor the AIS driver against an implausible overrun attack.  Minor 
+  Armor the AIS driver against an implausible overrun attack.  A fix
+  for our first malformed-packet crash since about 2007. Minor 
   improvements to the NMEA2000 driver. New FAQ entry on how to know
   WAAS/EGNOS is working.
 
diff --git a/packet.c b/packet.c
index 566b9fd..9bb7723 100644
--- a/packet.c
+++ b/packet.c
@@ -485,9 +485,8 @@ static void nextstate(struct gps_packet_t *lexer, unsigned char c)
 	    /* not strictly correct, but helps for interpreting logfiles */
 	    lexer->state = NMEA_RECOGNIZED;
 	else if (c == '$'){
-	    /* faster recovery from missing sentence trailers */
-	    lexer->state = NMEA_DOLLAR;
-	    lexer->inbufptr += (n-1);
+	    lexer->state = GROUND_STATE;
+	    character_pushback(lexer);
 	} else if (!isprint(c))
 	    lexer->state = GROUND_STATE;
 	break;
diff --git a/test/daemon/triton400.log b/test/daemon/triton400.log
index 22352ce..9c2f107 100644
--- a/test/daemon/triton400.log
+++ b/test/daemon/triton400.log
@@ -1,9 +1,10 @@
 # Name: Magellan Triton 400
-# Chipset = SirfStar III
-# Firmware = GSW3.2.4
-# Date = 2013-03-31
-# Submitter = James Gerlach <jpgerlach@gmail.com>
-# Location = Wellington, FL, USA, 26d39mN 80d15mW
+# Chipset: SirfStar III
+# Firmware: GSW3.2.4
+# Date: 2013-03-31
+# Submitter: = James Gerlach <jpgerlach@gmail.com>
+# Location: Wellington, FL, USA, 26d39mN 80d15mW
+# Note: There's a malformed unterminated GGA packet on line 12
 $GPGSV,3,1,11,08,75,303,44,07,66,172,51,11,51,055,36,28,39,325,36*76
 $GPGSV,3,2,11,17,31,254,51,26,13,295,51,09,12,322,36,19,12,046,51*76
 $GPGSV,3,3,11,20,09,138,36,13,04,183,51,32,03,113,44,,,,*44
diff --git a/www/faq.html.in b/www/faq.html.in
index 231e201..86b5714 100644
--- a/www/faq.html.in
+++ b/www/faq.html.in
@@ -300,7 +300,7 @@ still reproducible.</p>
 
 <h3>10. If your bug core-dumps gpsd, send us a stack trace.</h3>
 
-<p>Though it happens seldom (we've had only 2 such reports since about
+<p>Though it happens seldom (we've had only 3 such reports since about
 mid-2005), badly-formed input from a device with poor standards
 compliance has been known to core-dump gpsd.  If your gpsd has
 core-dumped, try to use gdb or whatever your local symbolic debugger
@@ -960,7 +960,7 @@ and remove it.</p>
 
 <p>See <a href="http://www.bitdirect.nl/?p=47">this blog post</a> for
 a procedure for hunting down the bad app. In this particular case it
-was something called <code>buienradar</a>.
+was something called <code>buienradar</code></a>.
 
 <p>On the Samsung Galaxy SIII, vendor firmware provides a "Remote
 Location" service with a similar bug. You can disable this through

References:

http://git.savannah.gnu.org/cgit/gpsd.git/commit/?id=08edc49d8f63c75bfdfb480b083b0d960310f94f

http://git.savannah.gnu.org/cgit/gpsd.git/commit/?id=dd9c3c2830cb8f8fd8491ce68c82698dc5538f50

https://bugzilla.redhat.com/show_bug.cgi?id=958717

http://lists.nongnu.org/archive/html/gpsd-dev/2013-05/msg00000.html

http://seclists.org/oss-sec/2013/q2/268

http://seclists.org/oss-sec/2013/q2/274

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

gpsd 3.9 denial of service

References:

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.