xfrm Out-Of-Bounds Read

2017.07.12
Credit: bo Zhang
Risk: High
Local: Yes
Remote: No
CVE: N/A
CWE: N/A

Issue description: xfrm migrate is a mechanism of the kernel IPsec xfrm framework. When handling an XFRM_MSG_MIGRATE message, the xfrm_migrate function does not check the dir value of struct xfrm_userpolicy_id. When dir exceeds XFRM_POLICY_MAX, this causes an out-of-bounds access to net->xfrm.policy_bydst in the policy_hash_direct function and others. The whole content of struct xfrm_userpolicy_id is controlled by the sender of the netlink message, so the out-of-bounds address is predictable; this may lead to a security issue.

Affected version: Linux kernel 4.12 and lower

PoC: send a crafted xfrm netlink message with type XFRM_MSG_MIGRATE

Kernel panic: this issue triggered the following kernel panic:

Unable to handle kernel paging request at virtual address 04821020
pgd = ffffffc05d9ce000
[04821020] *pgd=000000009b82a003, *pud=000000009b82a003, *pmd=0000000000000000
Internal error: Oops: 96000006 [#1] PREEMPT SMP
Modules linked in:
task: ffffffc05d953100 ti: ffffffc05b82c000 task.ti: ffffffc05b82c000
PC is at xfrm_migrate+0x208/0x80c
LR is at xfrm_migrate+0x208/0x80c
pc : [<ffffffc0005f0c4c>] lr : [<ffffffc0005f0c4c>] pstate: 00000145
sp : ffffffc05b82f560
Call trace:
[<ffffffc0005f0c4c>] xfrm_migrate+0x208/0x80c
[<ffffffc0005fd26c>] xfrm_do_migrate+0x1a4/0x1e8
[<ffffffc0005fe21c>] xfrm_user_rcv_msg+0x1fc/0x284
[<ffffffc00053beb0>] netlink_rcv_skb+0xf8/0x12c
[<ffffffc0005fcedc>] xfrm_netlink_rcv+0x34/0x48
[<ffffffc00053b558>] netlink_unicast+0x238/0x314
[<ffffffc00053ba9c>] netlink_sendmsg+0x2fc/0x3e0
[<ffffffc0004dc11c>] sock_sendmsg+0xc4/0x100
[<ffffffc0004def70>] ___sys_sendmsg+0x3f8/0x410
[<ffffffc0004e1cb8>] SyS_sendmsg+0xc4/0x10c
Code: b9407fa4 aa1a03e1 91004342 97ffecd1 (f9400016)
---[ end trace a42942d9d5e3d64d ]---
Kernel panic - not syncing: Fatal exception in interrupt
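The root cause above is a user-supplied dir byte used to index net->xfrm.policy_bydst with no range check. The following is an added illustration (not the kernel's code and not the reporter's PoC): a user-space model of the per-direction table, the unguarded access pattern that policy_hash_direct relies on, and the bounds check an XFRM_MSG_MIGRATE handler must apply before touching any table. The struct names, the XFRM_POLICY_MAX value of 3 and the table size of XFRM_POLICY_MAX * 2 are assumptions modelled on the kernel headers; the hmask values are constructed.

```c
#include <errno.h>
#include <stdint.h>

/* Modelled on the kernel headers (assumed values): dir 0 = in, 1 = out, 2 = fwd. */
#define XFRM_POLICY_MAX 3

/* Stand-in for the fields of struct xfrm_userpolicy_id that matter here; every byte
 * of the real struct arrives verbatim from the netlink message. */
struct userpolicy_id {
    uint32_t index;
    uint8_t  dir;
};

/* Stand-in for net->xfrm.policy_bydst: XFRM_POLICY_MAX * 2 per-direction hash tables. */
struct policy_hash { unsigned int hmask; };
struct netns_xfrm_model { struct policy_hash policy_bydst[XFRM_POLICY_MAX * 2]; };

/* Vulnerable shape, as policy_hash_direct() sees it when no caller validated dir:
 * the index comes straight from the message, so dir >= 6 reads past the array at the
 * predictable offset dir * sizeof(struct policy_hash). Only reached below with a
 * checked dir; it is here to show the unguarded access pattern. */
static unsigned int hash_mask_unchecked(const struct netns_xfrm_model *net, unsigned int dir)
{
    return net->policy_bydst[dir].hmask;
}

/* Hardened entry point: reject the direction before any table is indexed. */
static int migrate_checked(const struct netns_xfrm_model *net,
                           const struct userpolicy_id *pi, unsigned int *hmask_out)
{
    if (pi->dir >= XFRM_POLICY_MAX)
        return -EINVAL;                 /* malformed message: drop it, touch nothing */
    *hmask_out = hash_mask_unchecked(net, pi->dir);
    return 0;
}

/* Constructed harness: model net with a distinct hmask per table, one dir byte in;
 * returns the hmask the lookup would use, or a negative errno when rejected. */
static int migrate_hmask_for_dir(uint8_t dir)
{
    struct netns_xfrm_model net = {0};
    struct userpolicy_id pi = { .index = 0, .dir = dir };
    unsigned int hmask = 0, i;
    int rc;
    for (i = 0; i < XFRM_POLICY_MAX * 2; i++)
        net.policy_bydst[i].hmask = 7 + i;       /* constructed: table i gets 7 + i */
    rc = migrate_checked(&net, &pi, &hmask);
    return rc < 0 ? rc : (int)hmask;
}
```

With the check in place a dir of 0xff is answered with -EINVAL and no table is read; without it the same byte would select an address 255 * sizeof(struct policy_hash) past the table base, which is exactly the predictable out-of-bounds access the advisory describes.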



Copyright 2017, cxsecurity.com
