<!--X-Body-Begin-->
<!--X-User-Header-->
oss-sec
mailing list archives
<!--X-User-Header-End-->
<!--X-TopPNI-->
By Date
By Thread
</form>
<!--X-TopPNI-End-->
<!--X-MsgBody-->
<!--X-Subject-Header-Begin-->
Re: CVE-2019-10207: linux kernel: bluetooth: hci_uart: 0x0 address execution as nonprivileged user
<!--X-Subject-Header-End-->
<!--X-Head-of-Message-->
From: Brad Spengler <spender () grsecurity net>
Date: Thu, 25 Jul 2019 10:29:53 -0400
<!--X-Head-of-Message-End-->
<!--X-Head-Body-Sep-Begin-->
<!--X-Head-Body-Sep-End-->
<!--X-Body-of-Message-->
Hi,
https://twitter.com/grsecurity/status/1154397455267586050
"The only "direct" ones in hci_ath.c (ath_wakeup_ar3k) are also done in
worker context: ath_hci_uart_work(), created from ath_open(). Looks
like just a DoS then"
Thanks,
-Brad
On Thu, Jul 25, 2019 at 02:46:19PM +0200, Andrey Konovalov wrote:
On Thu, Jul 25, 2019 at 2:32 PM Vladis Dronov <vdronov () redhat com> wrote:
Hello,
It was found (by the syzkaller initially) that a 0x0 address execution is
possible as nonprivileged user in the latest Linux kernel (considering
protection measures like SMEP, vm.mmap_min_addr, etc are disabled).
The Linux kernel must have any of following config options enabled:
CONFIG_BT_HCIUART_MRVL (easy to hit)
CONFIG_BT_HCIUART_QCA (hard to hit)
CONFIG_BT_HCIUART_BCM
CONFIG_BT_HCIUART_INTEL
CONFIG_BT_HCIUART_ATH3K
The suggested fix is posted at:
https://lore.kernel.org/linux-bluetooth/20190725120909.31235-1-vdronov () redhat com/T/#u
The bug and the reproducer are public, as they were found by the syzcaller
several months ago:
https://syzkaller.appspot.com/bug?id=1b42faa2848963564a5b1b7f8c837ea7b55ffa50
CVE-2019-10207 was assigned to this bug.
$ id
uid=1000(vladis) gid=1000(vladis) groups=1000(vladis)
$ uname -r
5.2.0
$ ./hci-proto-crash 11
proto = 11
ioctl(SET_HCI_UART_PROTO): Success
[ 99.894572] BUG: kernel NULL pointer dereference, address: 0000000000000000
[ 99.897287] #PF: supervisor instruction fetch in kernel mode
[ 99.897863] #PF: error_code(0x0010) - not-present page
[ 99.898389] PGD 0 P4D 0
[ 99.899036] Oops: 0010 [#1] SMP
[ 99.899795] CPU: 2 PID: 691 Comm: kworker/u17:0 Not tainted 5.2.0 #23
[ 99.900836] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996)
[ 99.902912] Workqueue: hci0 hci_power_on
[ 99.903673] RIP: 0010:0x0
[ 99.904416] Code: Bad RIP value.
[ 99.905137] RSP: 0018:ffff92d8822c7d98 EFLAGS: 00010246
[ 99.906014] RAX: ffffffff97e7a3e0 RBX: ffff8af7b5dd9e00 RCX: 00000000000010b2
[ 99.907075] RDX: 00000000ffffffff RSI: ffff92d8822c7d44 RDI: ffff8af7b46c0400
[ 99.908127] RBP: ffff8af7b46c0400 R08: 0000000000000000 R09: 000000000001cb00
[ 99.909232] R10: 000000000000001e R11: 000000000001b900 R12: ffff8af7b45d4000
[ 99.910332] R13: ffff8af7b45d4a08 R14: 0000000000000000 R15: 0ffff8af7b167ad0
[ 99.911452] FS: 0000000000000000(0000) GS:ffff8af7b7880000(0000) knlGS:0000000000000000
[ 99.912709] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 99.913682] CR2: ffffffffffffffd6 CR3: 000000007060a003 CR4: 00000000001606e0
[ 99.914764] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 99.915830] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 99.916877] Call Trace:
[ 99.917538] hci_uart_set_flow_control+0x149/0x1b0
[ 99.918441] mrvl_setup+0xe/0x70
[ 99.919209] hci_dev_do_open+0x1eb/0x690
[ 99.920013] ? sched_clock+0x5/0x10
[ 99.920784] hci_power_on+0x45/0x250
[ 99.921549] ? __wake_up_common_lock+0x87/0xc0
[ 99.922399] process_one_work+0x1c4/0x3a0
[ 99.923230] worker_thread+0x45/0x3c0
[ 99.924019] kthread+0xf3/0x130
[ 99.924735] ? trace_event_raw_event_workqueue_execute_start+0xb0/0xb0
[ 99.925755] ? kthread_park+0x80/0x80
[ 99.926546] ret_from_fork+0x1f/0x30
[ 99.927399] Modules linked in:
[ 99.928152] CR2: 0000000000000000
[ 99.928882] ---[ end trace 577d1af3066a9585 ]---
Does this always happen in a worker thread? Does this therefore mean
that this is not exploitable by a local user even if vm.mmap_min_addr
and SMEP/SMAP are disabled, since the user can't mmap zero page in the
worker thread context?
Best regards,
Vladis Dronov | Red Hat, Inc. | The Core Kernel | Senior Software Engineer
Attachment:
signature.asc
Description: Digital signature
<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->
<!--X-Follow-Ups-->
<!--X-Follow-Ups-End-->
<!--X-References-->
<!--X-References-End-->
<!--X-BotPNI-->
By Date
By Thread
Current thread:
CVE-2019-10207: linux kernel: bluetooth: hci_uart: 0x0 address execution as nonprivileged user Vladis Dronov (Jul 25)
Re: CVE-2019-10207: linux kernel: bluetooth: hci_uart: 0x0 address execution as nonprivileged user Andrey Konovalov (Jul 25)
Re: CVE-2019-10207: linux kernel: bluetooth: hci_uart: 0x0 address execution as nonprivileged user Vladis Dronov (Jul 25)
Re: CVE-2019-10207: linux kernel: bluetooth: hci_uart: 0x0 address execution as nonprivileged user Brad Spengler (Jul 25)
Re: CVE-2019-10207: linux kernel: bluetooth: hci_uart: 0x0 address execution as nonprivileged user Vladis Dronov (Aug 02)
<!--X-BotPNI-End-->
<!--X-User-Footer-->
<!--X-User-Footer-End-->