Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

Re: Linux kernel: heap out of bounds write in nf_dup_netdev.c since 5.4

Related Vulnerabilities: CVE-2022-25636  
Source 
                							

                <!--X-Body-Begin-->
<!--X-User-Header-->

oss-sec
mailing list archives
<!--X-User-Header-End-->
<!--X-TopPNI-->

By Date

By Thread

</form>

<!--X-TopPNI-End-->
<!--X-MsgBody-->
<!--X-Subject-Header-Begin-->
Re: Linux kernel: heap out of bounds write in nf_dup_netdev.c since 5.4

<!--X-Subject-Header-End-->
<!--X-Head-of-Message-->

From: Salvatore Bonaccorso &lt;carnil () debian org&gt;

Date: Tue, 22 Feb 2022 07:35:10 +0100

<!--X-Head-of-Message-End-->
<!--X-Head-Body-Sep-Begin-->

<!--X-Head-Body-Sep-End-->
<!--X-Body-of-Message-->
Hi,

On Mon, Feb 21, 2022 at 08:38:23PM +0000, Nick Gregory wrote:
There is a heap out of bounds write in the function nft_fwd_dup_netdev_offload (nf_dup_netdev.c). This was introduced 
in 5.4-rc1 by 
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=be2861dc36d77ff3778979b9c3c79ada4affa131,
 and is fixed by 
https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git/commit/?id=b1a5983f56e371046dcf164f90bfaf704d2b89f6. 
I have created a sample LPE targeting Ubuntu 21.10 with KASLR disabled.

In nft_fwd_dup_netdev_offload, ctx-&gt;num_actions++ is used to offset into the flow-&gt;rule-&gt;action.entries array 
(nf_dup_netdev.c:67) when setting up dup or fwd flow rules on a chain with hardware offload enabled. However there is 
a mismatch between the number of times the increment is called vs. the number of allocated entries. The allocated 
array size is based on the number of nftables expressions that have expr.offload_flags&amp;NFT_OFFLOAD_F_ACTION 
(nf_tables_offload.c:97), but only the immediate expression type has this (not dup or fwd). It's possible to manually 
create a rule with dup/fwd expressions that don't have a corresponding/preceding immediate, leading to an undersized 
entries array, and an arbitrary number of out of bounds array writes. Despite being in code dealing with hardware 
offload, this is reachable when targeting network devices that don't have offload functionality (e.g. lo) as the bug 
is triggered before the rule creation fails. Additionally, while nftables requires CAP_NET_ADMIN, we can unshare into 
a new network namespace to get this as a (normally) unprivileged user. The reproducer code below demonstrates all of 
this, and will likely immediately panic the system.

This can be turned into kernel ROP/local privilege escalation without too much difficulty, as one of the values that 
is written out of bounds is conveniently a pointer to a net_device structure. There are many opportunities for one of 
the OOB writes to land in another heap allocated structure which then misuses it (type confusion, freeing it, etc.). 
Additionally, an OOB write could be landed in a buffer returned to userland, leaking the address of the net_device 
allocation out.

This isse seems to have CVE-2022-25636 assigned.

Regards,
Salvatore

<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->
<!--X-Follow-Ups-->

<!--X-Follow-Ups-End-->
<!--X-References-->
<!--X-References-End-->
<!--X-BotPNI-->

By Date

By Thread

Current thread:

Linux kernel: heap out of bounds write in nf_dup_netdev.c since 5.4 Nick Gregory (Feb 21)

Re: Linux kernel: heap out of bounds write in nf_dup_netdev.c since 5.4 Salvatore Bonaccorso (Feb 21)

<!--X-BotPNI-End-->
<!--X-User-Footer-->
<!--X-User-Footer-End-->

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started