CVE-2020-14386: Linux kernel: af_packet.c vulnerability

oss-sec mailing list archives

From: Or Cohen <orcohen () paloaltonetworks com>

Date: Thu, 3 Sep 2020 20:16:15 +0300

Hi,
This is an announcement of CVE-2020-14386.

I also reported the issue to netdev () vger kernel org and I'm waiting for
approval of my proposed patch.

The report is as follows (a proposed patch and a reproducer are attached):

I discovered a bug which leads to a memory corruption in
(net/packet/af_packet.c). It can be exploited to gain root privileges
from unprivileged processes.

To create AF_PACKET sockets you need CAP_NET_RAW in your network
namespace, which can be acquired by unprivileged processes on systems
where unprivileged namespaces are enabled (Ubuntu, Fedora, etc).

I discovered the vulnerability while auditing the 5.7 kernel sources.

The bug occurs in tpacket_rcv function, when calculating the netoff
variable (unsigned short), po->tp_reserve (unsigned int) is added to
it which can overflow netoff so it gets a small value.

macoff is calculated using: "macoff = netoff - maclen", we can control
macoff so it will receive a small value (specifically, smaller than
sizeof(struct virtio_net_hdr)).

Later, when running the following code:
...
    if (do_vnet &&
        virtio_net_hdr_from_skb(skb, h.raw + macoff -
                                sizeof(struct virtio_net_hdr),
...

If do_vnet is set, and because macoff < sizeof(struct virtio_net_hdr)
a pointer to a memory area before the h.raw buffer will be sent to
virtio_net_hdr_from_skb. This can lead to an out-of-bounds write of
1-10 bytes, controlled by the user.

The h.raw buffer is allocated in alloc_pg_vec and its size is
controlled by the user.

The stack trace is as follows at the time of the crash (linux v5.7):

#0  memset_erms () at arch/x86/lib/memset_64.S:66
#1  0xffffffff831934a6 in virtio_net_hdr_from_skb
    (little_endian=<optimized out>, has_data_valid=<optimized out>,
    vlan_hlen=<optimized out>, hdr=<optimized out>, skb=<optimized out>)
    at ./include/linux/virtio_net.h:134
#2  tpacket_rcv (skb=0xffff8881ef539940, dev=0xffff8881de534000,
    pt=<optimized out>, orig_dev=<optimized out>)
    at net/packet/af_packet.c:2287
#3  0xffffffff82c52e47 in dev_queue_xmit_nit (skb=0xffff8881ef5391c0,
    dev=<optimized out>) at net/core/dev.c:2276
#4  0xffffffff82c5e3d4 in xmit_one (more=<optimized out>,
    txq=<optimized out>, dev=<optimized out>,
    skb=<optimized out>) at net/core/dev.c:3473
#5  dev_hard_start_xmit (first=0xffffc900001c0ff6, dev=0x0
    <fixed_percpu_data>, txq=0xa <fixed_percpu_data+10>,
    ret=<optimized out>) at net/core/dev.c:3493
#6  0xffffffff82c5fc7e in __dev_queue_xmit (skb=0xffff8881ef5391c0,
    sb_dev=<optimized out>) at net/core/dev.c:4052
#7  0xffffffff831982d3 in packet_snd (len=65536, msg=<optimized out>,
    sock=<optimized out>) at net/packet/af_packet.c:2979
#8  packet_sendmsg (sock=<optimized out>, msg=<optimized out>,
    len=65536) at net/packet/af_packet.c:3004
#9  0xffffffff82be09ed in sock_sendmsg_nosec (msg=<optimized out>,
    sock=<optimized out>) at net/socket.c:652
#10 sock_sendmsg (sock=0xffff8881e8ff56c0, msg=0xffff8881de56fd88) at
    net/socket.c:672

Files attached:
A proposed patch - 0001-net-packet-fix-overflow-in-tpacket_rcv.patch
A reproducer for the bug - trigger_bug.c

We are currently working on an exploit for getting root privileges
from unprivileged context using this bug.

Timeline:
* 9.2.20 - Vulnerability reported to security () kernel org and
linux-distros () vs openwall org.
* 9.3.20 - CVE-2020-14386 assigned.
* 9.3.20 - Vulnerability reported to netdev.

Or Cohen
Palo Alto Networks
Attachment: 0001-net-packet-fix-overflow-in-tpacket_rcv.patch
Attachment: trigger_bug.c
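Added illustration, not part of Or Cohen's report, the attached patch or the kernel's own code: the 16-bit wrap the message describes, modelled in plain C with constructed values, next to a widened computation that drops frames whose offset does not fit, which is the general shape such a fix takes. Assumptions: sizeof(struct virtio_net_hdr) is taken as 10, and hdr_off is an illustrative name for the fixed header space ahead of tp_reserve.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* sizeof(struct virtio_net_hdr) on Linux, taken here as an assumed constant. */
#define VIRTIO_NET_HDR_LEN 10u

/* Vulnerable arithmetic from the report: netoff is an unsigned short, so adding
 * the 32-bit tp_reserve wraps modulo 65536 before macoff = netoff - maclen is
 * formed. hdr_off is an illustrative stand-in for the fixed header space.
 * Returns the 16-bit macoff the ring code would go on to use. */
unsigned int macoff_vulnerable(unsigned int hdr_off, unsigned int tp_reserve,
                               unsigned int maclen)
{
    unsigned short netoff = (unsigned short)(hdr_off + tp_reserve); /* truncates */
    unsigned short macoff = (unsigned short)(netoff - maclen);
    return macoff;
}

/* Hardened arithmetic: keep netoff 32-bit and refuse frames whose offset does
 * not fit the 16-bit ring fields. Returns -1 when the frame must be dropped,
 * otherwise the macoff. (Shape of a fix, not the attached patch itself.) */
long macoff_fixed(unsigned int hdr_off, unsigned int tp_reserve,
                  unsigned int maclen)
{
    unsigned int netoff = hdr_off + tp_reserve;
    if (netoff > USHRT_MAX)
        return -1; /* count it as a drop rather than store a truncated offset */
    return (unsigned short)(netoff - maclen);
}

/* True when h.raw + macoff - sizeof(struct virtio_net_hdr) would point before
 * the start of the frame buffer, i.e. the out-of-bounds write in the report. */
bool vnet_hdr_before_buffer(unsigned int macoff)
{
    return macoff < VIRTIO_NET_HDR_LEN;
}

int main(void)
{
    /* Constructed values: a 14-byte link-layer header and a reserve chosen so
     * that hdr_off + tp_reserve wraps to maclen + 4 in 16 bits. */
    unsigned int hdr_off = 32u, tp_reserve = 65522u, maclen = 14u;
    unsigned int macoff = macoff_vulnerable(hdr_off, tp_reserve, maclen);
    printf("vulnerable: macoff = %u, vnet header before buffer: %s\n", macoff,
           vnet_hdr_before_buffer(macoff) ? "yes" : "no");
    printf("fixed: %s\n", macoff_fixed(hdr_off, tp_reserve, maclen) < 0
                              ? "frame dropped" : "frame accepted");
    return 0;
}
```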
