[UNIX] Linux Broadcom 5820 Cryptonet Driver Integer Overflow


Date: 24 Jun 2004 19:08:41 +0200
From: SecuriTeam <support@securiteam.com>
To: list@securiteam.com
Subject: [UNIX] Linux Broadcom 5820 Cryptonet Driver Integer Overflow

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com



  Linux Broadcom 5820 Cryptonet Driver Integer Overflow
------------------------------------------------------------------------


SUMMARY

There exists an integer overflow in the Linux cryptonet driver. A user 
supplied value is used to size a dynamically allocated buffer, and this 
buffer is subsequently filled with user supplied data.

A local DoS condition and arbitrary code execution are possible through 
exploitation of the vulnerability. However, the driver is not present in 
most Linux distributions.

DETAILS

Vulnerable Systems:
 * RedHat Linux 8, kernel version 2.4.20

Note: If the driver is installed its sources can be found at:  
/usr/src/linux/drivers/crypto/bcm/

The ubsec_ioctl() function is used to set up various operating parameters 
for the device driver. One of the commands is used to set up the key being 
used for encryption. This occurs in the following code from 
/drivers/crypto/bcm/dispatch.c, line 196:
--------------------------------- Begin Code ---------------------------------
case UBSEC_KEY_SETUP_FUNC:
    /* arg is the untrusted pointer the caller passed to ioctl() */
    status = ubsec_keysetup(DeviceInfoList[SelectedDevice].Context, (void *)arg);
    break;
---------------------------------- End Code ----------------------------------

Which calls this function found in /drivers/crypto/bcm/pkey.c, line 91:
--------------------------------- Begin Code ---------------------------------
int ubsec_keysetup(ubsec_DeviceContext_t pContext, ubsec_key_io_t *pKeyIOInfo)
{
    ...snip....

  /* 1] the user structure is copied into a local, including its embedded pointer */
  copy_from_user( &KeyIOInfoForDSA,pKeyIOInfo, sizeof(KeyIOInfoForDSA));

  if((KeyIOInfoForDSA.command == UBSEC_DSA_SIGN) ||
     (KeyIOInfoForDSA.command == UBSEC_DSA_VERIFY)) {
    message_alignment = DSA_MESSAGE_ALIGNMENT;
    /* 2] user-controlled length, read through a user-space pointer, sizes the buffer */
    add_dsa_buf_bytes =
      KeyIOInfoForDSA.key.DSAParams.InputFragments->FragmentLength +
      DSA_MESSAGE_ALIGNMENT;
  }

   .......

  /* 3] 4096 + add_dsa_buf_bytes; a negative value yields a small allocation */
  pkey_buf = (unsigned char *)
    kmalloc((4096+add_dsa_buf_bytes),GFP_KERNEL|GFP_ATOMIC);
  pCommandContext = (CommandContext_pt)pkey_buf;
  kcmd = (ubsec_KeyCommandInfo_pt) &pCommandContext[1];
  KeyIOInfo = (ubsec_key_io_pt)&kcmd[1];
  KeyLoc = ((unsigned char *)&KeyIOInfo[1]) + message_alignment;

  /* 4] fixed-size copy into the possibly undersized buffer */
  copy_from_user( KeyIOInfo, pKeyIOInfo, sizeof(*KeyIOInfo));

   ...snip...
}
---------------------------------- End Code ----------------------------------

The last argument passed to ubsec_keysetup() is the device specific, user 
supplied argument to ioctl(). It is copied into the KeyIOInfoForDSA 
variable at 1], and then used to size the buffer at 2]. Note that the code 
at 2] dereferences a pointer embedded in the copied structure. That pointer 
references a memory location in user-space, and dereferencing it directly 
from kernel code should cause a page fault to occur.

The value is then added to 4096 (see 3]) when used to allocate the buffer. 
Part of this buffer is then used at 4], when the same user structure from 
1] is copied to an address further into the allocated buffer. If a 
properly calculated negative value is used for the add_dsa_buf_bytes 
variable, an integer overflow will occur when allocating the buffer at 3].

The smallest buffer that can be allocated via kmalloc() is 32 or 64 bytes, 
depending on the platform. Yet it is still possible to overflow the 
buffer at 4], once you take into account the size of the structure being 
copied and the fact that the copy begins at offset 24 into the allocated 
buffer (greater, depending on platform). Depending on the location of the 
allocated buffer in the cache slab, it may be possible to overwrite slab 
control structures and execute arbitrary code. However, most likely the 
overwritten memory segment will belong to some other code, and the system 
will become unstable when that code accesses its rightful memory segment.
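To make the size arithmetic above concrete, the following is an added, user-space model of the allocation logic the advisory describes; it is not the driver's own code. The 4096 base, the 24-byte copy offset and the 32-byte minimum slab object come from the advisory; DSA_MESSAGE_ALIGNMENT, the structure size, the slab rounding rule and the MAX_FRAGMENT_LEN bound are constructed assumptions. It shows why a negative fragment length produces a too-small object and how a bounds check plus overflow-checked addition rejects that input before any allocation happens.

```c
/* Added example (not from the advisory or the driver): models the
 * "4096 + user length" allocation and a hardened replacement.
 * All constants except BASE_ALLOC, COPY_OFFSET and SLAB_MIN are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define BASE_ALLOC            4096   /* fixed part of the allocation (advisory, 3]) */
#define DSA_MESSAGE_ALIGNMENT 8      /* constructed; real value not on the page */
#define COPY_OFFSET           24     /* copy at 4] starts here (advisory) */
#define SLAB_MIN              32     /* smallest kmalloc object (advisory) */
#define KEY_IO_SIZE           64     /* constructed stand-in for sizeof(*KeyIOInfo) */
#define MAX_FRAGMENT_LEN      4096   /* constructed upper bound for the checked path */

/* Vulnerable pattern: a signed, user-controlled length is added to a fixed
 * base with no range check. A negative length shrinks the request. */
size_t vulnerable_alloc_size(int32_t user_fragment_len)
{
    int32_t add_dsa_buf_bytes = user_fragment_len + DSA_MESSAGE_ALIGNMENT;
    return (size_t)(BASE_ALLOC + add_dsa_buf_bytes);
}

/* Simplified slab model (constructed): round up to a power of two, at least
 * SLAB_MIN bytes. Real kmalloc size classes differ but the floor matches. */
size_t slab_object_size(size_t request)
{
    size_t sz = SLAB_MIN;
    while (sz < request)
        sz <<= 1;
    return sz;
}

/* 1 if a copy of copy_len bytes at COPY_OFFSET runs past the slab object. */
int copy_overflows(size_t request, size_t copy_len)
{
    return COPY_OFFSET + copy_len > slab_object_size(request);
}

/* Hardened form: reject negative or oversized lengths, then use
 * overflow-checked unsigned addition. Returns 0 on success, -1 if rejected. */
int checked_alloc_size(int32_t user_fragment_len, size_t *out)
{
    if (user_fragment_len < 0 || user_fragment_len > MAX_FRAGMENT_LEN)
        return -1;
    size_t add = (size_t)user_fragment_len + DSA_MESSAGE_ALIGNMENT;
    if (add > SIZE_MAX - BASE_ALLOC)
        return -1;                  /* cannot happen with the bound above, kept for clarity */
    *out = BASE_ALLOC + add;
    return 0;
}

/* Convenience wrapper: the checked size, or 0 when the input is rejected. */
size_t checked_alloc_size_or_zero(int32_t user_fragment_len)
{
    size_t sz = 0;
    if (checked_alloc_size(user_fragment_len, &sz) != 0)
        return 0;
    return sz;
}

int main(void)
{
    int32_t inputs[] = { 100, -4090 };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        size_t req = vulnerable_alloc_size(inputs[i]);
        printf("len=%d  vulnerable request=%zu  slab object=%zu  overflow at 4]=%d"
               "  checked=%zu\n",
               inputs[i], req, slab_object_size(req),
               copy_overflows(req, KEY_IO_SIZE),
               checked_alloc_size_or_zero(inputs[i]));
    }
    return 0;
}
```

With the constructed alignment of 8, a fragment length of -4090 turns the 4096-byte request into 14 bytes, which the slab model rounds up to a 32-byte object; the 64-byte copy at offset 24 then runs 56 bytes past the end. The checked path refuses the same input before any allocation, which is the fix shape a reviewer would ask for here: validate the untrusted length against an explicit maximum first, and never let a signed user value feed an unsigned size.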


ADDITIONAL INFORMATION

The information has been provided by Sean <mailto:infamous41md@hotpop.com>.



