The OpenNET Project
 
Search (keywords):  SOFT ARTICLES TIPS & TRICKS SECURITY
LINKS NEWS MAN DOCUMENTATION


[UNIX] Linux Broadcom 5820 Cryptonet Driver Integer Overflow


<< Previous INDEX Search src Set bookmark Go to bookmark Next >>
Date: 24 Jun 2004 19:08:41 +0200
From: SecuriTeam <[email protected]>
To: [email protected]
Subject: [UNIX] Linux Broadcom 5820 Cryptonet Driver Integer Overflow

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -



  Linux Broadcom 5820 Cryptonet Driver Integer Overflow
------------------------------------------------------------------------


SUMMARY

There exists an integer verflow in the Linux cryptonet driver.  A user 
supplied value is used to size a dynamic buffer, and this buffer is 
subsequently filled with user supplied data.

Local DoS condition and arbitrary code execution are possible through 
exploitation of the vulnerability. However, the driver is not present is 
most Linux distributions.

DETAILS

Vulnerable Systems:
 * RedHat Linux 8, kernel version 2.4.20

Note: If the driver is installed its sources can be found at:  
/usr/src/linux/drivers/crypto/bcm/

The ubsec_ioctl() function is used to setup various operating parameters 
for the device driver. One of the commands is used to setup the key being 
used for encryption. This occurs in the following code from 
/drivers/crypto/bcm/dispatch.c, line 196:
--------------------------------- Begin Code 
---------------------------------
case UBSEC_KEY_SETUP_FUNC:
    status = ubsec_keysetup(DeviceInfoList[SelectedDevice].Context, (void 
*)arg);
    break;
---------------------------------- End Code 
----------------------------------

Which calls this function found in /drivers/crypto/bcm/pkey.c, line 91:
--------------------------------- Begin Code 
---------------------------------
int ubsec_keysetup(ubsec_DeviceContext_t pContext, ubsec_key_io_t 
*pKeyIOInfo)
{
    ...snip....

1]
  copy_from_user( &KeyIOInfoForDSA,pKeyIOInfo, sizeof(KeyIOInfoForDSA));

  if((KeyIOInfoForDSA.command == UBSEC_DSA_SIGN) || 
(KeyIOInfoForDSA.command == UBSEC_DSA_VERIFY)) {
    message_alignment = DSA_MESSAGE_ALIGNMENT;
2]
    add_dsa_buf_bytes = 
KeyIOInfoForDSA.key.DSAParams.InputFragments->FragmentLength + 
DSA_MESSAGE_ALIGNMENT;
  }
   
   .......

3]
  pkey_buf = (unsigned char *) 
kmalloc((4096+add_dsa_buf_bytes),GFP_KERNEL|GFP_ATOMIC);
  pCommandContext = (CommandContext_pt)pkey_buf;
  kcmd = (ubsec_KeyCommandInfo_pt) &pCommandContext[1];
  KeyIOInfo = (ubsec_key_io_pt)&kcmd[1];
  KeyLoc = ((unsigned char *)&KeyIOInfo[1]) + message_alignment;
  
4]
  copy_from_user( KeyIOInfo, pKeyIOInfo, sizeof(*KeyIOInfo));

   ...snip...
}
---------------------------------- End Code 
----------------------------------

The last argument passed to ubsec_keysetup() is the device specific user 
supplied argument to ioctl().  It is copied into the KeyIOInfoForDSA 
variable at 1], and then used to size the buffer at 2]. The code is 
accessing a pointer embedded in the structure. The pointer references a 
memory location in user-space and dereferencing it should cause a page 
fault to occur.

The value is then added to 4096 (see 3]) when used to allocate the buffer. 
Part of this buffer is then used at 4] when the same user structure from 
1] is copied into an address further into the allocated buffer. If a 
properly calculated negative value is used for the add_dsa_buf_bytes 
variable, an integer overflow will occur when allocating the buffer at 3].

The smallest buffer that can be allocated via kmalloc() is 32 or 64 bytes, 
depending on the platform. Yet, it is still possible to overflow the 
buffer at 4]. If you take into account the size of the structure being 
copied and the fact that copying begins from offset 24 in the buffer 
(greater, depending on platform), into the allocated buffer. Depending on 
the location of the allocated buffer in the cache slab, it may be possible 
to overwrite slab control structures and execute arbitrary code. However 
most likely the overwritten memory segment will belong to some other code 
and the system will become unstable when the other code accesses it's 
rightful memory segment.


ADDITIONAL INFORMATION

The information has been provided by  <mailto:[email protected]> 
Sean.




This bulletin is sent to members of the SecuriTeam mailing list. To unsubscribe from the list, send mail with an empty subject line and body to: [email protected] In order to subscribe to the mailing list, simply forward this email to: [email protected]

DISCLAIMER: The information in this bulletin is provided "AS IS" without warranty of any kind. In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

<< Previous INDEX Search src Set bookmark Go to bookmark Next >>



Партнёры:
PostgresPro
Inferno Solutions
Hosting by Hoster.ru
Хостинг:

Закладки на сайте
Проследить за страницей
Created 1996-2024 by Maxim Chirkov
Добавить, Поддержать, Вебмастеру