[PATCH] nvram: Fix root triggerable integer overflow crash

From: Michael Buesch
Date: Fri Jul 17 2009 - 20:57:49 EST

Next message: Carlos R. Mafra: "Re: kernel stuck at trying to change CPU resolution."
Previous message: Andrew Morton: "Re: [PATCH] kernel.printk.c - ensure that "console enabled"messages are printed on the console"
Next in thread: Henrique de Moraes Holschuh: "Re: [PATCH] nvram: Fix root triggerable integer overflow crash"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

The following patch fixes a root triggerable integer overflow based kernel crash.

The nvram_write() file operation subtracts the loff_t file offset from NVRAM_BYTES
without checks. This might result in an overflow of the integer. That value
is used for bounds checking of the "count", which is the buffer size to be copied
from userspace to the kernel stack.
So root can render the "count" check useless by overflowing the loff_t offset (which is "i").
copy_from_user() will then copy arbitrary amounts of memory to the kernel stack.

The userspace program to crash the kernel is as follows:
(Be careful when running the testcase. It might trash your NVRAM)

#include <unistd.h>
#include <fcntl.h>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>

#define NVRAM_BYTES 128

int main(void)
{
ssize_t res;
int fd;
char *buf;
unsigned int bufsize;

fd = open("/dev/nvram", O_RDWR);
if (fd < 0) {
printf("Could not open nvram device\n");
return 1;
}
bufsize = NVRAM_BYTES + 100;
buf = malloc(bufsize);
if (!buf) {
printf("Out of memory\n");
return 1;
}
memset(buf, 0, bufsize);
res = pwrite(fd, buf, bufsize, NVRAM_BYTES + 1);
if (res == bufsize)
printf("NVRAM write succeed\n");
else
printf("NVRAM write failed\n");
}

Signed-off-by: Michael Buesch <mb@xxxxxxxxx>

---

This bug probably is exploitable by overwriting the function return address or something
like that. But let's hope there's no distribution out there with user write permissions
on the /dev/nvram node. So it's probably only exploitable by root.
Comments on the exploitability are welcome. :)

Index: linux-2.6.30/drivers/char/nvram.c
===================================================================
--- linux-2.6.30.orig/drivers/char/nvram.c 2009-07-18 01:29:50.000000000 +0200
+++ linux-2.6.30/drivers/char/nvram.c 2009-07-18 02:47:35.000000000 +0200
@@ -267,6 +267,8 @@
unsigned char *tmp;
int len;

+ if (i >= NVRAM_BYTES)
+ return -EINVAL;
len = (NVRAM_BYTES - i) < count ? (NVRAM_BYTES - i) : count;
if (copy_from_user(contents, buf, len))
return -EFAULT;

--
Greetings, Michael.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Carlos R. Mafra: "Re: kernel stuck at trying to change CPU resolution."
Previous message: Andrew Morton: "Re: [PATCH] kernel.printk.c - ensure that "console enabled"messages are printed on the console"
Next in thread: Henrique de Moraes Holschuh: "Re: [PATCH] nvram: Fix root triggerable integer overflow crash"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]