
Re: [oss-security] Linux kernel: qrtr: another out-of-bound Read in qrtr_endpoint_post in net/qrtr/qrtr.c

> On 25 Aug 2021, at 03:40, butt3rflyh4ck <butterflyhuangxx AT gmail.com> wrote:
> 
> Hi, there was another out-of-bound read bug in qrtr_endpoint_post in
> net/qrtr/qrtr.c in 5.14.0-rc6+, and I reproduced it.
> 
> This check in qrtr_endpoint_post was incomplete; it did not consider that size is 0:
> ```
> if (len != ALIGN(size, 4) + hdrlen)
>                goto err;
> ```
> If size from qrtr_hdr is 0, the result of ALIGN(size, 4) will be 0.
> In case of len == hdrlen and size == 0 in the header, this check won't fail, and
> ```
> if (cb->type == QRTR_TYPE_NEW_SERVER) {
>         /* Remote node endpoint can bridge other distant nodes */
>         const struct qrtr_ctrl_pkt *pkt = data + hdrlen;
>         qrtr_node_assign(node, le32_to_cpu(pkt->server.node));
> }
> ```
> will also read out of bounds from data, which is an hdrlen-sized allocated block.
> 
> 
> #analyze and some details
> https://lists.openwall.net/netdev/2021/08/17/124
> 
> #patch
> https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/commit/?id=7e78c597c3eb
> now not available upstream.

Hi,

Did you ask for a CVE for this bug?

jch

> 
> #Timeline
> * 2021/8/17 - Vulnerability reported to netdev AT vger.kernel.org.
> * 2021/8/20 - Vulnerability confirmed and patched.
> * 2021/8/23 - Vulnerability reported to secalert AT redhat.com.
> * 2021/8/25 - Opened on oss-security AT lists.openwall.com.
> 
> #Credit
> Active Defense Lab of Venustech.
> 
> 
> Regards,
> butt3rflyh4ck.
> 
> --
> Active Defense Lab of Venustech

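To make the quoted reasoning concrete, here is a constructed C model of the length check in qrtr_endpoint_post, with the original check beside a variant that refuses to dereference a control packet the payload cannot hold. This is editorial example code, not the kernel's code or the referenced patch: the header length (32), the QRTR_TYPE_NEW_SERVER value, and the struct layout are assumptions chosen for the model.

```c
#include <stddef.h>
#include <stdint.h>

/* Model of the kernel's ALIGN() macro for a power-of-two alignment. */
#define ALIGN(x, a) (((x) + ((a) - 1)) & ~((a) - 1))
#define QRTR_TYPE_NEW_SERVER 4   /* assumed value for this model */
#define MODEL_HDRLEN 32          /* constructed v1 header length */

/* Modelled control packet; field order is an assumption. The bug path
 * only reads server.node, so that is the field whose bounds we track. */
struct qrtr_ctrl_pkt {
    uint32_t cmd;
    struct { uint32_t node; uint32_t port; uint32_t service; uint32_t instance; } server;
};

/* Bytes the NEW_SERVER branch touches: header, then pkt->server.node. */
static size_t bytes_needed_for_server_node(size_t hdrlen)
{
    return hdrlen + offsetof(struct qrtr_ctrl_pkt, server) + sizeof(uint32_t);
}

/* Original check as quoted in the mail. Returns 1 if the packet passes the
 * check and the NEW_SERVER read then runs past the end of the len-byte
 * buffer (the out-of-bound read), 0 if it is rejected or stays in bounds. */
static int oob_read_with_weak_check(size_t len, size_t hdrlen, uint32_t size, int type)
{
    if (len != ALIGN(size, 4) + hdrlen)
        return 0;                              /* goto err */
    if (type != QRTR_TYPE_NEW_SERVER)
        return 0;                              /* branch not taken */
    return bytes_needed_for_server_node(hdrlen) > len;
}

/* Hardened variant: a NEW_SERVER packet whose declared payload is smaller
 * than a whole control packet is rejected before pkt is dereferenced. */
static int oob_read_with_size_check(size_t len, size_t hdrlen, uint32_t size, int type)
{
    if (len != ALIGN(size, 4) + hdrlen)
        return 0;                              /* goto err */
    if (type == QRTR_TYPE_NEW_SERVER && size < sizeof(struct qrtr_ctrl_pkt))
        return 0;                              /* goto err: payload too short */
    if (type != QRTR_TYPE_NEW_SERVER)
        return 0;
    return bytes_needed_for_server_node(hdrlen) > len;
}
```

With size == 0 and len == MODEL_HDRLEN, ALIGN(0, 4) is 0, so the original check passes and the model reports a read 8 bytes past the buffer; the size check rejects the same packet.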