Linux visor (treo_attach) Nullpointer Dereference
Date: March 4th, 2016
Authors: Sergej Schumilo, Hendrik Schwartke, Ralf Spenneberg
CVE: CVE-2016-2782
CVSS: 4.9 (AV:L/AC:L/Au:N/C:N/I:N/A:C)
Title: Local RedHat Enterprise Linux DoS – RHEL 7.1 Kernel crashes on invalid
USB device descriptors (visor treo_attach driver)
Severity: Critical. The Kernel panics. A reboot is required.
Ease of Exploitation: Trivial
Vulnerability type: Wrong input validation
Products: RHEL 7.1 including all updates
Kernel-Version: 3.10.0-229.20.1.el7.x86_64 (for debugging-purposes we used the
CentOS Kernel kernel-debuginfo-3.10.0-229.
Vendor: Red Hat
Vendor contacted: November, 12th 2015
PDF of the advisory: https://os-s.net//advisories/
Abstract:
The Kernel 3.10.0-229.20.1.el7.x86_64 crashes on presentation of a buggy USB
device requiring the visor (treo_attach) driver.
Detailed product description:
We confirmed the bug on the following system:
RHEL 7.1
Kernel 3.10.0-229.20.1.el7.x86_64
Further products or kernel versions have not been tested.
How reproducible: Always
Actual results: Kernel crashes.
Description:
The bug was found using the USB-fuzzing framework vUSBf from Sergej Schumilo
(github.com/schumilo) using the following device descriptor:
[*] Device-Descriptor
bLength: 0x12
bDescriptorType: 0x1
bcdUSB: 0x200
bDeviceClass: 0x3
bDeviceSubClass: 0x0
bDeviceProtocol: 0x0
bMaxPacketSize: 0x40
idVendor: 0x82d
idProduct: 0x200
bcdDevice: 0x100
iManufacturer: 0x1
iProduct: 0x2
iSerialNumbers: 0x3
bNumConfigurations: 0x1
The treo_attach function does not use the num_ports (struct usb_serial) value
for any kind of sanity checks during the initialization process. Due to an
incomplete sanity check, the driver could try to dereference a null-pointer if
a malformed device-descriptor is presented (zero-value for bNumEndpoints or no
required endpoint-descriptors is provided).
This results in a crash of the system.
****
...
554 #define COPY_PORT(dest, src) \
555 do { \
556 int i; \
557 \
558 for (i = 0; i < ARRAY_SIZE(src->read_urbs); ++i) { \
559 dest->read_urbs[i] = src->read_urbs[i]; \ /* Possible
Nullpointer-Dereference */
560 dest->read_urbs[i]->context = dest; \
561 dest->bulk_in_buffers[i] = src->bulk_in_buffers[i]; \
562 } \
563 dest->read_urb = src->read_urb; \
564 dest->bulk_in_endpointAddress = src->bulk_in_endpointAddress;\
565 dest->bulk_in_buffer = src->bulk_in_buffer; \
566 dest->bulk_in_size = src->bulk_in_size; \
567 dest->interrupt_in_urb = src->interrupt_in_urb; \
568 dest->interrupt_in_urb->
569 dest->interrupt_in_
570 src->interrupt_in_
571 dest->interrupt_in_buffer = src->interrupt_in_buffer; \
572 } while (0);
573
574 swap_port = kmalloc(sizeof(*swap_port), GFP_KERNEL);
575 if (!swap_port)
576 return -ENOMEM;
577 COPY_PORT(swap_port, serial->port[0]); /* no sanity-check! */
578 COPY_PORT(serial->port[0], serial->port[1]); /* no sanity-check! */
579 COPY_PORT(serial->port[1], swap_port); /* no sanity-check! */
...
****
[*] Configuration-Descriptor
bLength: 0x9
bDescriptorType: 0x2
wTotalLength: 0x27
bNumInterfaces: 0x1
bConfigurationValue: 0x1
iConfiguration: 0x0
bmAttributes: 0x0
bMaxPower: 0x31
[*] Interface-Descriptor
bLength: 0x9
bDescriptorType: 0x4
bInterfaceNumber: 0x0
bAlternateSetting: 0x0
bNumEndpoints: 0x3
bInterfaceClass: 0x0
bInterfaceSubClass: 0x0
bInterfaceProtocol: 0x0
[*] Endpoint-Descriptor:
bLength: 0x7
bDescriptorType: 0x5
bEndpointAddress: 0x81
bmAttribut: 0x3
wMaxPacketSize: 0x404
bInterval: 0xc
[*] Endpoint-Descriptor:
bLength: 0x7
bDescriptorType: 0x5
bEndpointAddress: 0x1
bmAttribut: 0x2
wMaxPacketSize: 0x4
bInterval: 0xc
[*] Endpoint-Descriptor:
bLength: 0x7
bDescriptorType: 0x5
bEndpointAddress: 0x82
bmAttribut: 0x1
wMaxPacketSize: 0x4
bInterval: 0xc
Proof of Concept:
For a proof of concept, we are providing an Arduino Leonardo firmware file. This
firmware will emulate the defective USB device.
avrdude -v -p ATMEGA32u4 -c avr109 -P /dev/ttyACM0 -b 57600 -U
flash:w:binary.hex
The firmware has been attached to this bug report.
To prevent the automated delivery of the payload, a jumper may be used to
connect port D3 and 3V3!
Severity and Ease of Exploitation:
The vulnerability can be easily exploited. Using our Arduino Leonardo firmware,
only physical access to the system is required.
Vendor Communication:
We contacted Red Hat on the November, 12th 2015.
This bug was fixed upstream. A CVE number was not assigned.
References:
https://bugzilla.redhat.com/
http://git.kernel.org/cgit/
Kernel Stacktrace:
[ 35.176832] usb 1-1: new full-speed USB device number 2 using xhci_hcd
[ 35.400183] usb 1-1: New USB device found, idVendor=082d, idProduct=0200
[ 35.407780] usb 1-1: New USB device strings: Mfr=1, Product=2,
SerialNumber=3
[ 35.417186] usb 1-1: Product: ĉ
[ 35.421846] usb 1-1: Manufacturer: ĉ
[ 35.425686] usb 1-1: SerialNumber: %
[ 35.438608] usb 1-1: ep 0x81 - rounding interval to 64 microframes, ep desc
says 96 microframes
[ 35.493316] usbcore: registered new interface driver visor
[ 35.503150] usbserial: USB Serial support registered for Handspring Visor /
Palm OS
[ 35.512980] usbserial: USB Serial support registered for Sony Clie 5.0
[ 35.521056] usbserial: USB Serial support registered for Sony Clie 3.5
[ 35.535245] visor 1-1:1.0: Handspring Visor / Palm OS converter detected
[ 35.542409] BUG: unable to handle kernel NULL pointer dereference at
00000000000000b0
[ 35.543244] IP: [<ffffffffa0393651>] treo_attach+0x61/0x340 [visor]
[ 35.543244] PGD 0
[ 35.543244] Oops: 0002 [#1] SMP
[ 35.543244] Modules linked in: visor(+) ip6t_rpfilter ip6t_REJECT ipt_REJECT
xt_conntrack ebtable_nat ebtable_broute bridge stp llc ebtable_filter ebtables
ip6table_nat nf_conntrack_ipv6 nf_defrag_ipv6 nf_nat_ipv6 ip6table_mangle
ip6table_security ip6table_raw ip6table_filter ip6_tables iptable_nat
nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack
iptable_mangle iptable_security iptable_raw iptable_filter ip_tables bochs_drm
ppdev syscopyarea sysfillrect sysimgblt ttm drm_kms_helper drm pcspkr i2c_piix4
i2c_core serio_raw parport_pc parport xfs libcrc32c sd_mod sr_mod crc_t10dif
cdrom crct10dif_common ata_generic pata_acpi ata_piix libata e1000 floppy
dm_mirror dm_region_hash dm_log dm_mod
[ 35.543244] CPU: 0 PID: 2220 Comm: systemd-udevd Not tainted
3.10.0-229.14.1.el7.x86_64 #1
[ 35.543244] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
rel-1.8.2-0-g33fbe13 by qemu-project.org 04/01/2014
[ 35.543244] task: ffff88000bcfa220 ti: ffff88000bd20000 task.ti: ffff88000bd20000
[ 35.543244] RIP: 0010:[<ffffffffa0393651>] [<ffffffffa0393651>]
treo_attach+0x61/0x340 [visor]
[ 35.543244] RSP: 0018:ffff88000bd23a78 EFLAGS: 00010286
[ 35.543244] RAX: ffff88000003c000 RBX: ffff88000af979c0 RCX: 000000000000a0e2
[ 35.543244] RDX: 0000000000000000 RSI: 00000000000000d0 RDI: ffff88000e401400
[ 35.543244] RBP: ffff88000bd23a80 R08: 00000000000164c0 R09: ffff88000e401400
[ 35.543244] R10: ffffffffa0393636 R11: ffff88000bcd0000 R12: 0000000000000404
[ 35.543244] R13: ffff88000be6b000 R14: ffff88000af979c0 R15: ffffffffa0395400
[ 35.543244] FS: 00007fb8082b4880(0000) GS:ffff88000fc00000(0000)
knlGS:0000000000000000
[ 35.543244] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[ 35.543244] CR2: 00000000000000b0 CR3: 000000000c51f000 CR4:
00000000000006f0
[ 35.543244] DR0: 0000000000000000 DR1: 0000000000000000 DR2:
0000000000000000
[ 35.543244] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[ 35.543244] Stack:
[ 35.543244] ffff88000bcd0090 ffff88000bd23c18 ffffffff8145fed1 0000000000000007
[ 35.543244] 000000020bd23af8 ffff88000c525830 0000000100000000 ffffffffa0395400
[ 35.543244] 0000010000000001 ffff88000bcd0000 0000000000000100
ffff88000bcd0090
[ 35.543244] Call Trace:
[ 35.543244] [<ffffffff8145fed1>] usb_serial_probe+0xdb1/0x1230
[ 35.543244] [<ffffffff812d649c>] ? ida_get_new_above+0x7c/0x2a0
[ 35.543244] [<ffffffff811aba6a>] ? kmem_cache_alloc+0x1ba/0x1d0
[ 35.543244] [<ffffffff8123e5b2>] ? sysfs_addrm_finish+0x42/0xe0
[ 35.543244] [<ffffffff8123e391>] ? __sysfs_add_one+0x61/0x100
[ 35.543244] [<ffffffff8141dc04>] usb_probe_interface+0x1c4/
[ 35.543244] [<ffffffff813d30d7>] driver_probe_device+0x87/0x390
[ 35.543244] [<ffffffff813d34b3>] __driver_attach+0x93/0xa0
[ 35.543244] [<ffffffff813d3420>] ? __device_attach+0x40/0x40
[ 35.543244] [<ffffffff813d0e43>] bus_for_each_dev+0x73/0xc0
[ 35.543244] [<ffffffff813d2b2e>] driver_attach+0x1e/0x20
[ 35.543244] [<ffffffff8145ec4b>] usb_serial_register_drivers+
[ 35.543244] [<ffffffffa0398000>] ? 0xffffffffa0397fff
[ 35.543244] [<ffffffffa039801e>] usb_serial_module_init+0x1e/
[ 35.543244] [<ffffffff810020e8>] do_one_initcall+0xb8/0x230
[ 35.543244] [<ffffffff810dd0ee>] load_module+0x133e/0x1b40
[ 35.543244] [<ffffffff812f7d60>] ? ddebug_proc_write+0xf0/0xf0
[ 35.543244] [<ffffffff810d96b3>] ? copy_module_from_fd.isra.42+
[ 35.543244] [<ffffffff810ddaa6>] SyS_finit_module+0xa6/0xd0
[ 35.543244] [<ffffffff81614389>] system_call_fastpath+0x16/0x1b
[ 35.543244] Code: e1 ba 50 05 00 00 be d0 00 00 00 e8 4a 84 e1 e0 48 85 c0
0f 84 e1 02 00 00 48 8b 53 20 48 8b 92 b8 01 00 00 48 89 90 b8 01 00 00 <48>
89 82 b0 00 00 00 48 8b 53 20 48 8b 92 a8 01 00 00 48 89 90
[ 35.543244] RIP [<ffffffffa0393651>] treo_attach+0x61/0x340 [visor]
[ 35.543244] RSP <ffff88000bd23a78>
[ 35.543244] CR2: 00000000000000b0
[ 35.973188] ---[ end trace b239663354a1c556 ]---
[ 35.978862] Kernel panic - not syncing: Fatal exception
[ 35.979835] drm_kms_helper: panic occurred, switching back to text console
Komentarų nėra:
Rašyti komentarą