oss-sec mailing list archives

CVE-2016-8632 -- Linux kernel: tipc_msg_build() doesn't validate MTU that can trigger heap overflow

From: "Qian Zhang" <tyrande000 () gmail com>
Date: Fri, 11 Nov 2016 10:49:23 +0800

Hi all,
 
Recently I found a flaw in the TIPC networking subsystem which could allow for memory corruption and possible privilege 
escalation (CVE-2016-8632).
I made this post to oss-sec for outlining the flaw and letting people know the CVE.
 
First upstream patch(it hasn't been pushed upstream yet):
https://www.mail-archive.com/netdev () vger kernel org/msg133205.html
 

UPDATE
-----------
Forgot to add CVE Assignment Team to CC list in the last mail.


VULNERABILITY
-----------------------
Recently i took a glance for function tipc_msg_build() at net/tipc/msg.c:244 on linux kernel 4.8.1.
It seems like tipc_msg_build() doesn't validate the parameter pktmax(MTU) passed from tipc_sendmcast(), and if I could 
change this value lower than (INT_H_SIZE + mhsz), It maybe can trigger heap overflow in skb->data.
 
static int tipc_sendmcast(struct  socket *sock, struct tipc_name_seq *seq,
                  struct msghdr *msg, size_t dsz, long timeo) 
{
         . . .
 
new_mtu:
         mtu = tipc_bcast_get_mtu(net);
         rc = tipc_msg_build(mhdr, msg, 0, dsz, mtu, &pktchain);
 
         . . .
}
 
int tipc_msg_build(struct tipc_msg *mhdr, struct msghdr *m,
                      int offset, int dsz, int pktmax, struct sk_buff_head *list)
{
         int mhsz = msg_hdr_sz(mhdr);
         int msz = mhsz + dsz;
         int pktno = 1;
         int pktsz;
         int pktrem = pktmax;
         int drem = dsz;
         struct tipc_msg pkthdr;
         struct sk_buff *skb;
         char *pktpos;
         int rc;
 
         msg_set_size(mhdr, msz);
 
         . . .
 
         /* Prepare first fragment */
         skb = tipc_buf_acquire(pktmax);
         if (!skb)
                   return -ENOMEM;
         skb_orphan(skb);
         __skb_queue_tail(list, skb);
         pktpos = skb->data;
         skb_copy_to_linear_data(skb, &pkthdr, INT_H_SIZE);
         pktpos += INT_H_SIZE;
         pktrem -= INT_H_SIZE;
         skb_copy_to_linear_data_offset(skb, INT_H_SIZE, mhdr, mhsz);
         pktpos += mhsz;
         pktrem -= mhsz;
 
         . . .
}
 
The MTU value can obtained from tipc_bcast_get_mtu(), and this value can be settled by tipc_link_set_mtu(), I search 
around withing the source code of 4.8.1, founded that only tipc_bcbase_select_primary() invokes tipc_link_set_mtu().
 
static void tipc_bcbase_select_primary(struct net *net)
{
         . . .
 
         for (i = 0; i < MAX_BEARERS; i++) {
                   if (!bb->dests[i])
                            continue;
 
                   mtu = tipc_bearer_mtu(net, i);
                   if (mtu < tipc_link_mtu(bb->link))
                            tipc_link_set_mtu(bb->link, mtu);
 
                   . . .
         }
}
 
int tipc_bearer_mtu(struct net *net, u32 bearer_id)
{
         int mtu = 0;
         struct tipc_bearer *b;
 
         rcu_read_lock();
         b = rcu_dereference_rtnl(tipc_net(net)->bearer_list[bearer_id]);
         if (b)
                   mtu = b->mtu;
         rcu_read_unlock();
         return mtu;
}
 
Obviously tipc_bearer_mtu() return MTU value by object tipc_bearer which directly inherited from net device MTU.(eth0 
MTU on my situation)
 
 
INFO
-------
Red Hat Product Security has assigned CVE-2016-8632 to this vulnerability.
This issue may cause memory corruption and even escalate privilege if we layout the appropriate heap space by any user 
with CAP_NET_ADMIN.
 
 
AFFECTED VERSION
---------------------------
I use kernel 4.6.2 x86_64 to reproduce the issue, but it also seems like vulnerable in the latest kernel 
version(4.9-rc4).


SOLUTION
---------------
First upstream patch:
https://www.mail-archive.com/netdev () vger kernel org/msg133205.html
 
 
CREDITS
------------
This vulnerability was found by Qian Zhang from MarvelTeam Qihoo 360.
 
 
On Mon, Nov 7, 2016 at 9:29 AM, Red Hat Product Security <secalert () redhat com> wrote:

Gday,

I've asked our team to assign you one from the internal pool. Please, use CVE-2016-8632.
The next step is usually making a post explaining this issue to OSS-sec list. Ben (upstream) mentions that this patch 
is already public ( https://www.mail-archive.com/netdev () vger kernel org/msg133205.html ) I was planning to 
unembargo this flaw.

The next step as we discussed would be for you to make a post to oss-sec outlining the flaw and letting people know 
the CVE. Please make the post to oss-sec explaining the flaw and referencing the first upstream patch.
https://www.mail-archive.com/netdev () vger kernel org/msg133205.html

Thanks, let me know if I can help.

Wade Mealing

Current thread:

CVE-2016-8632 -- Linux kernel: tipc_msg_build() doesn't validate MTU that can trigger heap overflow tyrande000 () gmail com (Nov 08)
- <Possible follow-ups>
- CVE-2016-8632 -- Linux kernel: tipc_msg_build() doesn't validate MTU that can trigger heap overflow Qian Zhang (Nov 10)