Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1754948AbbEMSe3 (ORCPT ); Wed, 13 May 2015 14:34:29 -0400 Received: from frisell.zx2c4.com ([192.95.5.64]:55022 "EHLO frisell.zx2c4.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1754921AbbEMSe0 (ORCPT ); Wed, 13 May 2015 14:34:26 -0400 From: "Jason A. Donenfeld" To: shigekatsu.tateno@atmel.com, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, oss-security@lists.openwall.com Cc: "Jason A. Donenfeld" Subject: [PATCH 0/4] ozwpan: Four remote packet-of-death vulnerabilities Date: Wed, 13 May 2015 20:33:30 +0200 Message-Id: <1431542014-3239-1-git-send-email-Jason@zx2c4.com> X-Mailer: git-send-email 2.3.6 Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 2795 Lines: 62 The ozwpan driver accepts network packets, parses them, and converts them into various USB functionality. There are numerous security vulnerabilities in the handling of these packets. Two of them result in a memcpy(kernel_buffer, network_packet, -length), one of them is a divide-by-zero, and one of them is a loop that decrements -1 until it's zero. I've written a very simple proof-of-concept for each one of these vulnerabilities to aid with detecting and fixing them. The general operation of each proof-of-concept code is: - Load the module with: # insmod ozwpan.ko g_net_dev=eth0 - Compile the PoC with ozprotocol.h from the kernel tree: $ cp /path/to/linux/drivers/staging/ozwpan/ozprotocol.h ./ $ gcc ./poc.c -o ./poc - Run the PoC: # ./poc eth0 [mac-address] These PoCs should also be useful to the maintainers for testing out constructing and sending various other types of malformed packets against which this driver should be hardened. Please assign CVEs for these vulnerabilities. I believe the first two patches of this set can receive one CVE for both, and the remaining two can receive one CVE each. On a slightly related note, there are several other vulnerabilities in this driver that are worth looking into. When ozwpan receives a packet, it casts the packet into a variety of different structs, based on the value of type and length parameters inside the packet. When making these casts, and when reading bytes based on this length parameter, the actual length of the packet in the socket buffer is never actually consulted. As such, it's very likely that a packet could be sent that results in the kernel reading memory in adjacent buffers, resulting in an information leak, or from unpaged addresses, resulting in a crash. In the former case, it may be possible with certain message types to actually send these leaked adjacent bytes back to the sender of the packet. So, I'd highly recommend the maintainers of this driver go branch-by-branch from the initial rx function, adding checks to ensure all reads and casts are within the bounds of the socket buffer. Jason A. Donenfeld (4): ozwpan: Use proper check to prevent heap overflow ozwpan: Use unsigned ints to prevent heap overflow ozwpan: divide-by-zero leading to panic ozwpan: unchecked signed subtraction leads to DoS drivers/staging/ozwpan/ozhcd.c | 8 ++++---- drivers/staging/ozwpan/ozusbif.h | 4 ++-- drivers/staging/ozwpan/ozusbsvc1.c | 11 +++++++++-- 3 files changed, 15 insertions(+), 8 deletions(-) -- 2.3.6 -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/