Received: by 2002:a05:6500:1b45:b0:1f5:f2ab:c469 with SMTP id cz5csp210530lqb; Tue, 16 Apr 2024 13:17:21 -0700 (PDT) X-Forwarded-Encrypted: i=2; AJvYcCU4puBjexxIPX7H/Uufj+GUBBYffORR+V9J1RpuTKxargvIHlSAPotxvgerByFNYNi4TwL40dl/77xhtjYVR5mppurYpma4rUBIJQC8XQ== X-Google-Smtp-Source: AGHT+IHsbEqcuFAPe2zzvYavRJ37efSmXt+bZVqRX3jZJESRtBdY/bDqvUikhcuDjmUVPU12Nbkv X-Received: by 2002:a05:622a:3c8:b0:437:95d:4779 with SMTP id k8-20020a05622a03c800b00437095d4779mr7079505qtx.47.1713298641261; Tue, 16 Apr 2024 13:17:21 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1713298641; cv=none; d=google.com; s=arc-20160816; b=ZlDXXD0vmf0SGqOrNg1Zq5K49cvJS1vtb5gvvwNKPjT85zPN+GeoDXPqYeScXNntxe 5vmT/yTr13lmO258KfF2vzjqG7qWm5VZ8FfSB7geISrdc3M56hsQsgxteiHZ0VBxFaES GfKguYfpCLJCzwpbVA5CAaQ1jxHQlEIR4AXsp7A3ADQMK3AECs27FO83BUfLP9TythVT CDmmGuskbjUuYADX0IWjDg6Uk/0oBUqCAJbiFz9Lo4frvfPwGnXEa2BFSeI87/SQbGrD E+Ql01006jvB2XaHS+xWS/4MI6P/hCMLPDGn+L/rPuRF2XxbaEdMq+jqAEfE3Jqo1viU WKcg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=subject:user-agent:in-reply-to:content-disposition:mime-version :references:message-id:to:from:date:delivered-to:delivered-to :reply-to:list-id:list-subscribe:list-unsubscribe:list-help :list-post:precedence:mailing-list; bh=QpKfF1NCFwEqjO9GKLs8L5wR78cR8NluVgsuPwae9Y4=; fh=9jsPTyo6edd9xvAeG+KFFrRrXMmgB/RdwUKOrvy9dcA=; b=Fvm3Ns/fKkrtG/AHuvZG1w6UVmpco+MMnYa+RNRwkK9Uxr7tNnvfNoVyhtn57EQVTv WqhdNN98wWV8dtzqrfdjw/Y0fPLAxXmu7sUFguI6y78vwQrcoYQJWIap2racAC3pFd0i IsUNvNBsejHdy0463xY4ONQTRq/gc5kweqmFLuiurUBH38CmvfjLh5dEEqRA+dwd+HN8 rzL+ivwNIO/0sA4E4hu8eF1HBiRdYC39HKoFMibZJLDe7FfC7ublkgpAE4z4K/L9O+vo OoRH+DIRa3bFcNY6xvu4J93C85Ovkft5UVhg7XvZfkS1mOKA1skN1sLsq5zle6esWgkW DB3Q==; dara=google.com ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of oss-security-return-30033-linux.lists.archive=gmail.com@lists.openwall.com designates 193.110.157.125 as permitted sender) smtp.mailfrom="oss-security-return-30033-linux.lists.archive=gmail.com@lists.openwall.com" Return-Path: Received: from second.openwall.net (second.openwall.net. [193.110.157.125]) by mx.google.com with SMTP id y9-20020ac85249000000b004347a268701si7437068qtn.419.2024.04.16.13.17.20 for ; Tue, 16 Apr 2024 13:17:21 -0700 (PDT) Received-SPF: pass (google.com: domain of oss-security-return-30033-linux.lists.archive=gmail.com@lists.openwall.com designates 193.110.157.125 as permitted sender) client-ip=193.110.157.125; Authentication-Results: mx.google.com; spf=pass (google.com: domain of oss-security-return-30033-linux.lists.archive=gmail.com@lists.openwall.com designates 193.110.157.125 as permitted sender) smtp.mailfrom="oss-security-return-30033-linux.lists.archive=gmail.com@lists.openwall.com" Received: (qmail 30407 invoked by uid 550); 16 Apr 2024 20:16:57 -0000 Mailing-List: contact oss-security-help@lists.openwall.com; run by ezmlm Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-ID: Reply-To: oss-security@lists.openwall.com Delivered-To: mailing list oss-security@lists.openwall.com Delivered-To: moderator for oss-security@lists.openwall.com Received: (qmail 28505 invoked from network); 16 Apr 2024 20:16:14 -0000 Date: Tue, 16 Apr 2024 22:16:02 +0200 From: Solar Designer To: oss-security@lists.openwall.com Message-ID: <20240416201602.GA21501@openwall.com> References: <607d5716-128f-44c5-ab52-6dde4ca6e8a4@christopher-kunz.de> <20240410211457.GA20881@openwall.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20240410211457.GA20881@openwall.com> User-Agent: Mutt/1.4.2.3i Subject: Re: [oss-security] New Linux LPE via GSMIOC_SETCONF_DLCI? On Wed, Apr 10, 2024 at 11:14:57PM +0200, Solar Designer wrote: > On Wed, Apr 10, 2024 at 09:56:33PM +0200, Dr. Christopher Kunz wrote: > > 1. YuriiCrimson's version (April 6-ish) > > > > It seems to use GSMIOC_SETCONF_DLCI, PoC supposedly works on current Ubuntu > > and Debians, but is stopped by LKRG. > > > > PoC and writeup are here: > > https://github.com/YuriiCrimson/ExploitGSM/tree/main > > According to YuriiCrimson: > > https://twitter.com/YuriiCrimson/status/1778163455075217443 > > "Exploit 6.4 - 6.5 using race condition in gsm_dlci_config. > Exploit for 5.15 - 6.5. using race condition in > gsm_dlci_open->gsm_modem_update->gsm_modem_upd_via_msc->gsm_control_wait. > We just waiting on gsm_cobtrol_wait and restart config for make free > dlci)). So it two zero days." > > > 3. ZDI-24-020 / CVE-2023-6546 (January) > > > > This also exploits a race condition resulting UAF in the gsm_dlci struct. > > It's a little older. > > > > Writeup and PoC: https://github.com/Nassim-Asrir/ZDI-24-020/ > > > > What do you make of this? > > So it sounds like there are 3 different bugs recently found in this same > subsystem. Perhaps someone can follow up with links to relevant commits. I'm puzzled by the lack of follow-ups on this, but anyway @FFFVR_ tweeted they also found (more) vulnerabilities in the n_gsm driver: https://twitter.com/FFFVR_/status/1778244738833080571 > It seems there has been an interesting incident related to the n_gsm > vector of the Linux kernel. > > While it's still unclear who is right and who is wrong, one thing can be > asserted: my bug will soon be patched, and I need more caffeine. > > The person who first posted about this bug, jmpeax, claims to have run > syzkaller on n_gsm. I also used syzkaller to fuzz the same vector and > found several other vulnerabilities, not just the one in question. > > I've reported the vulnerabilities that have been analyzed, and I plan to > report the remaining ones shortly. It's likely that I will soon make a > brief post about how I analyzed n_gsm, including the fuzzing process. > > https://bugzilla.kernel.org/show_bug.cgi?id=218708 > Bug 218708 - Off-by-one vulnerability when reading data from the n_gsm module > > j51569436 2024-04-11 01:56:38 UTC > An off-by-one vulnerability occurs in gsm0_receive and gsm1_receive. > I'll focus on gsm0_receive for our discussion. > > [1] : Write the value to gsm->buf, then increment gsm->count by 1. > [2] : If gsm->count == gsm->len is reached, stop reading. > > Writing a value to a buffer and then checking its length is typical of > off-by-one vulnerabilities. Finally someone willing to report these bugs upstream, and there's now a lengthy thread of comments in the above Bugzilla entry. Also relevant is this mainline commit from August 2023: tty: n_gsm: require CAP_NET_ADMIN to attach N_GSM0710 ldisc https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=67c37756898a which is now being backported to stable/longterm kernels: Subject: Backport of 67c37756898a ("tty: n_gsm: require CAP_NET_ADMIN to attach N_GSM0710 ldisc") to older stable series? (at least 6.1.y) https://lore.kernel.org/stable/ZhbiWp9DexB_gJh_@eldamar.lan/ Since there are multiple known unfixed bugs in this driver and since it poses unjustified risk on most systems anyway, here are some mitigations we can apply: 1. At kernel build time, don't enable CONFIG_N_GSM. 2. Unload and disallow auto-loading of the module: rmmod n_gsm echo blacklist n_gsm >> /etc/modprobe.d/blacklist.conf 3. Disallow auto-loading of tty line discipline modules in general: sysctl dev.tty.ldisc_autoload = 0 4. Disallow (unprivileged) user or/and network namespaces, however this is not expected to help on kernels without the commit referenced above! We recently discussed other related aspects in this thread: https://www.openwall.com/lists/oss-security/2024/04/14/1 Any one of these mitigations should be sufficient where it works, but mitigations 2 and 3 assume the driver is built as a module (not built into the kernel) and mitigation 4 assumes a (very) recent kernel. Alexander