Advertisement

Linux 4.6 Double-Fetch Race Condition / Buffer Overflow

CVE	Category	Price	Severity
CVE-XXXX-XXXX	CWE-XXX	N/A	Critical

Author	Risk	Exploitation Type	Date
Unknown	High	Local	2016-07-06

CVSS	EPSS	EPSSP
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N	0.02192	0.50148

CVSS vector description

Metric	Value	Metric Description	Value Description
Attack vector	Local	AV	The vulnerable system is not bound to the network stack and the attacker’s path is via read/write/execute capabilities. Either: the attacker exploits the vulnerability by accessing the target system locally (e.g., keyboard, console), or through terminal emulation (e.g., SSH); or the attacker relies on User Interaction by another person to perform actions required to exploit the vulnerability (e.g., using social engineering techniques to trick a legitimate user into opening a malicious document).
Attack Complexity	Low	AC	The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system.
Attack Requirements	Present	AT	The successful attack depends on the presence of specific deployment and execution conditions of the vulnerable system that enable the attack. These include: A race condition must be won to successfully exploit the vulnerability. The successfulness of the attack is conditioned on execution conditions that are not under full control of the attacker. The attack may need to be launched multiple times against a single target before being successful. Network injection. The attacker must inject themselves into the logical network path between the target and the resource requested by the victim (e.g. vulnerabilities requiring an on-path attacker).
Privileges Required	Low	PR	The attacker requires privileges that provide basic capabilities that are typically limited to settings and resources owned by a single low-privileged user. Alternatively, an attacker with Low privileges has the ability to access only non-sensitive resources.
User Interaction	None	UI	The vulnerable system can be exploited without interaction from any human user, other than the attacker. Examples include: a remote attacker is able to send packets to a target system a locally authenticated attacker executes code to elevate privileges
Confidentiality Impact to the Vulnerable System	High	VC	There is a total loss of confidentiality, resulting in all information within the Vulnerable System being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact. For example, an attacker steals the administrator's password, or private encryption keys of a web server.
Availability Impact to the Vulnerable System	High	VI	There is a total loss of integrity, or a complete loss of protection. For example, the attacker is able to modify any/all files protected by the Vulnerable System. Alternatively, only some files can be modified, but malicious modification would present a direct, serious consequence to the Vulnerable System.
Availability Impact to the Vulnerable System	High	VA	There is a total loss of availability, resulting in the attacker being able to fully deny access to resources in the Vulnerable System; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed). Alternatively, the attacker has the ability to deny some availability, but the loss of availability presents a direct, serious consequence to the Vulnerable System (e.g., the attacker cannot disrupt existing connections, but can prevent new connections; the attacker can repeatedly exploit a vulnerability that, in each instance of a successful attack, leaks a only small amount of memory, but after repeated exploitation causes a service to become completely unavailable).
Subsequent System Confidentiality Impact	Negligible	SC	There is no loss of confidentiality within the Subsequent System or all confidentiality impact is constrained to the Vulnerable System.
Integrity Impact to the Subsequent System	None	SI	There is no loss of integrity within the Subsequent System or all integrity impact is constrained to the Vulnerable System.
Availability Impact to the Subsequent System	None	SA	There is no loss of availibility within the Subsequent System or all availibility impact is constrained to the Vulnerable System.

Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2016070029

Below is a copy:

Linux 4.6 Double-Fetch Race Condition / Buffer OverflowHi,

I found this double-fetch bug in Linux-4.6/drivers/platform/chrome/cros_ec_dev.c  when I was inspecting the source code.

In function ec_device_ioctl_xcmd(), the driver fetches user space data by pointer arg via copy_from_user(), and this happens twice at line 137 and line 145 respectively. The first fetched value (stored in u_cmd) is used to get the in_size and out_size elements and allocation a buffer (s_cmd) at line 140 so as to copy the whole message to driver later at line 145, which means the copy size of the whole messages_cmdis based on the old value (u_cmd.outside) that came from the first fetch. Besides, the whole message copied at the second fetch also contains the elements of in_size and out_size, which we call as the new values. The new values from the second fetch might be changed by another user thread under race condition, which will result in a double-fetch bug when the inconsistent values are used.

We can see this happening by tracking how the whole message from the second fetch is used. First of all, s_cmd is passed to cros_ec_cmd_xferfor further process at line 151. While within cros_ec_cmd_xferin file cros_ec_proto.c, msg is firstly used for some validity checking, then again passed to function send_command() at line 377. Although msg->outsize and msg->insize are checked here, they are only checked for vialidity by comparing with some max values, rather than checking the consistency to prevent double-fetch bug. Then we step into send_command() at line 58 of file cros_ec_proto.c, and msg is passed to ec_dev->pkt_xfer(ec_dev, msg) and ec_dev->cmd_xfer(ec_dev, msg) respectively. These two are actually pointers to function cros_ec_pkt_xfer_i2cand cros_ec_cmd_xfer_i2crespectively. 

In function cros_ec_cmd_xfer_i2c(line 187 of cros_ec_i2c.c), msg->outsize is used again  without checking to control a loop (line233), if msg->outsize is changed to a greater value than the original one, memory access msg->data[i] at line 234 will beyond array boundary. While for cros_ec_pkt_xfer_i2c(), things are similar, except the loop moves into cros_ec_prepare_tx() at line 98.

I noticed there were some checking during the tracking, however, the checking only compared the value with the max value, such as BUG_ON(msg->outsize > EC_PROTO2_MAX_PARAM_SIZE)and this does not guarantee the consistency of the value. As long as the value is changed to a bigger value but not greater than the max value under race condition, problems still happen. When the message is switched to a longer one after the first fetch, only part of the message will be copied to the kernel by the second fetch based on the old value of size. However, when using the message, based on the size value of the new message, it would be used as a longer message, and memory access will beyond the array boundary.

I am looking forward to a reply to confirm this, thank you!

Kind regards
Pengfei

Copyright ©2024 Exploitalert.

This information is provided for TESTING and LEGAL RESEARCH purposes only.
All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum