Bug 53898 (CVE-2004-0228)

Summary: VUL-0: CVE-2004-0228: cpufreq_procctl casting issue
Product: [Novell Products] SUSE Security Incidents Reporter: Sebastian Krahmer <krahmer>
Component: IncidentsAssignee: Sebastian Krahmer <krahmer>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Major    
Priority: P3 - Medium CC: security-team
Version: unspecified   
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: CVE-2004-0228: CVSS v2 Base Score: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Attachments: Fix

Description Sebastian Krahmer 2004-04-14 17:23:21 UTC 
From vendor-sec:

Date: Tue, 13 Apr 2004 23:37:44 +0100
From: Dave Jones <davej@redhat.com>
To: vendor-sec@lst.de
Cc: brodo@linux.de
Subject: [vendor-sec] cpufreq (un)signed int wrap.

Folks,
 Brad Spender found an exploitable bug in the Linux kernel cpufreq code.
This is a part of 2.6, and various vendors have variants of it in their
2.4 trees (All that I checked had the same flaw).
                                                                                
I've not yet heard from Brad as to when he plans to announce this.
                                                                                
Dominik also did a quick grep of other proc_handler's and turned up a number of
other instances of what seems to be the same bug.
Certainly looks worthy of an audit.

Until I hear of a date of disclosure from Brad, I'm going to hold
off fixing this in the cpufreq bk tree.

    Dave

----- Forwarded message from spender@grsecurity.net -----

X-Original-To: brodo@localhost
Delivered-To: brodo@localhost.dominikbrodowski.de
X-Envelope-From: <spender@grsecurity.net>
X-Envelope-To: <linux@brodo.de>
X-Delivery-Time: 1081879425
Date: Tue, 13 Apr 2004 13:58:33 -0400
To: rmk@arm.linux.org.uk, linux@brodo.de
Subject: exploitable stack overflow in cpufreq
User-Agent: Mutt/1.5.4i
From: spender@grsecurity.net

just wanted to call your attention to the following:

static int
cpufreq_procctl(ctl_table *ctl, int write, struct file *filp,
                void __user *buffer, size_t *lenp)
{
        char buf[16], *p;
        int cpu = (int) ctl->extra1;
        int len, left = *lenp;
                len = left;
                if (left > sizeof(buf))
                        left = sizeof(buf);
                if (copy_from_user(buf, buffer, left))
                        return -EFAULT;


note that you cast a user-supplied unsigned int to a signed int.
you then only check the upper bound on the value of the signed int
you then send it to copy_from_user, which uses an unsigned int (long)
this is exploitable, though only as a root user.

It gets a bit more interesting here:

        } else {
                len = sprintf(buf, "%d\n", cpufreq_get(cpu));
                if (len > left)
                        len = left;
                if (copy_to_user(buffer, buf, len))
                        return -EFAULT;

here by passing a large value in to a read, which will wrap to a
negative value, and then back to the large value for copy_to_user,
we can read into kernel memory as a non-root user.

To fix, use unsigned ints instead of signed.

-Brad

-----------

Not clear which of our kernels are affected.
Comment 1 Sebastian Krahmer 2004-04-14 17:23:21 UTC 
<!-- SBZ_reproduce  -->
...
Comment 2 Sebastian Krahmer 2004-04-14 17:24:56 UTC 
CAN-2004-0228
Comment 3 Roman Drahtmueller 2004-04-14 17:44:25 UTC 
No publication date known yet. Hubert, Andi, that means that the fix for this
must not be included yet.
Adding agruen to Cc:.
Comment 4 Andreas Gruenbacher 2004-04-15 17:26:50 UTC 
Do we have a patch for this?
Comment 5 Sebastian Krahmer 2004-04-16 17:31:18 UTC 
From initial advisory: "To fix, use unsigned ints instead of signed.".
I think he is speaking of "len" and "left".
Comment 6 Hubert Mantel 2004-04-21 18:48:00 UTC 
Created attachment 18491 [details]
Fix

Do you agree this is the correct fix?
Comment 7 Sebastian Krahmer 2004-04-21 19:26:52 UTC 
Yes
Comment 8 Kurt Garloff 2004-04-23 21:53:33 UTC 
Sebastian, are you sure this is public as you wrote in your mail to prjmgr? 
I just commited the fix to CVS ...
Comment 9 Thomas Biege 2004-04-26 16:05:15 UTC 
From Sebastian's mail (Fri, 23 Apr 2004 15:53:34 +0200 (CEST)): 
	#38898 - cpu_freq int overflow 
		+ fix available 
		+ not yet public, but no timeline 
		+ should make it into updates 
 
He said that it is not public.
Comment 10 Sebastian Krahmer 2004-04-26 16:37:07 UTC 
I am sorry for the confusion. Its not really public, but
the bug has no timeline. We can publish it when we find it
is necessary. So it is ok if it is in CVS.
Comment 11 Sebastian Krahmer 2004-04-26 19:39:14 UTC 
CAN-2004-0228
Comment 12 Hubert Mantel 2004-04-26 20:52:08 UTC 
Kernels have been submitted and are waiting for check in.
Comment 13 Sebastian Krahmer 2004-05-04 17:28:50 UTC 
kernels are approved and announced.
Comment 14 Thomas Biege 2009-10-13 20:19:38 UTC 
CVE-2004-0228: CVSS v2 Base Score: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)