Bug 57402 (CVE-2004-0658)

Summary: VUL-0: CVE-2004-0658: linux kernel IEEE1394(Firewire) driver integer overflow vulnerabilities
Product: [Novell Products] SUSE Security Incidents
Reporter: Roman Drahtmueller <draht>
Component: Incidents
Assignee: Thomas Biege <thomas>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Major
Priority: P3 - Medium
CC: security-team
Version: unspecified
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard: CVE-2004-0658: CVSS v2 Base Score: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)
Found By: ---
Services Priority: ---
Business Priority: ---
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Attachments: Proposed fix for 2.4
             Proposed fix for 2.6

Description Roman Drahtmueller 2004-06-24 00:05:07 UTC
From: infamous41md@hotpop.com
To: bugtraq <bugtraq@securityfocus.com>
Date: Tue, 22 Jun 2004 16:46:29 -0400
Subject: linux kernel IEEE1394(Firewire) driver integer overflow vulnerabilities

Linux kernel IEEE 1394(Firewire) driver - integer overflows
-----------------------------------------------------------

Link: 
        http://www.linux1394.org/index.php

Driver Description:
IEEE 1394 is a standard defining a high speed serial bus. This bus is also
named FireWire by Apple or i.Link by Sony. All these names refer to the same
thing, but the neutral term IEEE 1394 (or just 1394) is used on these web pages
and in the sources.

This driver is included in standard linux distros.  It is located in
/usr/src/linux/drivers/ieee1394/.

Impact: 
        Local DOS, possible code execution

Vuln:

There exist multiple integer overflows in the memory allocation scheme of the
driver. In the write method of the driver a user buffer is copied into kernel
space. In this buffer is a request structure that contains an unsigned length
field. This field is used to allocate memory, after it is added to another
number. There are no checks to see if this overflows during integer addition.
This problem occurs in the alloc_hpsb_packet function.
The problem exists in both the 2.4 and 2.6 versions of the driver; 2.2 was not
checked. The functions leading up to this are spread out through a couple of
files:

2.4:

    -> raw1394_write() --  raw1394.c:852
    -> state_connected() -- raw1394.c:806
    -> handle_remote_request() -- raw1394.c:658
    -> hpsb_make_writebpacket() -- ieee1394_transactions.c:357
    -> alloc_hpsb_packet() -- ieee1394_core.c:114

2.6:

    -> raw1394_write() -- raw1394.c:2149
    -> state_connected() -- raw1394.c:2061
    -> handle_async_request() -- raw1394.c:620
    -> hpsb_make_writepacket() -- ieee1394_transactions.c:291
    -> alloc_hpsb_packet() -- ieee1394_core.c:123

Detail:

    Starting from the write() method of the driver, a user structure is copied
    into a kernel buffer.  Depending on the state of the connection, and type of
    request, eventually we get to the offending code, in 2.4 from
    alloc_hpsb_packet():

    +variable data_size is a size_t passed from user supplied structure+

        data = kmalloc(data_size + 8, kmflags);
        if (data == NULL) {
            kmem_cache_free(hpsb_packet_cache, packet);
            return NULL;
        }
        packet->data = data;
        packet->data_size = data_size;

    and then back in handle_remote_request():

    +req->req.length was the same value used above to size the buffer+

        if (copy_from_user(packet->data, int2ptr(req->req.sendb), req->req.length)) {
            req->req.error = RAW1394_ERROR_MEMFAULT;
        }


    This results in possibly gigabytes of memory being copied into a small
buffer, which will crash the system.  Depending on the layout of the slab this
buffer lives on, some sort of exploitation may be possible.  If you look around
you'll find similar issues with the read() request as well, involving packets
being allocated with incorrect lengths.  The contact on SourceForge was emailed
last week and given until Monday to reply.  I never heard back from them, so I'm
submitting this here.

-- -- 
-sean
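The allocation pattern the advisory describes, modelled in user space as an added example (not code from the advisory or from the kernel driver): the same size_t addition that feeds kmalloc() is computed once unchecked and once with the wrap check the driver lacked. The struct, function names and the 64 KiB policy cap are constructed for this example, not the driver's own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the user-supplied request header; only the
 * length field the advisory talks about is modelled. */
struct req_hdr {
    size_t length;          /* user-controlled size of the send buffer */
};

#define PACKET_HDR 8        /* the "+ 8" added before kmalloc() */
#define MAX_DATA_SIZE (64 * 1024)   /* constructed policy cap, not the driver's */

/* Vulnerable pattern: data_size + 8 in size_t arithmetic wraps silently,
 * so a huge length yields a tiny allocation. Returns the allocation size. */
size_t alloc_size_unchecked(size_t data_size)
{
    return data_size + PACKET_HDR;
}

/* Hardened pattern: reject any length for which the addition would wrap,
 * then apply an upper bound; only then compute the allocation size. */
bool alloc_size_checked(size_t data_size, size_t *out)
{
    if (data_size > SIZE_MAX - PACKET_HDR)
        return false;       /* data_size + 8 would wrap */
    if (data_size > MAX_DATA_SIZE)
        return false;       /* larger than any legitimate request */
    *out = data_size + PACKET_HDR;
    return true;
}

/* The invariant copy_from_user() relies on: the copy length must not
 * exceed the buffer that was actually allocated for it. */
bool copy_fits(const struct req_hdr *req)
{
    return req->length <= alloc_size_unchecked(req->length);
}

int main(void)
{
    struct req_hdr bad = { SIZE_MAX - 3 };   /* wraps to a 4-byte buffer */
    struct req_hdr ok  = { 512 };
    size_t n = 0;
    printf("bad: alloc=%zu fits=%d checked=%d\n", alloc_size_unchecked(bad.length),
           copy_fits(&bad), alloc_size_checked(bad.length, &n));
    printf("ok:  alloc=%zu fits=%d checked=%d (n=%zu)\n", alloc_size_unchecked(ok.length),
           copy_fits(&ok), alloc_size_checked(ok.length, &n), n);
    return 0;
}
```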
Comment 1 Roman Drahtmueller 2004-06-24 00:06:52 UTC
Additional information: 

http://www.linux1394.org/index.php

Comment 2 Roman Drahtmueller 2004-06-24 00:10:08 UTC
wrong link, that was general info...
Intended: gentoo bugzilla entry:
http://bugs.gentoo.org/show_bug.cgi?id=54883
Comment 3 Thomas Biege 2004-07-14 19:57:41 UTC
====================================================== 
Candidate: CAN-2004-0658 
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0658 
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20040712 
Category: SF 
Reference: BUGTRAQ:20040622 linux kernel IEEE1394(Firewire) driver integer overflow
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=108793792820740 
 
Integer overflow in the hpsb_alloc_packet function (incorrectly 
reported as alloc_hpsb_packet) in IEEE 1394 (Firewire) driver 2.4 and 
2.6 allows local users to cause a denial of service (crash) and 
possibly execute arbitrary code via the functions (1) raw1394_write, 
(2) state_connected, (3) handle_remote_request, or (4) 
hpsb_make_writebpacket. 
 
Analysis 
---------------- 
Vendor Acknowledgement: unknown 
Content Decisions: SF-LOC 
 
ACCURACY: the original researcher identified the primary affected 
function as alloc_hpsb_packet, but there is no such function in 
version 2.6 source code; rather, it is hpsb_alloc_packet.  The other 4 
functions ultimately call hpsb_alloc_packet. 
 
Comment 4 Thomas Biege 2004-07-15 19:22:21 UTC
reassigning to Hubert. 
Comment 5 Hubert Mantel 2004-07-16 21:35:35 UTC
Do we have a fix for the problem? Which kernels are affected? Is this 2.6 only?
The other links in this report all do not work (servers down or overloaded)?
Comment 6 Hubert Mantel 2004-07-21 23:26:31 UTC
Ok, at least I now found out that both 2.4 and 2.6 are vulnerable. Still, I
cannot find the fix for the problem. If no such fix exists until now, we need to
assign somebody to this problem, as it should be fixed with the next update.
Comment 7 Thomas Biege 2004-07-22 17:56:10 UTC
pinged vendor-sec and kernel@ for a patch 
Comment 8 Andreas Gruenbacher 2004-07-23 12:31:13 UTC
Created attachment 22355 [details]
Proposed fix for 2.4
Comment 9 Andreas Gruenbacher 2004-07-23 12:32:09 UTC
Created attachment 22356 [details]
Proposed fix for 2.6
Comment 10 Andreas Gruenbacher 2004-07-23 12:34:02 UTC
I did not find the same problem in the read paths, but I may have overlooked
something.
Comment 11 Andreas Gruenbacher 2004-07-23 12:48:27 UTC
Greg KH wrote on June 30: "Also, as no non-root user can access these device
nodes, it really isn't that big of a problem."

Unfortunately we have /dev/raw1394 in /etc/logindevperm, so after login the file
is chowned to the user logging in, which means that access is no longer
restricted to root only. We need to patch this bug.
Comment 12 Hubert Mantel 2004-08-12 00:02:04 UTC
This one is already fixed (and I think even released). It just is waiting for
being closed, which I leave to the security people.
Comment 13 Thomas Biege 2004-08-12 15:57:36 UTC
Hm... which changelog entry belongs to it?
Comment 14 Marcus Meissner 2004-08-12 19:48:16 UTC
sles8: 
------------------------------------------------------------------- 
Tue Jul 27 16:25:39 CEST 2004 - mantel@suse.de 
 
- make fix for firewire overflow problem actually compile 
 
------------------------------------------------------------------- 
Tue Jul 27 15:01:34 CEST 2004 - mantel@suse.de 
 
- fix integer overflow in firewire code (#42402) 
 
 
sles9: 
------------------------------------------------------------------- 
Tue Jul 27 14:45:40 CEST 2004 - mantel@suse.de 
 
- fix integer overflow in firewire code (#42402) 

so we can close this issue.
Comment 15 Thomas Biege 2009-10-13 20:27:06 UTC
CVE-2004-0658: CVSS v2 Base Score: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)