Bugzilla – Bug 53898
VUL-0: CVE-2004-0228: cpufreq_procctl casting issue
Last modified: 2021-10-01 08:01:07 UTC
From vendor-sec: Date: Tue, 13 Apr 2004 23:37:44 +0100 From: Dave Jones <davej@redhat.com> To: vendor-sec@lst.de Cc: brodo@linux.de Subject: [vendor-sec] cpufreq (un)signed int wrap. Folks, Brad Spender found an exploitable bug in the Linux kernel cpufreq code. This is a part of 2.6, and various vendors have variants of it in their 2.4 trees (All that I checked had the same flaw). I've not yet heard from Brad as to when he plans to announce this. Dominik also did a quick grep of other proc_handler's and turned up a number of other instances of what seems to be the same bug. Certainly looks worthy of an audit. Until I hear of a date of disclosure from Brad, I'm going to hold off fixing this in the cpufreq bk tree. Dave ----- Forwarded message from spender@grsecurity.net ----- X-Original-To: brodo@localhost Delivered-To: brodo@localhost.dominikbrodowski.de X-Envelope-From: <spender@grsecurity.net> X-Envelope-To: <linux@brodo.de> X-Delivery-Time: 1081879425 Date: Tue, 13 Apr 2004 13:58:33 -0400 To: rmk@arm.linux.org.uk, linux@brodo.de Subject: exploitable stack overflow in cpufreq User-Agent: Mutt/1.5.4i From: spender@grsecurity.net just wanted to call your attention to the following: static int cpufreq_procctl(ctl_table *ctl, int write, struct file *filp, void __user *buffer, size_t *lenp) { char buf[16], *p; int cpu = (int) ctl->extra1; int len, left = *lenp; len = left; if (left > sizeof(buf)) left = sizeof(buf); if (copy_from_user(buf, buffer, left)) return -EFAULT; note that you cast a user-supplied unsigned int to a signed int. you then only check the upper bound on the value of the signed int you then send it to copy_from_user, which uses an unsigned int (long) this is exploitable, though only as a root user. It gets a bit more interesting here: } else { len = sprintf(buf, "%d\n", cpufreq_get(cpu)); if (len > left) len = left; if (copy_to_user(buffer, buf, len)) return -EFAULT; here by passing a large value in to a read, which will wrap to a negative value, and then back to the large value for copy_to_user, we can read into kernel memory as a non-root user. To fix, use unsigned ints instead of signed. -Brad ----------- Not clear which of our kernels are affected.
<!-- SBZ_reproduce --> ...
CAN-2004-0228
No publication date known yet. Hubert, Andi, that means that the fix for this must not be included yet. Adding agruen to Cc:.
Do we have a patch for this?
From initial advisory: "To fix, use unsigned ints instead of signed.". I think he is speaking of "len" and "left".
Created attachment 18491 [details] Fix Do you agree this is the correct fix?
Yes
Sebastian, are you sure this is public as you wrote in your mail to prjmgr? I just commited the fix to CVS ...
From Sebastian's mail (Fri, 23 Apr 2004 15:53:34 +0200 (CEST)): #38898 - cpu_freq int overflow + fix available + not yet public, but no timeline + should make it into updates He said that it is not public.
I am sorry for the confusion. Its not really public, but the bug has no timeline. We can publish it when we find it is necessary. So it is ok if it is in CVS.
Kernels have been submitted and are waiting for check in.
kernels are approved and announced.
CVE-2004-0228: CVSS v2 Base Score: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)