Bugzilla – Bug 57402
VUL-0: CVE-2004-0658: linux kernel IEEE1394(Firewire) driver integer overflow vulnerabilities
Last modified: 2021-10-14 14:34:19 UTC
From: infamous41md@hotpop.com To: bugtraq <bugtraq@securityfocus.com> Date: Tue, 22 Jun 2004 16:46:29 -0400 Subject: linux kernel IEEE1394(Firewire) driver integer overflow vulnerabilities Linux kernel IEEE 1394(Firewire) driver - integer overflows ----------------------------------------------------------- Link: http://www.linux1394.org/index.php Driver Description: IEEE 1394 is a standard defining a high speed serial bus. This bus is also named FireWire by Apple or i.Link by Sony. All these names refer to the same thing, but the neutral term IEEE 1394 (or just 1394) is used on these web pages and in the sources. This driver is included in standard linux distros. It is located in /usr/src/linux/drivers/ieee1394/. Impact: Local DOS, possible code execution Vuln: there exist multiple integer overflows in the memory allocation scheme of the driver. in the write method of the driver a user buffer is copied into kernel space. in this buffer is a request structure that contains an unsigned length field. this field is used to allocate memory, after it is added to another number. there are no checks to see if this overflows during integer addition. this problem occurs in the alloc_hpsb_packet function. the problem exists in both the 2.4 and 2.6 version of driver, 2.2 was not checked. the functions leading up to this are spread out through a couple files: 2.4: -> raw1394_write() -- raw1394.c:852 -> state_connected() -- raw1394.c:806 -> handle_remote_request() -- raw1394.c:658 -> hpsb_make_writebpacket() -- ieee1394_transactions.c:357 -> alloc_hpsb_packet() -- ieee1394_core.c:114 2.6: -> raw1394_write() -- raw1394.c:2149 -> state_connected() -- raw1394.c:2061 -> handle_async_request() -- raw1394.c:620 -> hpsb_make_writepacket() -- ieee1394_transactions.c:291 -> alloc_hpsb_packet() -- ieee1394_core.c:123 Detail: Starting from the write() method of the driver, a user structure is copied into kernel buffer. Depending on the state of the connection, and type of request, eventually we get to the offending code, in 2.4 from alloc_hpsb_packet(): +variable data_size is a size_t passed from user supplied structure+ data = kmalloc(data_size + 8, kmflags); if (data == NULL) { kmem_cache_free(hpsb_packet_cache, packet); return NULL; } packet->data = data; packet->data_size = data_size; and then back in handle_remote_request(): +req->req.length was the same value used above to size the buffer if (copy_from_user(packet->data, int2ptr(req->req.sendb), req->req.length)) { req->req.error = RAW1394_ERROR_MEMFAULT; } this results in possibly gigabytes of memory being copied into a small buffer, which will crash system. depending on the layout of the slab this buffer lives on, some sort of exploitation may be possible. if u look around you'll find similar issues with the read() request as well, involving packets being allocated with incorrect lengths. the contact on sourceforge was emailed last week and given until monday to reply. i never heard back from them, so im submitting this here. -- -- -sean
Additional information: http://www.linux1394.org/index.php
wrong link, that was general info... Intended: gentoo bugzilla entry: http://bugs.gentoo.org/show_bug.cgi?id=54883
====================================================== Candidate: CAN-2004-0658 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0658 Final-Decision: Interim-Decision: Modified: Proposed: Assigned: 20040712 Category: SF Reference: BUGTRAQ:20040622 linux kernel IEEE1394(Firewire) driver integer overflow Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=108793792820740 Integer overflow in the hpsb_alloc_packet function (incorrectly reported as alloc_hpsb_packet) in IEEE 1394 (Firewire) driver 2.4 and 2.6 allows local users to cause a denial of service (crash) and possibly execute arbitrary code via the functions (1) raw1394_write, (2) state_connected, (3) handle_remote_request, or (4) hpsb_make_writebpacket. Analysis ---------------- Vendor Acknowledgement: unknown Content Decisions: SF-LOC ACCURACY: the original researcher identified the primary affected function as alloc_hpsb_packet, but there is no such function in version 2.6 source code; rather, it is hpsb_alloc_packet. The other 4 functions ultimately call hpsb_alloc_packet.
reassigning to Hubert.
Do we have a fix for the problem? Which kernels are affected? Is this 2.6 only? The other links in this report all do not work (servers down or overloaded)?
Ok, at least I now found out that both 2.4 and 2.6 are vulnerable. Still, I cannot find the fix for the problem. If no such fix exists until now, we need to assign somebody to this problem, as it should be fixed with the next update.
pinged vendor-sec and kernel@ for a patch
Created attachment 22355 [details] Proposed fix for 2.4
Created attachment 22356 [details] Proposed fix for 2.6
I did not find the same problem in the read paths, but I may have overlooked something.
Greg KH wrote on June 30: "Also, as no non-root user can access these device nodes, it really isn't that big of a problem." Unfortunately we have /dev/raw1394 in /etc/logindevperm, so after login the file is chowned to the user logging in, which means that access is no longer restricted to root only. We need to patch this bug.
This one is already fixed (and I think even released). It just is waiting for being closed, which I leave to the security people.
Hm... which changelog entry belongs to it?
sles8: ------------------------------------------------------------------- Tue Jul 27 16:25:39 CEST 2004 - mantel@suse.de - make fix for firewire overflow problem actually compile ------------------------------------------------------------------- Tue Jul 27 15:01:34 CEST 2004 - mantel@suse.de - fix integer overflow in firewire code (#42402) sles9: ------------------------------------------------------------------- Tue Jul 27 14:45:40 CEST 2004 - mantel@suse.de - fix integer overflow in firewire code (#42402) so we can close this issue.
CVE-2004-0658: CVSS v2 Base Score: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)