[Secure-testing-team] Two more kernel related DoS vulnerabilities

Thu Sep 15 08:31:06 UTC 2005

Hi Horms,
two more potential local DoS issues from the current review round
of patches for the next .13 stable release:

Cheers,
        Moritz

From: Chris Wright <chrisw at osdl.org>
Newsgroups: gmane.linux.kernel
Subject: [PATCH 02/11] [PATCH] Lost sockfd_put() in routing_ioctl()
Date: Wed, 14 Sep 2005 18:03:45 -0700

-stable review patch.  If anyone has any objections, please let us know.
------------------

This patch adds lost sockfd_put() in 32bit compat rounting_ioctl() on 
64bit platforms

I believe this is a security issues, since user can fget() file as many 
times as he wants to. So file refcounter can be overlapped and first 
fput() will free resources though there will be still structures 
pointing to the file, mnt, dentry etc.
Also fput() sets f_dentry and f_vfsmnt to NULL,
so other file users will OOPS.

The oops can be done under files_lock and others, so this can be an 
exploitable DoS on SMP. Didn't checked it on practice actually.

Signed-Off-By: Kirill Korotaev <dev at sw.ru>
Signed-Off-By: Maxim Giryaev <gem at sw.ru>
Signed-off-by: Chris Wright <chrisw at osdl.org>
---
 fs/compat_ioctl.c |    7 +++++--
 1 files changed, 5 insertions(+), 2 deletions(-)

Index: linux-2.6.13.y/fs/compat_ioctl.c
===================================================================

--- linux-2.6.13.y.orig/fs/compat_ioctl.c
+++ linux-2.6.13.y/fs/compat_ioctl.c
@@ -798,13 +798,16 @@ static int routing_ioctl(unsigned int fd
 		r = (void *) &r4;
 	}
 
-	if (ret)
-		return -EFAULT;
+	if (ret) {
+		ret = -EFAULT;
+		goto out;
+	}
 
 	set_fs (KERNEL_DS);
 	ret = sys_ioctl (fd, cmd, (unsigned long) r);
 	set_fs (old_fs);
 
+out:
 	if (mysock)
 		sockfd_put(mysock);
 

From: Chris Wright <chrisw at osdl.org>
Subject: [PATCH 01/11] [PATCH] lost fput in 32bit ioctl on x86-64

-stable review patch.  If anyone has any objections, please let us know.
------------------

This patch adds lost fput in 32bit tiocgdev ioctl on x86-64

I believe this is a security issues, since user can fget() file as
many times as he wants to. So file refcounter can be overlapped and
first fput() will free resources though there will be still structures
pointing to the file, mnt, dentry etc.  Also fput() sets f_dentry and
f_vfsmnt to NULL, so other file users will OOPS.

The oops can be done under files_lock and others, so this is really
exploitable DoS on SMP. Didn't checked it on practice actually.

(chrisw: Update to use fget_light/fput_light)

Signed-Off-By: Kirill Korotaev <dev at sw.ru>
Signed-Off-By: Maxim Giryaev <gem at sw.ru>
Signed-off-by: Chris Wright <chrisw at osdl.org>
---
 arch/x86_64/ia32/ia32_ioctl.c |   17 +++++++++++++----
 1 files changed, 13 insertions(+), 4 deletions(-)

Index: linux-2.6.13.y/arch/x86_64/ia32/ia32_ioctl.c
===================================================================
--- linux-2.6.13.y.orig/arch/x86_64/ia32/ia32_ioctl.c
+++ linux-2.6.13.y/arch/x86_64/ia32/ia32_ioctl.c
@@ -24,17 +24,26 @@
 static int tiocgdev(unsigned fd, unsigned cmd,  unsigned int __user *ptr) 
 { 
 
-	struct file *file = fget(fd);
+	struct file *file;
 	struct tty_struct *real_tty;
+	int fput_needed, ret;
 
+	file = fget_light(fd, &fput_needed);
 	if (!file)
 		return -EBADF;
+
+	ret = -EINVAL;
 	if (file->f_op->ioctl != tty_ioctl)
-		return -EINVAL; 
+		goto out;
 	real_tty = (struct tty_struct *)file->private_data;
 	if (!real_tty) 	
-		return -EINVAL; 
-	return put_user(new_encode_dev(tty_devnum(real_tty)), ptr); 
+		goto out;
+
+	ret = put_user(new_encode_dev(tty_devnum(real_tty)), ptr); 
+
+out:
+	fput_light(file, fput_needed);
+	return ret;
 } 
 
 #define RTC_IRQP_READ32	_IOR('p', 0x0b, unsigned int)	 /* Read IRQ rate   */

--




