FreeBSD 10 nand Driver IOCTL Kernel Memory Leak Bug
Source: http://www.x90c.org  Author: x90c  Published: 2013-11-18
XADV-2013005
FreeBSD 10 <= nand Driver IOCTL Kernel Memory Leak Bug
  
  
1. Overview
  
The nand driver in FreeBSD <= 10 has a vulnerability that leaks
arbitrary kernel memory to userspace. It occurs in the nand_ioctl()
kernel function because the allocated kernel memory is not properly
initialized before it is copied out.
  
* Vulnerable Source Code:
  
* Credit:
  - x90c <geinblues@gmail.com>
    (site: http://www.x90c.org)
  
* References:
  
  
2. Details
  
The kernel memory (kmem) leak is in nand_ioctl() in /dev/nand/nand_geom.c.
  
  
[/dev/nand/nand_geom.c?v=FREEBSD10#L191]
----
  191 static int
  192 nand_ioctl(struct disk *ndisk, u_long cmd, void *data, int fflag,
  193     struct thread *td)
  194 {
  195         struct nand_chip *chip;
  196         struct nand_oob_rw *oob_rw = NULL;
  197         struct nand_raw_rw *raw_rw = NULL;
  198         device_t nandbus;
  199         uint8_t *buf = NULL;
  200         int ret = 0;
  201         uint8_t status;
  202 
  203         chip = (struct nand_chip *)ndisk->d_drv1;
  204         nandbus = device_get_parent(chip->dev);

  205         // XXX NAND_IO_RAW_READ or NAND_IO_RAW_PROG ioctl cmd.
  206         if ((cmd == NAND_IO_RAW_READ) || (cmd == NAND_IO_RAW_PROG)) {
  207                 raw_rw = (struct nand_raw_rw *)data; // XXX raw_rw = data (the ioctl argument)
                      /*
                       * XXX buf is malloc'd with size raw_rw->len.
                       * Condition 1: the user-supplied raw_rw->len is allocated
                       * as requested, so a large chunk of kernel memory comes back
                       * uninitialized, causing the kmem leak (see [1]).
                       * The fix is to pass the M_ZERO flag so the allocated kmem is zeroed.
                       */
  208                 buf = malloc(raw_rw->len, M_NAND, M_WAITOK);

  209         }
  210         switch (cmd) {

...

  242         case NAND_IO_RAW_READ:
  243                 ret = nand_read_pages_raw(chip, raw_rw->off, buf,
  244                     raw_rw->len);
                      /*
                       * XXX The uninitialized kmem in buf is copied to raw_rw->data
                       *     (userspace). Repeated ioctl calls can leak all of the
                       *     freed kmem in the malloc area.
                       */
  245                 copyout(buf, raw_rw->data, raw_rw->len);
  246                 break;
  247 
...

  260         return (ret);
  261 }
----
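The pattern above, as an added example that is not part of the original advisory or of FreeBSD: a userspace model of the raw-read ioctl path in which a simulated kernel slab keeps the contents of its previous use, a simulated device fills only part of the requested buffer, and the copy-out returns the whole buffer. Running the handler with and without the M_ZERO flag shows how many bytes of stale kernel memory reach "userspace"; all names (kmalloc_sim, read_pages_raw_sim, nand_raw_rw_sim, count_leaked) and the sizes are constructed for the model.

```c
/* Userspace model of the nand_ioctl() raw-read path from the listing above:
 * a simulated kernel slab keeps its previous contents, so malloc() without
 * M_ZERO hands back stale bytes and the device read fills only part of the
 * buffer. Constructed for illustration; this is not the FreeBSD code. */
#include <stdint.h>
#include <string.h>

#define M_ZERO    0x0100   /* plays the role of FreeBSD's M_ZERO malloc flag */
#define SLAB_SIZE 64
#define DEV_BYTES 16       /* bytes the simulated device actually returns */
#define STALE     0x41     /* marker for leftover contents of a freed chunk */

static uint8_t slab[SLAB_SIZE];   /* the one simulated kernel allocation */

/* Simulated kernel malloc(): returns the slab, zeroed only if M_ZERO is set. */
static void *kmalloc_sim(size_t len, int flags) {
    if (len > SLAB_SIZE) return NULL;
    if (flags & M_ZERO) memset(slab, 0, len);
    return slab;   /* otherwise whatever was there before is still there */
}

/* Simulated nand_read_pages_raw(): writes DEV_BYTES bytes, leaves the rest. */
static int read_pages_raw_sim(uint8_t *buf, size_t len) {
    memset(buf, 0xEE, len < DEV_BYTES ? len : DEV_BYTES);
    return 0;
}

struct nand_raw_rw_sim { size_t len; uint8_t *data; };

/* Same shape as the ioctl handler: allocate, read, copy len bytes out.
 * malloc_flags selects the vulnerable (0) or patched (M_ZERO) allocation. */
int raw_read_ioctl(struct nand_raw_rw_sim *rw, int malloc_flags) {
    uint8_t *buf = kmalloc_sim(rw->len, malloc_flags);
    if (buf == NULL) return -1;
    int ret = read_pages_raw_sim(buf, rw->len);
    if (ret == 0) memcpy(rw->data, buf, rw->len);   /* stands in for copyout() */
    return ret;
}

/* Count how many bytes of "userspace" output are stale slab contents. */
size_t count_leaked(int malloc_flags) {
    uint8_t out[SLAB_SIZE];
    struct nand_raw_rw_sim rw = { SLAB_SIZE, out };
    memset(slab, STALE, SLAB_SIZE);   /* constructed leftover data */
    if (raw_read_ioctl(&rw, malloc_flags) != 0) return (size_t)-1;
    size_t n = 0;
    for (size_t i = 0; i < SLAB_SIZE; i++) n += (out[i] == STALE);
    return n;
}
```

Without M_ZERO the 48 bytes the device never wrote arrive as stale slab contents; with M_ZERO the same bytes arrive as zeros, which is exactly the difference the one-line patch below makes.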
  
  
3. Patch code
  
[freebsd_nand_kmem_leak.patch]
----
-    buf = malloc(raw_rw->len, M_NAND, M_WAITOK);
+    buf = malloc(raw_rw->len, M_NAND, M_WAITOK | M_ZERO); /* to zero the allocated kmem */
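Review bot: M_ZERO closes the stale-memory disclosure, but the read path in the listing above still calls copyout(buf, raw_rw->data, raw_rw->len) without checking ret from nand_read_pages_raw() or the return value of copyout(), so a failed device read still copies the (now zeroed) buffer to userspace and a copyout fault is never reported; guard the copy with `if (ret == 0) ret = copyout(buf, raw_rw->data, raw_rw->len);`. raw_rw->len also reaches malloc() with M_WAITOK straight from the user-supplied struct, so the fix would be more complete with a bound on raw_rw->len before the allocation, and the fragment should carry a file header and @@ context so it applies cleanly to sys/dev/nand/nand_geom.c.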
----
  
  
4. Vendor Status
  
- 2013/11/13 I discovered the memory leak bug and reported it to secteam@freebsd.org.
- 2013/11/14 The vendor responded with coordination (there will be a FreeBSD advisory).
- 2013/11/16 CVE-ID request sent to cve-assign@mitre.org.
- 2013/11/16 The original advisory was released on Full-Disclosure and Bugtraq.
  
  
EOF

 