Linux Kernel isdn_net_setcfg buffer overflow [AD_LAB-0719] Class: Design Error DATE:19/11/2007 Vulnerable: <=Linux-Kernel-2.6.23 Vendor: http://www.kernel.org I.DESCRIPTION: ------------- Linux kernel is an open source operating system. The Linux kernel is prone to an buffer overflow vulnerability. This issue is due to a design error in the 'isdn_net_setcfg()' function. II.DETAILS: ---------- There is a buffer overflow vulnerability in function isdn_net_setcfg(). In function isdn_ioctl, isdn_net_setcfg will be invoked. isdn_ioctl (drivers/isdn/i4l/isdn_common.c): 1270 isdn_ioctl(struct inode *inode, struct file *file, uint cmd, ulong arg) ... ... 1410 case IIOCNETSCF: 1411 /* Set configurable parameters of a network-interface */ 1412 if (arg) { 1413 if (copy_from_user(&cfg, argp, sizeof(cfg))) *** <- cfg is user-controlled 1414 return -EFAULT; 1415 return isdn_net_setcfg(&cfg); *** <- call isdn_net_setcfg() 1416 } else 1417 return -EINVAL; ... At line 1413, the 'cfg' is read from user-space. so the 'cfg' is user-controlled. At line 1415, function isdn_net_setcfg() is invoked. The '&cfg' is passed to isdn_net_setcfg() as an argument. isdn_net_setcfg (drivers/isdn/i41/isdn_net.c): 2664 isdn_net_setcfg(isdn_net_ioctl_cfg * cfg) 2665 { ... 2777 if (cfg->exclusive > 0) { 2778 unsigned long flags; 2779 2780 /* If binding is exclusive, try to grab the channel */ 2781 spin_lock_irqsave(&dev->lock, flags); 2782 if ((i = isdn_get_free_channel(ISDN_USAGE_NET, 2783 lp->l2_proto, lp->l3_proto, drvidx, 2784 chidx, lp->msn)) < 0) { 2785 /* Grab failed, because desired channel is in use */ 2786 lp->exclusive = -1; 2787 spin_unlock_irqrestore(&dev->lock, flags); 2788 return -EBUSY; 2789 } 2790 /* All went ok, so update isdninfo */ 2791 dev->usage[i] = ISDN_USAGE_EXCLUSIVE; 2792 isdn_info_update(); 2793 spin_unlock_irqrestore(&dev->lock, flags); 2794 lp->exclusive = i; 2795 } else { 2796 /* Non-exclusive binding or unbind. */ 2797 lp->exclusive = -1; 2798 if ((lp->pre_device != -1) && (cfg->exclusive == -1)) { 2799 isdn_unexclusive_channel(lp->pre_device, lp->pre_channel); 2800 isdn_free_channel(lp->pre_device, lp->pre_channel, ISDN_USAGE_NET); 2801 drvidx = -1; 2802 chidx = -1; 2803 } 2804 } 2805 strcpy(lp->msn, cfg->eaz); *** <- Possible overrun of lp->msn by cfg-eaz 2806 lp->pre_device = drvidx; 2807 lp->pre_channel = chidx; 2808 lp->onhtime = cfg->onhtime; 2809 lp->charge = cfg->charge; ... 2884 return -ENODEV; 2885 } At line 2805, function strcpy() is invoked. The size of argument lp->msn is 32 and cfg->eaz is 256. Because the data of '*cfg' is user-controlled (so cfg->eaz is user-controlled), it's possible to overrun destination string lp->msn by string cfg->eaz. When the length of string 'cfg->eaz' is greater than 32, a buffer overflow will occur. III.CREDIT: ---------- Venustech AD-LAB discovered this vuln. Thanks to all Venustech AD-Lab guys. Thanks to Coolq. V.DISCLAIMS: ----------- The information in this bulletin is provided "AS IS" without warranty of any kind. In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages. Copyright 1996-2007 VENUSTECH. All Rights Reserved. Terms of use. VENUSTECH Security Lab VENUSTECH INFORMATION TECHNOLOGY CO.,LTD(http://www.venustech.com.cn) Security Trusted {Solution} Provider Service
Appreciate you looking for vulnerabilities within Linux. If you could file them under the appropriate category for the problem, or if in doubt under "Other/Other" rather than "Other/Bug Tracker", it'd help us out a lot. That category is for bugs against the bugzilla setup itself. If you're in doubt of the owner, you can always assign them to "bugme-janitors@lists.osdl.org", but bugme-admin isn't a good choice. Thanks, The Admins ;-)
Since this is assigned a CVE, I wonder if there is a fix for this planned for mainline?
Patches are already submitted, and I think they are in Linus tree now, patches are under evaluation for the stable series.
So I think we can close this now.