Bug 82341

Summary: Potential vulnerabilities in LINUX KERNEL 3.16 /arch/um
Product: Memory Management Reporter: kaiwaiata (romerox.adrian)
Component: OtherAssignee: Andrew Morton (akpm)
Status: RESOLVED CODE_FIX    
Severity: high CC: akpm, alan, atomlin, bugsfx, bugsfx, dmonakhov, linuxdev, on2014nm, romerox.adrian
Priority: P1    
Hardware: All   
OS: Linux   
Kernel Version: 3.16 Subsystem:
Regression: No Bisected commit-id:

Description kaiwaiata 2014-08-13 13:47:08 UTC
Hi, I'm Hádrien Romero Soria - @Kaiwaiata​​, I am a 16 year old boy, passionate about computer security, since more than 2h searching and finding various possible vulnerabilities in source code of Linux Kernel..
I will tell you some vulnerabilities now, if they treat me well I will tell the other..
foolish or important things?

linux3.16.tar\linux-3.16\arch\um\os-Linux\drivers\ethertap_user.c:
lines: 30:

struct addr_change {
    enum { ADD_ADDR, DEL_ADDR } what;
    unsigned char addr[4]; // look here
    unsigned char netmask[4]; // look here
};

static void etap_change(int op, unsigned char *addr, unsigned char *netmask,
int fd)
{
    struct addr_change change; // look here
    char *output;
    int n;

    change.what = op;
    memcpy(change.addr, addr, sizeof(change.addr)); // look here
    memcpy(change.netmask, netmask, sizeof(change.netmask)); // look here
    .. ..
    .. ..
}

linux3.16.tar\linux-3.16\arch\um\os-Linux\drivers\ethertap_user.c:
lines: 108: strcpy(gate_buf, gate);

# if an attacker manages to take control e.g:addr_change, gate.. may cause a buffer overflow, which would be directed toward .bss (an uninitialized global, so he goes to the BSS segment) it's not too dangerous but is a vulnerability.

linux3.16.tar\linux-3.16\arch\um\os-Linux\drivers\ethertap_user.c:
lines: 47: if (n != sizeof(change)) {

# Compare an unsigned numeric value with a signed numeric value, ccould cause extremely long numbers (negative and positive)

i hope answer, thanks a lot!,
HádrienR - kaiwaiata
Comment 1 Alan 2014-08-21 17:38:47 UTC
Don't see the etap problem ?

108: I don't think ethertap_user.c is exploitable because all the inputs that matter check. That said I can't prove it's so - so yes it would be a sensible change (um is very old code and probably ought to just go away, it's not a secure kernel in that form anyway but no excuses)

47: doesn't matter. The types will be co-erced for the comparison and only one matching bit pattern exists. With > or < tests more care can be needed however.