Vulners
Lucene search
FreeBSD 10 nand Driver IOCTL Kernel Memory Leak Bug
XADV-2013005
FreeBSD 10 <= nand Driver IOCTL Kernel Memory Leak Bug
1. Overview
The nand driver in freebsd <= 10 has a vulnerability to leak
arbitrary kernel memory to the userspace. It's occured at
nand_ioctl() kernel function and because no proper initialize
the allocated kernel memory.
* Vulnerable Source Code:
- http://fxr.watson.org/fxr/source/dev/nand/nand_geom.c?v=FREEBSD10
* Credit:
- x90c <[email protected]>
(site: http://www.x90c.org)
* References:
[1] http://www.unix.com/man-page/freebsd/9/malloc/
[2] http://fxr.watson.org/fxr/source/dev/ath/if_ath.c?v=FREEBSD10#L5881
[3] https://wiki.freebsd.org/BSDDay_2010?action=AttachFile&do=get&target=bsdday2010-flash_subsystem.pdf
2. Details
The kmem leak bug at nand_ioctl() in /dev/nand/nand_geom.c.
[/dev/nand/nand_geom.c?v=FREEBSD10#L191]
----
191 static int
192 nand_ioctl(struct disk *ndisk, u_long cmd, void *data, int fflag,
193 struct thread *td)
194 {
195 struct nand_chip *chip;
196 struct nand_oob_rw *oob_rw = NULL;
197 struct nand_raw_rw *raw_rw = NULL;
198 device_t nandbus;
199 uint8_t *buf = NULL;
200 int ret = 0;
201 uint8_t status;
202
203 chip = (struct nand_chip *)ndisk->d_drv1;
204 nandbus = device_get_parent(chip->dev);
205 // XXX NAND_IO_RAW_READ or NAND_IO_RAW_PROG ioctl cmd.
206 if ((cmd == NAND_IO_RAW_READ) || (cmd == NAND_IO_RAW_PROG)) {
207 raw_rw = (struct nand_raw_rw *)data; // XXX raw_rw = data(arg)
/*
* XXX malloc'd buf = raw_rw->len.
* exp cond1) user-supplied raw_rw->len can be success allocated.
* and return a large chunk uninitialized causing kmem leak refer to [1].
* the fix needed M_ZERO flag to zero the allocated kmem.
*/
208 buf = malloc(raw_rw->len, M_NAND, M_WAITOK);
209 }
210 switch (cmd) {
...
242 case NAND_IO_RAW_READ:
243 ret = nand_read_pages_raw(chip, raw_rw->off, buf,
244 raw_rw->len);
/*
* XXX Uninitialized kmem(buf) leaks to raw_rw->data(userspace).
* If subsequence ioctl ... can be leak all of free'd kmem in
* malloc area.
*/
245 copyout(buf, raw_rw->data, raw_rw->len);
246 break;
247
...
260 return (ret);
261 }
----
3. Patch code
[freebsd_nand_kmem_leak.patch]
----
- buf = malloc(raw_rw->len, M_NAND, M_WAITOK);
+ buf = malloc(raw_rw->len, M_NAND, M_WAITOK | M_ZERO); /* to zero the allocated kmem */
----
4. Vendor Status
- 2013/11/13 I discovered the memory leak bug and reported to the [email protected]
- 2013/11/14 The vendor response with the coordination. (will be freebsd's advisory)
- 2013/11/16 Cve-id request to the [email protected]
- 2013/11/16 The original advisory released on full-disclosure, bugtraq.
EOF
# 0day.today [2018-03-09] #Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
17 Nov 2013 00:00Current
6.9Medium risk
Vulners AI Score6.9