KASAN: use-after-free Read in cipso_v4_genopt
Original report of the bug: https://syzkaller.appspot.com/bug?id=96e7d345748d8814901c91cd92084ed04b46701e
From our analysis, we find that it can lead to one constrained address write.
Fuzzer tested kernel version: 7a7fd0de
Upstream patches: cipso,calipso: resolve a number of problems with the DOI refcounts and net: mac802154: Fix general protection fault
Primitive 1: Constrained address write in netlbl_bitmap_setbit
Bug impact analysis:
doi_def was freed but is still used in cipso_v4_genopt:
    switch (doi_def->tags[iter]) { // doi_def was already freed; this read is the UAF initially caught by syzbot/syzkaller
    case CIPSO_V4_TAG_RBITMAP:
        ret_val = cipso_v4_gentag_rbm(doi_def, // the freed doi_def is passed on to cipso_v4_gentag_rbm
                                      secattr,
                                      &buf[CIPSO_V4_HDR_LEN],
                                      buf_len - CIPSO_V4_HDR_LEN);
        break;
cipso_v4_gentag_rbm then passes the freed doi_def to cipso_v4_map_cat_rbm_hton:
static int cipso_v4_gentag_rbm(const struct cipso_v4_doi *doi_def,
                               const struct netlbl_lsm_secattr *secattr,
                               unsigned char *buffer,
                               u32 buffer_len)
{
    ...
    if (secattr->flags & NETLBL_SECATTR_MLS_CAT) {
        ret_val = cipso_v4_map_cat_rbm_hton(doi_def, // the freed doi_def is passed on to cipso_v4_map_cat_rbm_hton
                                            secattr,
                                            &buffer[4],
                                            buffer_len - 4);
    ...
}
Note that because doi_def was freed, host_cat_array is loaded from freed memory and can point to any address. Furthermore, the elements read through host_cat_array can take arbitrary values:
static int cipso_v4_map_cat_rbm_hton(const struct cipso_v4_doi *doi_def,
                                     const struct netlbl_lsm_secattr *secattr,
                                     unsigned char *net_cat,
                                     u32 net_cat_len)
{
    ...
    u32 *host_cat_array = NULL;
    if (doi_def->type == CIPSO_V4_MAP_TRANS) {
        host_cat_size = doi_def->map.std->cat.local_size;
        host_cat_array = doi_def->map.std->cat.local; // read from freed memory: host_cat_array becomes an arbitrary pointer
    }
    for (;;) {
        ...
        switch (doi_def->type) {
        case CIPSO_V4_MAP_TRANS:
            ...
            net_spot = host_cat_array[host_spot]; // net_spot is read through that pointer and can also be an arbitrary value
            ...
            break;
        }
        ...
        netlbl_bitmap_setbit(net_cat, net_spot, 1); // the uncontrolled net_spot is passed to netlbl_bitmap_setbit as the bit index
        ...
    }
    ...
}
Because bit is not bounded by the bitmap length, it selects the byte index into the bitmap and therefore how far beyond the buffer the write lands (an out-of-bounds memory write):
void netlbl_bitmap_setbit(unsigned char *bitmap, u32 bit, u8 state)
{
    u32 byte_spot;
    u8 bitmask;
    byte_spot = bit / 8; // bit is an arbitrary value, so byte_spot is as well
    bitmask = 0x80 >> (bit % 8);
    if (state)
        bitmap[byte_spot] |= bitmask; // out-of-bounds write: byte_spot is unchecked, so the write can land anywhere in [bitmap, bitmap+536870912)
    else
        bitmap[byte_spot] &= ~bitmask; // out-of-bounds write: byte_spot is unchecked, so the write can land anywhere in [bitmap, bitmap+536870912)
}
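The following is an added example written for this report, not code from the report or from the kernel: it computes the write range the unchecked byte_spot allows and shows a hypothetical length-checked variant of the setbit routine (bitmap_setbit_checked, with a bitmap_len argument the kernel's netlbl_bitmap_setbit does not take) that rejects an out-of-range bit instead of writing it. The real upstream fix addresses the DOI refcounts so doi_def is never freed while in use; the bounds check here only illustrates the constraint on the primitive.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* With bit as a u32 and byte_spot = bit / 8, the largest reachable byte
 * offset is UINT32_MAX / 8 = 536870911, i.e. the range [bitmap, bitmap+536870912). */
uint32_t netlbl_bitmap_max_byte_spot(void)
{
    return UINT32_MAX / 8;
}

/* Hypothetical bounds-checked variant (not the kernel's API): the caller
 * passes the bitmap length in bytes; an out-of-range bit is rejected.
 * Returns 0 on success, -1 if the bit lies outside the bitmap. */
int bitmap_setbit_checked(unsigned char *bitmap, uint32_t bitmap_len,
                          uint32_t bit, uint8_t state)
{
    uint32_t byte_spot = bit / 8;
    uint8_t bitmask = 0x80 >> (bit % 8);

    if (byte_spot >= bitmap_len)
        return -1;
    if (state)
        bitmap[byte_spot] |= bitmask;
    else
        bitmap[byte_spot] &= ~bitmask;
    return 0;
}

/* Constructed sample: a 4-byte category bitmap and a set of bit indices,
 * including the kind of out-of-range values a freed doi_def could yield.
 * Returns how many of the writes the checked variant refused. */
int demo_rejected_writes(void)
{
    unsigned char bitmap[4];
    uint32_t bits[] = { 0, 9, 31, 32, 0xffffffffu };
    int rejected = 0;

    memset(bitmap, 0, sizeof(bitmap));
    for (size_t i = 0; i < sizeof(bits) / sizeof(bits[0]); i++)
        if (bitmap_setbit_checked(bitmap, sizeof(bitmap), bits[i], 1) < 0)
            rejected++;
    return rejected; /* bits 32 and 0xffffffff fall outside the 4 bytes */
}
```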
High-level trace:
|cipso_v4_genopt net/ipv4/cipso_ipv4.c:1784 (Triggered the UAF read bug)
|netlbl_bitmap_setbit net/ipv4/cipso_ipv4.c:829
|netlbl_bitmap_setbit net/netlabel/netlabel_kapi.c:930 (Triggered a new impact: Constrained address write)
Detailed trace:
Total: 159 basic blocks