ASA-2018-00053 – Linux kernel: Integer overflow in queue_stack_map_alloc()


Allele Security Alert

ASA-2018-00053

Identifier(s)

ASA-2018-00053

Title

Integer overflow in queue_stack_map_alloc()

Vendor(s)

Linux Foundation

Product(s)

Linux kernel

Affected version(s)

Linux kernel version 4.20-rc1

Fixed version(s)

Linux kernel version 4.20-rc5

Proof of concept

Yes

Description

There is an integer overflow in the BPF function queue_stack_map_alloc() in Linux kernel version 4.20-rc1 that leads to a later heap buffer overflow. This vulnerability can lead to privilege escalation.

Technical details

The following code contains an integer overflow in the calculation size = attr->max_entries + 1. size is used to compute queue_size on line 72, and queue_size is the length passed to the allocator. If attr->max_entries is 0xffffffff, size wraps to zero, so a buffer smaller than the map claims to hold is allocated.

File: kernel/bpf/queue_stack_maps.c
---
62 static struct bpf_map *queue_stack_map_alloc(union bpf_attr *attr)
63 {
64 	int ret, numa_node = bpf_map_attr_numa_node(attr);
65 	struct bpf_queue_stack *qs;
66 	u32 size, value_size;
67 	u64 queue_size, cost;
68
69 	size = attr->max_entries + 1;
70 	value_size = attr->value_size;
71
72 	queue_size = sizeof(*qs) + (u64) value_size * size;
73
74 	cost = queue_size;
75 	if (cost >= U32_MAX - PAGE_SIZE)
76 		return ERR_PTR(-E2BIG);
77
78 	cost = round_up(cost, PAGE_SIZE) >> PAGE_SHIFT;
79
80 	ret = bpf_map_precharge_memlock(cost);
81 	if (ret < 0)
82 		return ERR_PTR(ret);
83
84 	qs = bpf_map_area_alloc(queue_size, numa_node);
...
---

Later, in queue_stack_map_push_elem(), user-controllable content is written into this undersized buffer, so pushes beyond the allocated size overflow the heap by an arbitrary length.

File: kernel/bpf/queue_stack_maps.c
---
...
229 	dst = &qs->elements[qs->head * qs->map.value_size];
230 	memcpy(dst, value, qs->map.value_size);
...
---
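The size arithmetic from the two listings above, as an added stand-alone model rather than the kernel's code or the upstream patch: the u32 computation used in 4.20-rc1 next to a widened-and-checked version that cannot wrap. QS_HEADER is a constructed stand-in for sizeof(*qs), and the constants are copied from the values the listing uses.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed constants modelled on what the listing references. */
#define PAGE_SIZE 4096ULL
#define U32_MAX   0xffffffffU
#define QS_HEADER 128ULL   /* stand-in for sizeof(struct bpf_queue_stack) */

/* The cost limit the listing applies before allocating. */
static bool cost_check_passes(uint64_t queue_size)
{
	return queue_size < U32_MAX - PAGE_SIZE;
}

/* Exactly the 4.20-rc1 arithmetic: size is u32, so max_entries + 1
 * wraps to 0 for max_entries == 0xffffffff and the header alone is allocated. */
static uint64_t queue_size_vulnerable(uint32_t max_entries, uint32_t value_size)
{
	uint32_t size = max_entries + 1;                 /* u32 wrap-around here */
	return QS_HEADER + (uint64_t) value_size * size;
}

/* Hardened variant: widen before the add so no wrap is possible, then apply
 * the same cost limit. Returns 0 where the kernel would return -E2BIG. */
static uint64_t queue_size_checked(uint32_t max_entries, uint32_t value_size)
{
	uint64_t size = (uint64_t) max_entries + 1;      /* cannot wrap in u64 */
	uint64_t queue_size = QS_HEADER + size * value_size;
	return cost_check_passes(queue_size) ? queue_size : 0;
}

/* Element slots the allocation really holds, versus max_entries the map claims. */
static uint64_t elements_that_fit(uint64_t queue_size, uint32_t value_size)
{
	return value_size ? (queue_size - QS_HEADER) / value_size : 0;
}

int main(void)
{
	uint64_t vuln = queue_size_vulnerable(0xffffffffU, 8);
	printf("vulnerable: %llu bytes, cost check %s, %llu slots for 4294967295 entries\n",
	       (unsigned long long) vuln, cost_check_passes(vuln) ? "passes" : "fails",
	       (unsigned long long) elements_that_fit(vuln, 8));
	printf("checked: %llu (0 means rejected)\n",
	       (unsigned long long) queue_size_checked(0xffffffffU, 8));
	return 0;
}
```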

Credits

Wei Wu

Reference(s)

[PATCH bpf] bpf: Fix integer overflow in queue_stack_map_alloc.
https://marc.info/?l=linux-netdev&m=154290236228315&w=2

fwd: [vs-plain] Kernel heap overflow in bpf leading to LPE (exploit provided)
https://seclists.org/oss-sec/2018/q4/170

[PATCH bpf] bpf: fix integer overflow in queue_stack_map
https://marc.info/?l=linux-netdev&m=154291261031288&w=2

Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf
https://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git/commit/?id=69500127424cd90ff2cf8191256b2ac3b0a4af56

Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf
https://github.com/torvalds/linux/commit/69500127424cd90ff2cf8191256b2ac3b0a4af56

If there is any error in this alert or you wish a comprehensive analysis, let us know.

Last modified: October 10, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.