Allele Security Alert
ASA-2018-00053
Identifier(s)
ASA-2018-00053
Title
Integer overflow in queue_stack_map_alloc()
Vendor(s)
Linux Foundation
Product(s)
Linux kernel
Affected version(s)
Linux kernel version 4.20-rc1
Fixed version(s)
Linux kernel version 4.20-rc5
Proof of concept
Yes
Description
There is an integer overflow in the BPF function queue_stack_map_alloc() in Linux kernel version 4.20-rc1 that later leads to a buffer overflow. This vulnerability can lead to privilege escalation.
Technical details
The following code shows an integer overflow when calculating size = attr->max_entries + 1 (line 69). size is used to calculate queue_size in line 72, and queue_size is the length passed to the allocator. If attr->max_entries is 0xffffffff, size wraps to zero, which results in a buffer being allocated that is smaller than the map's element count requires.
File: kernel/bpf/queue_stack_maps.c
---
static struct bpf_map *queue_stack_map_alloc(union bpf_attr *attr)
63 {
64 	int ret, numa_node = bpf_map_attr_numa_node(attr);
65 	struct bpf_queue_stack *qs;
66 	u32 size, value_size;
67 	u64 queue_size, cost;
68
69 	size = attr->max_entries + 1;
70 	value_size = attr->value_size;
71
72 	queue_size = sizeof(*qs) + (u64) value_size * size;
73
74 	cost = queue_size;
75 	if (cost >= U32_MAX - PAGE_SIZE)
76 		return ERR_PTR(-E2BIG);
77
78 	cost = round_up(cost, PAGE_SIZE) >> PAGE_SHIFT;
79
80 	ret = bpf_map_precharge_memlock(cost);
81 	if (ret < 0)
82 		return ERR_PTR(ret);
83
84 	qs = bpf_map_area_alloc(queue_size, numa_node);
...
---
Later, in queue_stack_map_push_elem(), this undersized buffer can be overflowed with user-controllable content of arbitrary length.
File: kernel/bpf/queue_stack_maps.c
---
...
229 dst = &qs->elements[qs->head * qs->map.value_size];
230 memcpy(dst, value, qs->map.value_size);
...
---
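As an added illustration (not part of the original advisory or of the kernel source), the following stand-alone C model reproduces the size arithmetic above with the u32 size of 4.20-rc1 beside a variant that widens size to u64 before the increment, which is the approach the referenced fix takes. The struct header size and the page constants are assumed values for the model, not copied from the kernel.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed constants for this model; the kernel's real values differ. */
#ifndef PAGE_SIZE
#define PAGE_SIZE 4096ULL
#endif
#define U32_MAX ((uint32_t)~0U)
#define QS_HEADER_SIZE 64ULL   /* assumed stand-in for sizeof(struct bpf_queue_stack) */

/* Models the 4.20-rc1 arithmetic: size is u32, so max_entries + 1 wraps to 0
 * when max_entries == 0xffffffff and the cost check sees only the header. */
static int queue_size_vulnerable(uint32_t max_entries, uint32_t value_size,
                                 uint64_t *out)
{
    uint32_t size = max_entries + 1;                         /* u32 wraparound */
    uint64_t queue_size = QS_HEADER_SIZE + (uint64_t)value_size * size;
    uint64_t cost = queue_size;

    if (cost >= U32_MAX - PAGE_SIZE)
        return -E2BIG;
    *out = queue_size;                                       /* allocator length */
    return 0;
}

/* Hardened variant: compute the element count in u64 so it cannot wrap, which
 * lets the existing cost check reject an oversized map as intended. */
static int queue_size_fixed(uint32_t max_entries, uint32_t value_size,
                            uint64_t *out)
{
    uint64_t size = (uint64_t)max_entries + 1;               /* no wraparound */
    uint64_t queue_size = QS_HEADER_SIZE + (uint64_t)value_size * size;

    if (queue_size >= U32_MAX - PAGE_SIZE)
        return -E2BIG;
    *out = queue_size;
    return 0;
}

int main(void)
{
    uint64_t sz = 0;
    int rc = queue_size_vulnerable(0xffffffffU, 8, &sz);
    printf("vulnerable: rc=%d queue_size=%llu (header only)\n", rc,
           (unsigned long long)sz);
    rc = queue_size_fixed(0xffffffffU, 8, &sz);
    printf("fixed: rc=%d (%s)\n", rc, rc == -E2BIG ? "rejected" : "accepted");
    return 0;
}
```

Run it to see the vulnerable path accept max_entries = 0xffffffff with a header-sized allocation while the widened computation fails the same cost check with -E2BIG.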
Credits
Wei Wu
Reference(s)
[PATCH bpf] bpf: Fix integer overflow in queue_stack_map_alloc.
https://marc.info/?l=linux-netdev&m=154290236228315&w=2
fwd: [vs-plain] Kernel heap overflow in bpf leading to LPE (exploit provided)
https://seclists.org/oss-sec/2018/q4/170
[PATCH bpf] bpf: fix integer overflow in queue_stack_map
https://marc.info/?l=linux-netdev&m=154291261031288&w=2
Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf
https://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git/commit/?id=69500127424cd90ff2cf8191256b2ac3b0a4af56
Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf
https://github.com/torvalds/linux/commit/69500127424cd90ff2cf8191256b2ac3b0a4af56
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: October 10, 2019