Allele Security Alert
ASA-2020-00038
Identifier(s)
ASA-2020-00038, CVE-2020-10942
Title
Memory corruption due to the lack of validation of an sk_family field in vhost subsystem
Vendor(s)
Linux Foundation
Product(s)
Linux kernel
Affected version(s)
Linux kernel versions before 5.5.8
Linux kernel versions before 5.4.24
Linux kernel versions before 4.9.216
Linux kernel versions before 4.19.108
Linux kernel versions before 4.14.173
Linux kernel versions since the following commit:
vhost_net: a kernel-level virtio server
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=3a4d5c94e959359ece6d6b55045c3f046677f55c
Fixed version(s)
Linux kernel version 5.5.8
Linux kernel version 5.4.24
Linux kernel version 4.9.216
Linux kernel version 4.19.108
Linux kernel version 4.14.173
Linux kernel versions since the following commit:
vhost: Check docket sk_family instead of call getname
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=42d84c8490f9f0931786f1623191fcab397c3d64
Proof of concept
Yes
Description
In the Linux kernel, get_raw_socket() in drivers/vhost/net.c lacks validation of an sk_family field, which might allow attackers to trigger kernel stack corruption via crafted system calls.
Technical details
There is no guarantee that getname does not use the sockaddr_ll parameter beyond its size. It should not go beyond MAX_ADDR_LEN, but syzbot found that ax25_getname writes more (72 bytes, the size of full_sockaddr_ax25, versus 20 + 32 bytes of sockaddr_ll + MAX_ADDR_LEN in the syzbot repro).
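The size mismatch above, reduced to a userspace simulation (added example, not kernel code and not part of the advisory): the constants are the advisory's 20 + 32 versus 72 bytes, `sim_sock`, `getname_len`, `get_raw_socket_before/after` and the `STACK_CORRUPTED` marker are constructed stand-ins for the kernel objects, and the pre-fix path reports where the real kernel would already have overrun its stack instead of overrunning its own.

```c
#include <errno.h>
#include <stdio.h>

/* Constructed constants taken from the advisory's own arithmetic rather than kernel
 * headers so this builds anywhere: a 20 + 32 byte on-stack buffer versus the 72 bytes
 * ax25_getname writes. The family numbers are Linux's AF_* values. */
#define SOCKADDR_LL_LEN        20u
#define MAX_ADDR_LEN           32u
#define FULL_SOCKADDR_AX25_LEN 72u
#define AF_AX25   3
#define AF_PACKET 17
#define STACK_CORRUPTED (-1000) /* constructed marker: the write exceeded the buffer */
/* Stand-in for the kernel socket: sk_family is fixed when the socket is created. */
struct sim_sock { int sk_family; };

/* Bytes each family's getname callback writes (ax25 from the advisory, the default
 * constructed). Only the callee knows this; the caller's buffer size does not limit it. */
static size_t getname_len(int family)
{
    switch (family) {
    case AF_PACKET: return SOCKADDR_LL_LEN;
    case AF_AX25:   return FULL_SOCKADDR_AX25_LEN;
    default:        return 16; /* a plain struct sockaddr */
    }
}
/* Pre-fix shape: fill a buffer sized for AF_PACKET, then read the family out of it.
 * Rather than really overrunning the stack, report when the write would have. */
int get_raw_socket_before(const struct sim_sock *sock)
{
    unsigned char uaddr[SOCKADDR_LL_LEN + MAX_ADDR_LEN]; /* 52 bytes, like the removed struct */
    if (getname_len(sock->sk_family) > sizeof(uaddr))
        return STACK_CORRUPTED; /* the real kernel had already corrupted its stack here */
    uaddr[0] = (unsigned char)sock->sk_family; /* getname stores the family first */
    return uaddr[0] == AF_PACKET ? 0 : -EPFNOSUPPORT;
}

/* Post-fix shape: ask the socket for sk_family directly; no family-specific buffer is
 * filled before the family is known, so no foreign getname ever runs. */
int get_raw_socket_after(const struct sim_sock *sock)
{
    return sock->sk_family == AF_PACKET ? 0 : -EPFNOSUPPORT;
}
int main(void)
{
    struct sim_sock ax25 = { AF_AX25 }, pkt = { AF_PACKET };
    printf("before: AF_AX25=%d AF_PACKET=%d\n", get_raw_socket_before(&ax25), get_raw_socket_before(&pkt));
    printf("after:  AF_AX25=%d AF_PACKET=%d\n", get_raw_socket_after(&ax25), get_raw_socket_after(&pkt));
    return 0;
}
```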
diff --git a/drivers/vhost/net.c b/drivers/vhost/net.c index e158159671fa..18e205eeb9af 100644 --- a/drivers/vhost/net.c +++ b/drivers/vhost/net.c @@ -1414,10 +1414,6 @@ static int vhost_net_release(struct inode *inode, struct file *f) static struct socket *get_raw_socket(int fd) { - struct { - struct sockaddr_ll sa; - char buf[MAX_ADDR_LEN]; - } uaddr; int r; struct socket *sock = sockfd_lookup(fd, &r); @@ -1430,11 +1426,7 @@ static struct socket *get_raw_socket(int fd) goto err; } - r = sock->ops->getname(sock, (struct sockaddr *)&uaddr.sa, 0); - if (r < 0) - goto err; - - if (uaddr.sa.sll_family != AF_PACKET) { + if (sock->sk->sk_family != AF_PACKET) { r = -EPFNOSUPPORT; goto err; }
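Review bot: In the first hunk, the removed on-stack `uaddr` (a `struct sockaddr_ll` followed by a `MAX_ADDR_LEN` byte buffer, the 20 + 32 bytes the commit text refers to) was the overflow target, and since no other use of `uaddr` remains in get_raw_socket() the removal is complete; check whether the includes that supplied `struct sockaddr_ll` and `MAX_ADDR_LEN` are still needed elsewhere in drivers/vhost/net.c, since this was the only visible user in the function.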
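Review bot: In the second hunk, `sock->sk->sk_family` is fixed when the socket is created, so testing it before any family-specific code runs is the right replacement for reading the family back out of a buffer that a foreign getname() could overrun; the new line does dereference `sock->sk`, so confirm that the elided lines between `sockfd_lookup(fd, &r)` and the `goto err` just above guarantee `sock` is non-NULL with a valid `sk`. Dropping the `r = sock->ops->getname(...)` / `if (r < 0) goto err;` path also means a getname failure no longer rejects the fd, which is acceptable because the decision no longer depends on getname's output, and the `-EPFNOSUPPORT` result for non-AF_PACKET sockets is unchanged.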
Credits
syzkaller
Reference(s)
vhost: Check docket sk_family instead of call getname
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=42d84c8490f9f0931786f1623191fcab397c3d64
vhost: Check docket sk_family instead of call getname
https://github.com/torvalds/linux/commit/42d84c8490f9f0931786f1623191fcab397c3d64
vhost_net: a kernel-level virtio server
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=3a4d5c94e959359ece6d6b55045c3f046677f55c
vhost_net: a kernel-level virtio server
https://github.com/torvalds/linux/commit/3a4d5c94e959359ece6d6b55045c3f046677f55c
Linux 5.5.8
https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.5.8
Linux 5.4.24
https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.4.24
Linux 4.9.216
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.216
Linux 4.19.108
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.108
Linux 4.14.173
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.173
Re: kernel panic: stack is corrupted in vhost_net_ioctl
https://lkml.org/lkml/2020/2/15/125
repro.c
https://syzkaller.appspot.com/x/repro.c?x=1135fa31e00000
CVE-2020-10942 - Red Hat Customer Portal
https://access.redhat.com/security/cve/CVE-2020-10942
CVE-2020-10942
https://security-tracker.debian.org/tracker/CVE-2020-10942
https://people.canonical.com/~ubuntu-security/cve/CVE-2020-10942.html
CVE-2020-10942 | SUSE
https://www.suse.com/security/cve/CVE-2020-10942
CVE-2020-10942
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10942
CVE-2020-10942
https://nvd.nist.gov/vuln/detail/CVE-2020-10942
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: March 25, 2020