ASA-2020-00038 – Linux kernel: Memory corruption due to the lack of validation of an sk_family field in vhost subsystem


Allele Security Alert

ASA-2020-00038

Identifier(s)

ASA-2020-00038, CVE-2020-10942

Title

Memory corruption due to the lack of validation of an sk_family field in vhost subsystem

Vendor(s)

Linux Foundation

Product(s)

Linux kernel

Affected version(s)

Linux kernel versions before 5.5.8
Linux kernel versions before 5.4.24
Linux kernel versions before 4.9.216
Linux kernel versions before 4.19.108
Linux kernel versions before 4.14.173

Linux kernel versions since the following commit:

vhost_net: a kernel-level virtio server
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=3a4d5c94e959359ece6d6b55045c3f046677f55c

Fixed version(s)

Linux kernel version 5.5.8
Linux kernel version 5.4.24
Linux kernel version 4.9.216
Linux kernel version 4.19.108
Linux kernel version 4.14.173

Linux kernel versions since the following commit:

vhost: Check docket sk_family instead of call getname
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=42d84c8490f9f0931786f1623191fcab397c3d64

Proof of concept

Yes

Description

In the Linux kernel, get_raw_socket() in drivers/vhost/net.c lacks validation of an sk_family field, which might allow attackers to trigger kernel stack corruption via crafted system calls.

Technical details

There is no guarantee that a getname implementation uses the sockaddr_ll parameter only within its size. It should not write beyond MAX_ADDR_LEN, but syzbot found that ax25_getname writes more (72 bytes, the size of full_sockaddr_ax25, versus the 20 + 32 bytes of sockaddr_ll + MAX_ADDR_LEN in the syzbot repro).
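The following is an added example, not the kernel's code: a user-space model of the pattern above, in which a fixed-size on-stack uaddr is handed to a family-specific getname that writes its own address size, beside the shape of the fix that checks the socket's family field directly. The struct sizes (20, 32, 72) are taken from the advisory; the socket objects, the mock_getname callback and the canary bytes are constructed for the example.

```c
/* Added example, not kernel code: user-space model of the CVE-2020-10942
 * pattern in get_raw_socket(). Sizes follow the advisory (sockaddr_ll 20,
 * MAX_ADDR_LEN 32, full_sockaddr_ax25 72 bytes); sockets/getname are mocks. */
#include <errno.h>
#include <string.h>

#define MOCK_AF_AX25     3
#define MOCK_AF_PACKET   17
#define UADDR_SIZE       (20 + 32)  /* sizeof(sockaddr_ll) + MAX_ADDR_LEN */
#define CANARY_SIZE      32         /* stands in for the rest of the frame */
#define AX25_NAME_SIZE   72         /* sizeof(full_sockaddr_ax25) */
#define PACKET_NAME_SIZE 20         /* sizeof(sockaddr_ll) */

struct mock_socket {
    unsigned short sk_family;       /* the field the fix inspects directly */
    /* like the real op, getname gets no buffer length: it writes its
     * family's full address and returns the number of bytes written */
    int (*getname)(struct mock_socket *s, unsigned char *addr);
};

static int mock_getname(struct mock_socket *s, unsigned char *addr)
{
    int len = s->sk_family == MOCK_AF_AX25 ? AX25_NAME_SIZE : PACKET_NAME_SIZE;
    memset(addr, 0xA5, len);
    memcpy(addr, &s->sk_family, sizeof s->sk_family);  /* sa_family first */
    return len;
}
struct mock_socket ax25_sock   = { MOCK_AF_AX25,   mock_getname };
struct mock_socket packet_sock = { MOCK_AF_PACKET, mock_getname };

/* Pre-fix shape: 0 for AF_PACKET, -EPFNOSUPPORT otherwise, and -EFAULT
 * when getname wrote past uaddr into the canary (the stack corruption). */
int vulnerable_get_raw_socket(struct mock_socket *sock)
{
    unsigned char frame[UADDR_SIZE + CANARY_SIZE];
    unsigned short family;
    memset(frame + UADDR_SIZE, 0xCC, CANARY_SIZE);
    sock->getname(sock, frame);            /* AX.25 writes 72 bytes into 52 */
    for (int i = 0; i < CANARY_SIZE; i++)
        if (frame[UADDR_SIZE + i] != 0xCC)
            return -EFAULT;
    memcpy(&family, frame, sizeof family);  /* uaddr.sa.sll_family */
    return family == MOCK_AF_PACKET ? 0 : -EPFNOSUPPORT;
}

/* Post-fix shape: check the family on the socket itself; no getname call. */
int fixed_get_raw_socket(struct mock_socket *sock)
{
    return sock->sk_family == MOCK_AF_PACKET ? 0 : -EPFNOSUPPORT;
}
```

The canary is kept inside the model's own array so the example stays memory-safe while still showing that the pre-fix path lets a non-AF_PACKET socket overwrite bytes beyond uaddr before the family is ever compared.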

diff --git a/drivers/vhost/net.c b/drivers/vhost/net.c
index e158159671fa..18e205eeb9af 100644
--- a/drivers/vhost/net.c
+++ b/drivers/vhost/net.c
@@ -1414,10 +1414,6 @@ static int vhost_net_release(struct inode *inode, struct file *f)

static struct socket *get_raw_socket(int fd)
{
-    struct {
-        struct sockaddr_ll sa;
-        char buf[MAX_ADDR_LEN];
-    } uaddr;
     int r;
     struct socket *sock = sockfd_lookup(fd, &r);
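Review bot: dropping the on-stack uaddr aggregate is the correct fix for the overflow, because its 20 + 32 bytes (sockaddr_ll plus MAX_ADDR_LEN) are no upper bound on what a family-specific getname may write; the technical details cite ax25_getname filling 72 bytes. Make sure the second hunk removes every remaining use of uaddr, otherwise this hunk alone leaves an undeclared identifier.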

@@ -1430,11 +1426,7 @@ static struct socket *get_raw_socket(int fd)
         goto err;
     }

-    r = sock->ops->getname(sock, (struct sockaddr *)&uaddr.sa, 0);
-    if (r < 0)
-        goto err;
-
-     if (uaddr.sa.sll_family != AF_PACKET) {
+     if (sock->sk->sk_family != AF_PACKET) {
         r = -EPFNOSUPPORT;
         goto err;
}
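Review bot: replacing the getname call with a direct test of sock->sk->sk_family removes the stack buffer entirely, so no family-specific getname can write into this frame. sock->sk is dereferenced without a NULL test in this hunk; confirm that the checks between sockfd_lookup() and the `goto err` at the top of the hunk already reject sockets without a valid sk, since the context shown here does not include them. With `if (r < 0) goto err;` gone, r is no longer set by getname, so `r = -EPFNOSUPPORT;` is the only assignment on this error path, which is consistent with the caller expecting a negative errno.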

Credits

syzkaller

Reference(s)

vhost: Check docket sk_family instead of call getname
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=42d84c8490f9f0931786f1623191fcab397c3d64

vhost: Check docket sk_family instead of call getname
https://github.com/torvalds/linux/commit/42d84c8490f9f0931786f1623191fcab397c3d64

vhost_net: a kernel-level virtio server
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=3a4d5c94e959359ece6d6b55045c3f046677f55c

vhost_net: a kernel-level virtio server
https://github.com/torvalds/linux/commit/3a4d5c94e959359ece6d6b55045c3f046677f55c

Linux 5.5.8
https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.5.8

Linux 5.4.24
https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.4.24

Linux 4.9.216
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.216

Linux 4.19.108
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.108

Linux 4.14.173
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.173

Re: kernel panic: stack is corrupted in vhost_net_ioctl
https://lkml.org/lkml/2020/2/15/125

repro.c
https://syzkaller.appspot.com/x/repro.c?x=1135fa31e00000

CVE-2020-10942 - Red Hat Customer Portal
https://access.redhat.com/security/cve/CVE-2020-10942

CVE-2020-10942
https://security-tracker.debian.org/tracker/CVE-2020-10942

CVE-2020-10942 in Ubuntu
https://people.canonical.com/~ubuntu-security/cve/CVE-2020-10942.html

CVE-2020-10942 | SUSE
https://www.suse.com/security/cve/CVE-2020-10942

CVE-2020-10942
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10942

CVE-2020-10942
https://nvd.nist.gov/vuln/detail/CVE-2020-10942

If there is any error in this alert or you wish a comprehensive analysis, let us know.

Last modified: March 25, 2020

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.