xorl %eax, %eax

Linux kernel SysKonnect FDDI PCI driver Inverted Logic Flaw


This is the last fix from 2.6.28.6’s changelog that I found interesting. It was reported to the Linux kernel developers on 28 January 2009 by Roel Kluin and patched in 2.6.28.6. The vulnerable code lives in drivers/net/skfp/skfddi.c, which holds the SysKonnect FDDI (SKFDDI) PCI driver. The following code is taken from the Linux kernel 2.6.28.5 release. Here is the vulnerable function:

static int skfp_ioctl(struct net_device *dev, struct ifreq *rq, int cmd)
{
     ...
        skfddi_priv *lp = &smc->os;
     ...
        if (copy_from_user(&ioc, rq->ifr_data, sizeof(struct s_skfp_ioctl)))
     ...
        switch (ioc.cmd) {
     ...
         case SKFP_CLR_STATS:    /* Zero out the driver statistics */
                 if (!capable(CAP_NET_ADMIN)) {
                         memset(&lp->MacStat, 0, sizeof(lp->MacStat));
                 } else {
                         status = -EPERM;
                 }
     ...
        return status;
}

In other words: if the user requested the SKFP_CLR_STATS ioctl and does not hold the network administration capability (CAP_NET_ADMIN), zero out the driver statistics; in any other case return permission denied. The sense of the capable() test is inverted. Because of this, unprivileged users can erase this driver’s statistics while a CAP_NET_ADMIN holder (i.e. root) cannot. The impact is limited to wiping the counters in lp->MacStat, but it is a textbook example of a privilege check that does exactly the opposite of what was intended. Of course the fix for this bug was trivial:

         if (!capable(CAP_NET_ADMIN)) {
-            memset(&lp->MacStat, 0, sizeof(lp->MacStat));
-        } else {
             status = -EPERM;
+        } else {
+            memset(&lp->MacStat, 0, sizeof(lp->MacStat));
         }
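Review bot: The swap is correct, but the shape that produced the inversion survives: with `if (!capable(CAP_NET_ADMIN))` first, the privileged action sits in the else branch and the two bodies are interchangeable by eye. Consider the guard form instead, `if (!capable(CAP_NET_ADMIN)) { status = -EPERM; break; }` followed by the `memset()` as straight-line code, so the privileged path is the one that reads top to bottom. Two things are not visible in this hunk and worth confirming in the full function: that `status` is initialised to 0 before the switch so the success path returns 0, and that no other case in skfp_ioctl tests capable() with the branches reversed the same way.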

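To make the inversion concrete without a kernel, here is an added example (not code from the original post or from the kernel tree) that models the SKFP_CLR_STATS case in user space. It is an assumption of this model that capable() takes the caller's capability set as an explicit bitmask instead of reading current credentials, that struct mac_stat stands in for the driver's MacStat block, and that the names clr_stats_vulnerable, clr_stats_fixed, clr_stats_guard, clears_stats and handler_status are invented for the example. It runs the 2.6.28.5 version, the 2.6.28.6 version, and a guard-clause rewrite of the same policy against an unprivileged caller and a CAP_NET_ADMIN holder, and reports who gets to wipe the counters.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Kernel capability number for CAP_NET_ADMIN; used only as a bit index here. */
#define CAP_NET_ADMIN 12

/* Stand-in for the driver's lp->MacStat block (constructed, not the real layout). */
struct mac_stat {
    unsigned long rx_packets;
    unsigned long tx_packets;
    unsigned long rx_errors;
};

/* The caller's capability set as a bitmask.  The kernel's capable() reads
 * the current task's credentials; this model takes the set explicitly. */
typedef unsigned long caps_t;

static int capable(caps_t caller_caps, int cap)
{
    return (caller_caps & (1UL << cap)) != 0;
}

/* SKFP_CLR_STATS as shipped in 2.6.28.5: the condition is inverted. */
static int clr_stats_vulnerable(caps_t caller_caps, struct mac_stat *st)
{
    int status = 0;
    if (!capable(caller_caps, CAP_NET_ADMIN)) {
        memset(st, 0, sizeof(*st));   /* unprivileged caller wipes the counters */
    } else {
        status = -EPERM;              /* CAP_NET_ADMIN holder is refused */
    }
    return status;
}

/* The same case after the 2.6.28.6 fix: the two branch bodies swapped. */
static int clr_stats_fixed(caps_t caller_caps, struct mac_stat *st)
{
    int status = 0;
    if (!capable(caller_caps, CAP_NET_ADMIN)) {
        status = -EPERM;
    } else {
        memset(st, 0, sizeof(*st));
    }
    return status;
}

/* Same policy written as a guard clause: the privilege test fails early and
 * the privileged action is straight-line code, so there is no else branch
 * whose body can be confused with the other one. */
static int clr_stats_guard(caps_t caller_caps, struct mac_stat *st)
{
    if (!capable(caller_caps, CAP_NET_ADMIN))
        return -EPERM;
    memset(st, 0, sizeof(*st));
    return 0;
}

typedef int (*clr_stats_fn)(caps_t, struct mac_stat *);

/* Run a handler for a caller against fresh non-zero counters and report
 * whether they were zeroed (1) or left untouched (0). */
static int clears_stats(clr_stats_fn handler, caps_t caller_caps)
{
    struct mac_stat st = { 100, 200, 3 }, zero;
    memset(&zero, 0, sizeof(zero));
    (void)handler(caller_caps, &st);
    return memcmp(&st, &zero, sizeof(st)) == 0;
}

/* Run a handler for a caller and return its status code (0 or -EPERM). */
static int handler_status(clr_stats_fn handler, caps_t caller_caps)
{
    struct mac_stat st = { 100, 200, 3 };
    return handler(caller_caps, &st);
}

int main(void)
{
    struct { const char *name; clr_stats_fn fn; } handlers[] = {
        { "vulnerable", clr_stats_vulnerable },
        { "fixed",      clr_stats_fixed },
        { "guard",      clr_stats_guard },
    };
    caps_t callers[] = { 0, 1UL << CAP_NET_ADMIN };
    const char *caller_names[] = { "unprivileged", "CAP_NET_ADMIN" };

    for (size_t h = 0; h < sizeof handlers / sizeof handlers[0]; h++)
        for (size_t c = 0; c < 2; c++)
            printf("%-10s caller=%-13s status=%3d cleared=%d\n",
                   handlers[h].name, caller_names[c],
                   handler_status(handlers[h].fn, callers[c]),
                   clears_stats(handlers[h].fn, callers[c]));
    return 0;
}
```

The vulnerable row pair shows the bug exactly as the post describes it: the unprivileged caller gets status 0 and zeroed counters, the CAP_NET_ADMIN caller gets -EPERM and untouched counters. The fixed and guard variants agree with each other; the guard form is the one to reach for in new code, since a privilege check that returns early cannot be inverted by swapping two braces.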
Written by xorl

February 19, 2009 at 15:40

Posted in bugs, linux
