xorl %eax, %eax

Linux kernel Mylex DAC960 Driver Invalid Memory Access


This was reported by Michael Buesch and it cannot be considered a critical vulnerability, since the attacker needs write access to DAC960's procfs file (/proc/rd/cN/user_command). Nevertheless, here is the vulnerable code as seen in the 2.6.30 release of the Linux kernel.

static int DAC960_ProcWriteUserCommand(struct file *file,
                                       const char __user *Buffer,
                                       unsigned long Count, void *Data)
{
  DAC960_Controller_T *Controller = (DAC960_Controller_T *) Data;
  unsigned char CommandBuffer[80];
  int Length;
  /* reject writes that would not leave room for the NUL terminator */
  if (Count > sizeof(CommandBuffer)-1) return -EINVAL;
  if (copy_from_user(CommandBuffer, Buffer, Count)) return -EFAULT;
  CommandBuffer[Count] = '\0';
  Length = strlen(CommandBuffer);
  /* strip a trailing newline; Length == 0 makes this index -1 */
  if (CommandBuffer[Length-1] == '\n')
    CommandBuffer[--Length] = '\0';
  if (Controller->FirmwareType == DAC960_V1_Controller)
    return (DAC960_V1_ExecuteUserCommand(Controller, CommandBuffer)
            ? Count : -EBUSY);
  else
    return (DAC960_V2_ExecuteUserCommand(Controller, CommandBuffer)
            ? Count : -EBUSY);
}

As you can read, 'Length' is initialized with the result of strlen() (the string's length, not counting the NUL terminator), and the code then accesses CommandBuffer[Length-1] to check whether the last character is a '\n'. However, if the user wrote an empty string to that file (so the buffer holds just a single NUL byte), strlen() returns 0 and the code accesses CommandBuffer[-1], one byte before the stack buffer; if that byte happens to be '\n', a NUL byte is written there. To fix this the following patch was applied:
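To make the edge case concrete, the following user-space model of the write handler is an added example, not code from the kernel or from this post. It keeps the driver's buffer size, bound check and newline trimming, replaces copy_from_user() with memcpy(), drops the firmware dispatch, and records the index the unguarded check would have read (Length - 1) without dereferencing it, so the out-of-bounds case is reported rather than triggered. The struct, function and input strings are all constructed for the example.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define CMD_BUF_SIZE 80   /* same size as CommandBuffer[80] in the driver */

/* Result of one simulated write to /proc/rd/cN/user_command (constructed type). */
struct trim_result {
    int rc;                     /* -EINVAL for oversized writes, else bytes accepted */
    long probed_index;          /* index the unguarded check reads: Length - 1 */
    int unpatched_oob;          /* 1 when that index lies before CommandBuffer */
    char cmd[CMD_BUF_SIZE];     /* command text the handler would pass on */
};

/* An 80-byte write, one more than the handler accepts (constructed input). */
const unsigned char OVERSIZED[CMD_BUF_SIZE] = { 0 };

/*
 * User-space model of DAC960_ProcWriteUserCommand with the Length > 0 guard
 * applied. copy_from_user() is replaced by memcpy() and the firmware dispatch
 * is dropped; the bound check and newline trimming follow the driver.
 */
struct trim_result simulate_write(const unsigned char *user_buf, size_t count)
{
    struct trim_result r;
    unsigned char CommandBuffer[CMD_BUF_SIZE];
    int Length;

    memset(&r, 0, sizeof r);
    if (count > sizeof(CommandBuffer) - 1) {   /* same bound as the driver */
        r.rc = -EINVAL;
        return r;
    }
    memcpy(CommandBuffer, user_buf, count);
    CommandBuffer[count] = '\0';
    Length = (int)strlen((const char *)CommandBuffer);

    /* Record what the unguarded code would dereference, without doing it.
       count <= 79 keeps Length - 1 below the upper bound, so the only
       possible out-of-bounds index is -1 (empty string or leading NUL). */
    r.probed_index = (long)Length - 1;
    r.unpatched_oob = (r.probed_index < 0);

    /* The guarded check: Length > 0 prevents the read of CommandBuffer[-1]. */
    if (Length > 0 && CommandBuffer[Length - 1] == '\n')
        CommandBuffer[--Length] = '\0';

    memcpy(r.cmd, CommandBuffer, (size_t)Length + 1);
    r.rc = (int)count;
    return r;
}

static void report(const char *label, const unsigned char *buf, size_t count)
{
    struct trim_result r = simulate_write(buf, count);
    printf("%-16s rc=%d  cmd=\"%s\"  unguarded index=%ld%s\n",
           label, r.rc, r.cmd, r.probed_index,
           r.unpatched_oob ? "  <- out of bounds" : "");
}

int main(void)
{
    /* Constructed inputs: a normal command, a bare newline, an empty write,
       a write whose first byte is NUL, and an oversized write. */
    report("normal+newline", (const unsigned char *)"command\n", 8);
    report("bare newline",   (const unsigned char *)"\n", 1);
    report("empty write",    (const unsigned char *)"", 0);
    report("leading NUL",    (const unsigned char *)"\0xyz", 4);
    report("oversized",      OVERSIZED, sizeof OVERSIZED);
    return 0;
}
```

Two inputs reach index -1: a zero-length write, and any write whose first byte is NUL, since strlen() stops there regardless of Count. The bound check on Count does nothing for either, which is why the guard has to be on Length rather than on the write size.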

   Length = strlen(CommandBuffer);
-  if (CommandBuffer[Length-1] == '\n')
+  if (Length > 0 && CommandBuffer[Length-1] == '\n')
     CommandBuffer[--Length] = '';
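Review bot: the `Length > 0 &&` guard on the `+` line is the right minimal fix, and because `Length` comes from strlen() rather than Count it also covers a write whose first byte is NUL, not only a zero-length write; both make strlen() return 0 and the old condition index CommandBuffer[-1]. One presentation nit in the quoted context line `CommandBuffer[--Length] = '';`: an empty character constant does not compile, so this is almost certainly `'\0'` in the actual source and was lost in rendering; it is worth restoring so the hunk can be copied as shown.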

Written by xorl

July 19, 2009 at 16:18

Posted in linux, vulnerabilities
