xorl %eax, %eax

CVE-2010-4082: Linux kernel VIAFB_GET_INFO IOCTL Infoleak

leave a comment »

This was one of the countless Linux kernel information leak vulnerabilities disclosed by Dan Rosenberg. The bug was pretty easy to spot and you could find it at drivers/video/via/ioctl.c like this:

int viafb_ioctl_get_viafb_info(u_long arg)
{
        struct viafb_ioctl_info viainfo;

        viainfo.viafb_id = VIAID;
        viainfo.vendor_id = PCI_VIA_VENDOR_ID;

        switch (viaparinfo->chip_info->gfx_chip_name) {
    ...
        if (copy_to_user((void __user *)arg, &viainfo, sizeof(viainfo)))
                return -EFAULT;

        return 0;
}

The problem is that the entire ‘viainfo’ structure is copied to the userspace using copy_to_user() but its “reserved” member which is a 246 Bytes array remains uninitialized. For completeness, here is the structure’s definition as seen at drivers/video/via/ioctl.h header file.

struct viafb_ioctl_info {
        u32 viafb_id;           /* for identifying viafb */
#define VIAID       0x56494146  /* Identify myself with 'VIAF' */
        u16 vendor_id;
        u16 device_id;
        u8 version;
        u8 revision;
        u8 reserved[246];       /* for future use */
};

Of course, the fix was to zero out this array before copying the data to user land.

        struct viafb_ioctl_info viainfo;
 
+       memset(&viainfo, 0, sizeof(struct viafb_ioctl_info));
+
        viainfo.viafb_id = VIAID;

At last, if we have a look at the IOCTL handler located at drivers/video/via/viafbdev.c we’ll see that this is reachable using the ‘VIAFB_GET_INFO’ command.

static int viafb_ioctl(struct fb_info *info, u_int cmd, u_long arg)
{
    ...
        switch (cmd) {
    ...
        case VIAFB_GET_INFO:
                return viafb_ioctl_get_viafb_info(arg);
    ...
        return 0;
}

Written by xorl

January 3, 2011 at 23:14

Posted in bugs, linux

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s