xorl %eax, %eax

CVE-2011-1598: Linux kernel CAN/BCM Socket NULL Pointer Dereference

with 4 comments

This one was reported by Dave Jones and the susceptible code is available in the net/can/bcm.c file.

/*
 * standard socket functions
 */
static int bcm_release(struct socket *sock)
{
        struct sock *sk = sock->sk;
        struct bcm_sock *bo = bcm_sk(sk);
        struct bcm_op *op, *next;

        /* remove bcm_ops, timer, rx_unregister(), etc. */

        unregister_netdevice_notifier(&bo->notifier);
  ...
        release_sock(sk);
        sock_put(sk);

        return 0;
}

In its very beginning it initializes ‘bo’ pointer using bcm_sk() in order to cast the socket pointer.

struct bcm_sock {
        struct sock sk;
        int bound;
        int ifindex;
        struct notifier_block notifier;
        struct list_head rx_ops;
        struct list_head tx_ops;
        unsigned long dropped_usr_msgs;
        struct proc_dir_entry *bcm_proc_read;
        char procname [32]; /* inode number in decimal with \0 */
};

static inline struct bcm_sock *bcm_sk(const struct sock *sk)
{
        return (struct bcm_sock *)sk;
}

However, the ‘sock->sk’ can be NULL and thus the subsequent operations on ‘bo’ pointer will result in a NULL pointer dereference. The fix to this bug was to add the missing check as shown below.

 	struct sock *sk = sock->sk;
-	struct bcm_sock *bo = bcm_sk(sk);
+	struct bcm_sock *bo;
 	struct bcm_op *op, *next;

+	if (sk == NULL)
+		return 0;
+
+	bo = bcm_sk(sk);
+
 	/* remove bcm_ops, timer, rx_unregister(), etc. */

Written by xorl

April 28, 2011 at 19:39

Posted in bugs, linux

4 Responses

Subscribe to comments with RSS.

  1. xorl, could you write a post or comment on how to track such bugs on *nix? I’ve found this one here: http://permalink.gmane.org/gmane.linux.network/192898
    But how to keep an eye on all found bugs? Some RSS or mailing list that covers all of them? Thanks!

    toast

    April 29, 2011 at 12:14

  2. I do not have any specific methodology. I use all kinds of resources. From mailing lists the most interesting ones I can recall are:
    – oss-security
    – lkml
    – freebsd-bugs
    – openbsd-misc
    – bugtraq
    – full-disclosure

    Now, one of the best things is to simply read the ChangeLogs of the software you are interested in.

    Of course, there are also many many websites with published vulnerabilities including:
    – securityfocus
    – secunia
    – idefense

    Also, there are numerous security people having blogs and websites which is also a good resource for such information.

    xorl

    April 29, 2011 at 15:40

  3. Hey, so it’s exploitable?

    im

    July 19, 2011 at 22:59

  4. I haven’t attempted to exploit this. Consequently, I don’t know if it is exploitable or not.

    xorl

    July 20, 2011 at 20:23


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s