Double free in DCCP module causing kernel panic
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
linux (Ubuntu) | Fix Released | Undecided | Hadar Manor |
Bug Description
The problem is that when the sock object gets cloned via dccp_create_
it gives all its attributes to the child sock object, and no reference counter
is taken for the object dccps_hc_tx_ccid.
If one of the sock objects (the parent or the child) is closed or disconnected,
it frees the target object dccps_hc_tx_ccid and leaves a dangling pointer in the other sock object.
This causes an exploitable double free of an object that contains function pointers.
We can free dccps_hc_tx_ccid by calling connect(
then call close(); we'll potentially have RIP control.
This chunk of code is responsible for freeing dccps_hc_tx_ccid; if called again it will call
ccid_hc_tx_exit() from a freed object:
```c
/* DCCP CCID helper that tears down the per-socket TX CCID state.
 * The page's snippet was cut off; this is the kernel's ccid_hc_tx_delete(),
 * the function the disassembly below names. */
static inline void ccid_hc_tx_delete(struct ccid *ccid, struct sock *sk)
{
	if (ccid != NULL) {
		/* run the CCID's own exit hook through its ops function pointer */
		if (ccid->ccid_ops->ccid_hc_tx_exit != NULL)
			ccid->ccid_ops->ccid_hc_tx_exit(sk);
		/* return the object to its slab: a second call on the same pointer is the double free */
		kmem_cache_free(ccid->ccid_ops->ccid_hc_tx_slab, ccid);
	}
}
```
disassembly :
(gdb) disas ccid_hc_tx_delete
Dump of assembler code for function ccid_hc_tx_delete:
End of assembler dump.
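The ownership problem the report describes, as an added userspace model (not kernel code and not part of the report): a CCID-like object with a function-pointer ops table is shared by a parent and a cloned child socket, the buggy clone copies the raw pointer, and the hardened clone takes a reference so the object is released exactly once. The fields `refcnt` and `released` and the helpers `clone_sock` and `teardown_both` are constructed for this model.

```c
#include <stdlib.h>
/* Constructed model (not kernel code) of the ownership bug in the report.
 * Names mirror the report; refcnt and released are model-only fields. */
struct ccid_ops { void (*ccid_hc_tx_exit)(void *sk); };
struct ccid {
    const struct ccid_ops *ccid_ops;
    int refcnt;    /* owners holding this object */
    int released;  /* times the free path ran; >1 means double free */
};
struct dccp_sock { struct ccid *dccps_hc_tx_ccid; };
static void tx_exit(void *sk) { (void)sk; }
static const struct ccid_ops ops = { .ccid_hc_tx_exit = tx_exit };

/* Models ccid_hc_tx_delete(): run the exit hook, then "free" by bumping
 * released instead of calling the allocator, so the result can be inspected. */
static void ccid_hc_tx_delete(struct ccid *ccid, void *sk)
{
    if (ccid == NULL) return;
    if (--ccid->refcnt > 0) return;   /* another owner still holds it */
    if (ccid->ccid_ops->ccid_hc_tx_exit != NULL)
        ccid->ccid_ops->ccid_hc_tx_exit(sk);
    ccid->released++;                 /* stands in for kmem_cache_free() */
}

/* Buggy clone copies the raw pointer only, as the report describes;
 * the hardened clone (take_ref) also takes a reference for the child. */
static void clone_sock(struct dccp_sock *child, const struct dccp_sock *parent,
                       int take_ref)
{
    child->dccps_hc_tx_ccid = parent->dccps_hc_tx_ccid;
    if (take_ref)
        child->dccps_hc_tx_ccid->refcnt++;
}

/* Close parent, then child; return how often the shared object was freed. */
int teardown_both(int take_ref)
{
    struct ccid *c = calloc(1, sizeof *c);
    struct dccp_sock parent = { c }, child = { NULL };
    int n;
    if (c == NULL) return -1;
    c->ccid_ops = &ops;
    c->refcnt = 1;
    clone_sock(&child, &parent, take_ref);
    ccid_hc_tx_delete(parent.dccps_hc_tx_ccid, &parent);
    parent.dccps_hc_tx_ccid = NULL;   /* parent is gone, child still points at c */
    ccid_hc_tx_delete(child.dccps_hc_tx_ccid, &child);
    n = c->released;                  /* 2 without the reference, 1 with it */
    free(c);
    return n;
}
```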
CVE References
Changed in linux (Ubuntu):
assignee: Hadar Manor (hadarm) → Thadeu Lima de Souza Cascardo (cascardo)
Changed in linux (Ubuntu):
assignee: Thadeu Lima de Souza Cascardo (cascardo) → Hadar Manor (hadarm)
information type: Private Security → Public Security
Hey, is there anything new?