Double free in DCCP module causing kernel panic

Bug #1883840 reported by Hadar Manor
262
This bug affects 1 person
Affects Status Importance Assigned to Milestone
linux (Ubuntu)
Fix Released
Undecided
Hadar Manor

Bug Description

The problem is when the sock object gets cloned via dccp_create_openreq_child(),
it gives all its attributes to the child sock object, and no reference counter
is taken for the object dccps_hc_tx_ccid.
If one of the sock objects (the parent or the cahild) is closes or disconnected,
it frees the target objects dccps_hc_tx_ccid and provides us a dagling pointer in the other sock object.
This causes an exploitable double free for an object contains function pointers.

We can free dccps_hc_tx_ccid by calling connect(AF_UNSPEC),then spray the heap with other allocations,
then call close() we'll potentially have a RIP control.

This chunk of code is the responsible of freeing dccps_hc_tx_ccid, if called again it will call
ccid_hc_tx_exit() from a freed object

void ccid_hc_tx_delete(struct ccid *ccid, struct sock *sk)
{
 if (ccid != NULL) {
  if (ccid->ccid_ops->ccid_hc_tx_exit != NULL)
   ccid->ccid_ops->ccid_hc_tx_exit(sk); // <-- Calling a function pointer
  kmem_cache_free(ccid->ccid_ops->ccid_hc_tx_slab, ccid);
 }
}

disassembly :

(gdb) disas ccid_hc_tx_delete
Dump of assembler code for function ccid_hc_tx_delete:
   0xffffffff81a7a3a0 <+0>: test rdi,rdi
   0xffffffff81a7a3a3 <+3>: je 0xffffffff81a7a3cd <ccid_hc_tx_delete+45>
   0xffffffff81a7a3a5 <+5>: push rbx
   0xffffffff81a7a3a6 <+6>: mov rbx,rdi
   0xffffffff81a7a3a9 <+9>: mov rdi,rsi
   0xffffffff81a7a3ac <+12>: mov rax,QWORD PTR [rbx]

   0xffffffff81a7a3af <+15>: mov rdx,QWORD PTR [rax+0x80] <— rax points to a freed object

   0xffffffff81a7a3b6 <+22>: test rdx,rdx
   0xffffffff81a7a3b9 <+25>: je 0xffffffff81a7a3c0 <ccid_hc_tx_delete+32>

   0xffffffff81a7a3bb <+27>: call rdx // <-- arbitrary call

   0xffffffff81a7a3bd <+29>: mov rax,QWORD PTR [rbx]
   0xffffffff81a7a3c0 <+32>: mov rsi,rbx
   0xffffffff81a7a3c3 <+35>: mov rdi,QWORD PTR [rax+0x18]
   0xffffffff81a7a3c7 <+39>: pop rbx
   0xffffffff81a7a3c8 <+40>: jmp 0xffffffff811fb980 <kmem_cache_free>
   0xffffffff81a7a3cd <+45>: repz ret
End of assembler dump.

CVE References

Revision history for this message
Hadar Manor (hadarm) wrote :
Changed in linux (Ubuntu):
assignee: nobody → Hadar Manor (hadarm)
summary: - Double free in DCCP module causing kernel panic
+ Double free in DCCP module causing kernel panic
Changed in linux (Ubuntu):
assignee: Hadar Manor (hadarm) → Thadeu Lima de Souza Cascardo (cascardo)
Hadar Manor (hadarm)
Changed in linux (Ubuntu):
assignee: Thadeu Lima de Souza Cascardo (cascardo) → Hadar Manor (hadarm)
Revision history for this message
Hadar Manor (hadarm) wrote :

Hey, is there anything new?

description: updated
Revision history for this message
Thadeu Lima de Souza Cascardo (cascardo) wrote :

Hi, Hadar.

Does the following patch fix the issue from your side?

Thanks.
Cascardo.

Revision history for this message
Hadar Manor (hadarm) wrote :

Hey thank you for fixing!
How can I get CVE on this one?

Thank you Cascardo :)

Revision history for this message
Seth Arnold (seth-arnold) wrote :

Hello, please use CVE-2020-16119 for this issue. Thanks.

Revision history for this message
Hadar Manor (hadarm) wrote :

Hey,
I know the CVE number is reserved for now, there is already a patch - when the cve will be active?
Thank you.

Revision history for this message
Seth Arnold (seth-arnold) wrote : Re: [Bug 1883840] Re: Double free in DCCP module causing kernel panic

On Wed, Sep 02, 2020 at 01:04:03AM -0000, Hadar Manor wrote:
> I know the CVE number is reserved for now, there is already a patch -
> when the cve will be active?

I can't give a strict timeline for that right now; it depends in part on
upstreak kernel community and in part upon our other work priorities. It's
probably 'weeks' but might happen sooner.

Thanks

Revision history for this message
Hadar Manor (hadarm) wrote :

Hey Seth,
thank you for the details
can you inform me when the CVE will be activated and also write my name on it?
Thank you very much!

Revision history for this message
Thadeu Lima de Souza Cascardo (cascardo) wrote :

Hi, Hadar.

Can you let me know if the attribution on this patch is fine for you? We are still not close to disclosure, but I would like to have this patch ready as soon as possible.

Thank you very much.
Cascardo.

Revision history for this message
Hadar Manor (hadarm) wrote :

Hey Cascardo,
The patch is fine for me,
Thank you very much!

Revision history for this message
Hadar Manor (hadarm) wrote :

Hey,
is there anything new on the disclosure?
Thank you.

Revision history for this message
Thadeu Lima de Souza Cascardo (cascardo) wrote :

Hi, Hadar. There are plans to get this public by October 13th.

Thanks.
Cascardo.

Revision history for this message
Steve Beattie (sbeattie) wrote :

Hi Hadar,

Specifically, we are proposing 17:00 UTC October 13th, 2020 as a disclosure date; however, we please ask that you delay publishing a PoC exploit for a few days to give people time to apply updates. We will make this bug report public one week after the embargo date, so October 20th, 2020.

Thanks again for the excellent report and your patience!

Revision history for this message
Hadar Manor (hadarm) wrote :

Hey,
Could you please can send me a link for the disclosure when it's out?
Thank you!

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :
Changed in linux (Ubuntu):
status: New → Fix Released
information type: Private Security → Public Security
Revision history for this message
Hadar Manor (hadarm) wrote :

Hey guys,
I know its been a while but you made a small mistake in :
https://ubuntu.com/security/CVE-2020-16119
and all other security notices that you mention me,
you wrote my name wrong my name is Hadar Manor and not 'Hador'.
I don't know if its a lot to ask but it would be nice if you will fix my name in the advisories to 'Hadar Manor'.
Thank you, and have a nice week :)

Revision history for this message
Seth Arnold (seth-arnold) wrote :
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.

Other bug subscribers

Bug attachments