CodeQL is a query language for analyzing source code: the code base is compiled into a database and queries are written against it. On a large code base such as the Linux kernel it can be used to learn how the code is structured or to hunt for a very specific class of vulnerability.
The author looked for every call to kmalloc, the kernel's dynamic memory allocation function, whose size argument was a 16-bit value. The rationale is that a 16-bit size is far more likely to be lifted straight from an attacker-controlled header, and it is easier to mismatch such a value against a wider length used for the subsequent copy than a 32- or 64-bit size.
The initial query returned 60 results. On closer inspection a single path stood out: a function parsing user-controlled data performed its write without validating the size of the message whatsoever. This smells like a buffer overflow, but triggering a bug is never that simple.
Transparent Inter-Process Communication (TIPC) is a protocol that allows nodes in a cluster to communicate with each other. It is implemented in a kernel module shipped by all major Linux distributions and can run on top of Ethernet or UDP.
The vulnerable code path handles messages of type MSG_CRYPTO. The header size and the message size are both validated against the packet size, but the keylen field carried in the message body is never compared against the message size.
In practice an attacker can send a message whose header advertises a small body size, which determines how much heap memory is allocated, while placing an arbitrarily large value in the keylen field; the key is then copied using keylen, writing past the end of the allocation. The bug can be triggered locally or remotely.
The write is also interesting because it happens before the validation: once the copy is done the size check fails and the function returns, but the out-of-bounds write has already taken place. To exploit this, the heap overflow would have to be used to corrupt neighbouring heap objects. If you want to continue down the current line of thought, only a 10-byte overflow is usable.
The patch moves the size validation ahead of the write. It also adds an integer overflow check on the computed key size and a minimum packet size check.
CodeQL does not find bugs on its own, but it drastically speeds up their discovery. This was a great case of picking a bug class, writing a query for it and finding a real instance. Good find!
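The allocate-then-copy-then-check ordering described above, as an added example that is not part of the original post or of the TIPC code: a userspace C model of a key message parse in the vulnerable ordering beside the fixed ordering the patch introduces. The struct layout, the field names, the 32-byte algorithm name width, KEYLEN_MIN, KEYLEN_MAX and the canary-filled arena are all assumptions made for this example. The vulnerable variant writes into a private arena instead of the real heap so the overflow length can be measured safely; the fixed variant performs every check before the first copy.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed message body layout: alg_name[32] | be32 keylen | key[keylen].
 * `size` is the 16-bit body length taken from the message header. */
#define ALG_NAME_LEN 32
#define KEYLEN_MIN   16     /* assumed lower bound on a key (fixed variant only) */
#define KEYLEN_MAX   128    /* assumed upper bound on a key (fixed variant only) */
#define ARENA_SIZE   4096   /* private heap stand-in for the vulnerable variant */
#define CANARY       0xAAu

struct aead_key {
    char     alg_name[ALG_NAME_LEN];
    uint32_t keylen;
    char     key[];          /* sizeof(struct aead_key) == 36 */
};

static uint32_t rd_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Construct a key message body carrying keylen bytes of 'A'.
 * Returns the body length, or 0 if it does not fit in buf. */
static size_t build_key_msg(uint8_t *buf, size_t cap, uint32_t keylen)
{
    size_t len = ALG_NAME_LEN + 4 + keylen;
    if (len > cap)
        return 0;
    memset(buf, 0, ALG_NAME_LEN);
    memcpy(buf, "gcm(aes)", 8);
    buf[ALG_NAME_LEN + 0] = (uint8_t)(keylen >> 24);
    buf[ALG_NAME_LEN + 1] = (uint8_t)(keylen >> 16);
    buf[ALG_NAME_LEN + 2] = (uint8_t)(keylen >> 8);
    buf[ALG_NAME_LEN + 3] = (uint8_t)keylen;
    memset(buf + ALG_NAME_LEN + 4, 'A', keylen);
    return len;
}

/* Vulnerable ordering: allocate `size` bytes, copy `keylen` bytes, check afterwards.
 * The object sits at the start of a canary-filled arena; the return value is the
 * number of bytes written past the `size`-byte allocation (0 means no overflow).
 * *rejected reports the outcome of the sanity check that runs after the copy. */
static long key_rcv_vulnerable(uint16_t size, const uint8_t *data, int *rejected)
{
    uint8_t *arena = malloc(ARENA_SIZE);
    if (!arena)
        return -2;
    memset(arena, CANARY, ARENA_SIZE);
    struct aead_key *skey = (struct aead_key *)arena;   /* stands in for kmalloc(size) */

    skey->keylen = rd_be32(data + ALG_NAME_LEN);        /* attacker-controlled 32-bit field */
    if (sizeof(*skey) + (size_t)skey->keylen > ARENA_SIZE) {   /* demo-only guard, absent in the real code */
        free(arena);
        return -3;
    }
    memcpy(skey->alg_name, data, ALG_NAME_LEN);
    memcpy(skey->key, data + ALG_NAME_LEN + 4, skey->keylen);  /* the overflowing write */

    long overflow = 0;
    for (size_t i = size; i < ARENA_SIZE; i++)
        if (arena[i] != CANARY)
            overflow = (long)(i + 1 - size);

    /* The sanity check lives here, after the copy, so a mismatch is only noticed
     * once the out-of-bounds write has already happened. */
    *rejected = ((size_t)size != sizeof(*skey) + skey->keylen);
    free(arena);
    return overflow;
}

/* Fixed ordering: minimum size, keylen bounds (which also keep the size sum from
 * wrapping) and the exact-size check all run before any copy.
 * Returns 0 on accept, -1 on reject, -2 on allocation failure. */
static long key_rcv_fixed(uint16_t size, const uint8_t *data)
{
    if (size < sizeof(struct aead_key) + KEYLEN_MIN)      /* body too small for header + key */
        return -1;
    uint32_t keylen = rd_be32(data + ALG_NAME_LEN);
    if (keylen < KEYLEN_MIN || keylen > KEYLEN_MAX)        /* bounded, so 36 + keylen cannot overflow */
        return -1;
    if ((size_t)size != sizeof(struct aead_key) + keylen) /* keylen must account for the whole body */
        return -1;
    struct aead_key *skey = malloc(size);
    if (!skey)
        return -2;
    memcpy(skey->alg_name, data, ALG_NAME_LEN);
    skey->keylen = keylen;
    memcpy(skey->key, data + ALG_NAME_LEN + 4, keylen);   /* fits: size == 36 + keylen */
    free(skey);
    return 0;
}

int main(void)
{
    uint8_t pkt[512];
    int rej;
    build_key_msg(pkt, sizeof pkt, 16);                   /* honest: header 52, key 16 */
    long ovf = key_rcv_vulnerable(52, pkt, &rej);
    printf("honest:   overflow=%ld rejected=%d fixed=%ld\n", ovf, rej, key_rcv_fixed(52, pkt));
    build_key_msg(pkt, sizeof pkt, 200);                  /* attack: header 52, keylen 200 */
    ovf = key_rcv_vulnerable(52, pkt, &rej);
    printf("attack:   overflow=%ld rejected=%d fixed=%ld\n", ovf, rej, key_rcv_fixed(52, pkt));
    return 0;
}
```

Running the model shows the shape of the bug: the honest message overflows by 0 bytes and is accepted by both variants, while the attack message overflows by 184 bytes in the vulnerable variant and is only rejected after the fact, whereas the fixed variant rejects it before touching the heap.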