Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Heap buffer overflow in fs_context.c since version 5.1 - 767

WillsRoot - OssSec | Posted 4 Years Ago
  • Within the legacy_parse_param function of the Linux kernel, there is an integer underflow in the arithmetic of a bounds check. The check can be found here.
  • The bounds check is attempting to validate that the length is not larger than PAGE_SIZE - 2 - size, where size is a user-controlled value. Because the operands are unsigned, size can be larger than PAGE_SIZE in this if statement, which makes the subtraction underflow (wrap around to a huge value).
  • The underflow defeats the bounds check on the buffer being written to. As a result, an attacker can freely write data out of bounds, linearly, past the end of this buffer. The authors also wrote an LPE exploiting this. They noted that although the CAP_SYS_ADMIN capability is required to trigger this bug, that permission can be granted in a namespace, which still allows the vulnerable function to be called.
  • The fix simply flips the math around so that the check contains no subtraction; with only additions, the verification cannot underflow. Any time there is unusual arithmetic in a bounds check or length calculation, always check for overflows and underflows.
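The two shapes of the check side by side, as an added example (not the kernel's code or the post's): a model of a page-sized buffer, the subtraction-based check that wraps, the addition-based check the fix uses, and a helper that reports when a check accepts a write that would actually run past the page. PAGE_SIZE = 4096 and the "+ 2" (one separator byte plus one terminator) are assumptions for the demo.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#ifndef PAGE_SIZE
#define PAGE_SIZE 4096u   /* assumed page size for the demo (x86-64 default) */
#endif

/* Flawed check, in the shape the summary describes. Every operand is
 * unsigned, so once size > PAGE_SIZE - 2 the right-hand side wraps to a
 * huge value and no len is ever rejected. */
static bool check_flawed(size_t size, size_t len)
{
    return len <= PAGE_SIZE - 2 - size;
}

/* Corrected check: only additions, so no intermediate result can wrap as
 * long as size and len are each far below SIZE_MAX, which holds for values
 * that arrive through a length-limited syscall argument. */
static bool check_fixed(size_t size, size_t len)
{
    return size + len + 2 <= PAGE_SIZE;
}

/* True when `check` accepts a write of len bytes (plus separator and
 * terminator) at offset size that would in fact leave the page. This is the
 * property a reviewer or fuzzer wants to assert never holds. */
static bool check_lets_oob_through(bool (*check)(size_t, size_t),
                                   size_t size, size_t len)
{
    bool accepted = check(size, len);
    bool fits     = size + len + 2 <= PAGE_SIZE;   /* ground truth */
    return accepted && !fits;
}

int main(void)
{
    /* Constructed state: the buffer is already filled to PAGE_SIZE - 1,
     * i.e. size exceeds PAGE_SIZE - 2, so the subtraction wraps. */
    size_t size = PAGE_SIZE - 1, len = 100;
    printf("flawed check accepts: %d  -> out of bounds: %d\n",
           check_flawed(size, len),
           check_lets_oob_through(check_flawed, size, len));
    printf("fixed  check accepts: %d  -> out of bounds: %d\n",
           check_fixed(size, len),
           check_lets_oob_through(check_fixed, size, len));
    return 0;
}
```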