-
-
Notifications
You must be signed in to change notification settings - Fork 497
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Arbitrary memory write in sock_udp_recv #310
Comments
Notably, the function that should have been doing this is here: Line 283 in 28190ad
Use of ICMP sockets should have the same issue as well, but without much useful control. |
Fixes issue klange#310
PR #311 fixes the previous bug. Race condition bug in In To fix this issue, the user |
Thanks for the PR, I'll take a look at it after my New Year's obligations have concluded in a few days.
Normally, such a copy process would involve dedicated from-user and to-user functions that also ensure that the relevant memory isn't being unmapped on another core while the kernel accesses it. Unfortunately, the infrastructure for this was never implemented in Misaka. If there is a desire to tackle the many TOCTOU vulnerabilities introduced with SMP support, the groundwork needs to be laid first. I don't believe this would be a particularly large project - these are already well-studied and solved problems in real-world operating systems, and anyone familiar with the mechanisms employed by Linux and the BSDs could probably build something similar for Misaka. |
The
msg->msg_name
pointer is not validated insock_udp_recv
function. An attacker can provide arbitrary kernel address (no KASLR) tomsg->msg_name
and the value ofudp_packet->source_port
will be written to the specified memory, value ofsource_port
is user controllable by binding a UDP socket to a specific port number from 0 to 0xffff.With this 2 byte arbitrary write an attacker can carefully overwrite kernel memory (kernel code or a structure) to achieve local privilege escalation.
POC to overwrite kernel code:
The text was updated successfully, but these errors were encountered: