Bug 2218944 (CVE-2023-3773) - CVE-2023-3773 kernel: xfrm: out-of-bounds read of XFRMA_MTIMER_THRESH nlattr
Status: NEW
Alias: CVE-2023-3773
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Nobody
Depends On: 2218949 2218950 2224005 2224006 2225630
Blocks: 2219629
Reported: 2023-06-30 16:47 UTC by Guilherme de Almeida Suckevicz
Modified: 2023-11-09 07:11 UTC

Doc Text:
A flaw was found in the Linux kernel’s IP framework for transforming packets (XFRM subsystem). This issue may allow a malicious user with CAP_NET_ADMIN privileges to cause a 4-byte out-of-bounds read of XFRMA_MTIMER_THRESH when parsing netlink attributes, leading to potential leakage of sensitive heap data to userspace.

Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2023:6835 0 None None None 2023-11-09 07:11:04 UTC
Red Hat Product Errata RHSA-2023:6583 0 None None None 2023-11-07 08:20:40 UTC

Description Guilherme de Almeida Suckevicz 2023-06-30 16:47:57 UTC
========== 2. OOB read of XFRMA_MTIMER_THRESH nlattr ==========

[require privilege]: CAP_NET_ADMIN

[effects]: information leak

[crash stack]:
Interestingly enough, this OOB read will not be detected by KASan (perhaps why this bug is not detected by the fuzzer); see the details below.

[buggy commit]:
4e484b3e969b ("xfrm: rate limit SA mapping change message to user space")

[root cause]:
The commit mentioned above added one additional attribute named XFRMA_MTIMER_THRESH and described its type at compat_policy (net/xfrm/xfrm_compat.c). However, the author forgot to also describe it at xfrma_policy (net/xfrm/xfrm_user.c). Hence, this supposedly NLA_U32 (4 bytes) value can be faked as empty (0 bytes) by a malicious user, which leads to a 4-byte overflow read when parsing nlattrs.

The overall buffer skb is created at netlink_sendmsg(...). According to the code, it will add another 0x140 skb_shared_info data behind the skb data, so this OOB will not be detected by KASan.

To exploit this (see PoC part), a malicious user can spray the SLUB objects and then leverage this 4-byte OOB read to leak the heap data into x->mapping_maxage (see xfrm_update_ae_params(...)), and leak it to userspace via copy_to_user_state_extra(...).

[PoC code]:
See attachment poc2.c. I have tested it in the latest Linux with QEMU (no effects in Ubuntu thanks to CONFIG_INIT_ON_ALLOC_DEFAULT_ON).


[suggest fix]:
Just add the type description like below

@@ -3035,6 +3035,7 @@ const struct nla_policy xfrma_policy[XFRMA_MAX+1] = {
        [XFRMA_SET_MARK]        = { .type = NLA_U32 },
        [XFRMA_SET_MARK_MASK]   = { .type = NLA_U32 },
        [XFRMA_IF_ID]           = { .type = NLA_U32 },
+       [XFRMA_MTIMER_THRESH]   = { .type = NLA_U32 },
 };
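
Review bot: the added [XFRMA_MTIMER_THRESH] line fixes this one attribute, but nothing in xfrma_policy guards against the same omission the next time an attribute is described in compat_policy (net/xfrm/xfrm_compat.c) and not here. Consider a comment above the array saying that every new XFRMA_* attribute needs an entry in both tables, or a build-time check that the two stay in step. The commit message for this change should also carry a Fixes: tag for 4e484b3e969b so that stable trees which took that commit pick up the entry.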

Comment 8 Mauro Matteo Cascella 2023-07-25 15:24:47 UTC
Upstream patch:
https://lore.kernel.org/all/20230723074110.3705047-1-linma@zju.edu.cn/T/#u
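
The root cause from the description, as an added userspace model (not the reporter's poc2.c and not kernel code): an attribute type with no policy entry passes validation with a 0-byte payload, and the same attribute is rejected once the NLA_U32 entry exists. The enum values, struct layouts and the overread_bytes() helper are simplified assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Userspace model of netlink attribute policy checking; not kernel code. */
enum { NLA_UNSPEC, NLA_U32 };                       /* type 0 = no policy entry */
enum { XFRMA_IF_ID = 1, XFRMA_MTIMER_THRESH, XFRMA_MAX = XFRMA_MTIMER_THRESH }; /* constructed values */
#define NLA_HDRLEN 4

struct nlattr { uint16_t nla_len, nla_type; };      /* header; payload follows */
struct nla_policy { uint8_t type; };

/* Table as described in the report: no entry for XFRMA_MTIMER_THRESH. */
static const struct nla_policy policy_before[XFRMA_MAX + 1] = {
    [XFRMA_IF_ID] = { .type = NLA_U32 },
};
/* Table with the suggested entry added. */
static const struct nla_policy policy_after[XFRMA_MAX + 1] = {
    [XFRMA_IF_ID]         = { .type = NLA_U32 },
    [XFRMA_MTIMER_THRESH] = { .type = NLA_U32 },
};

/* Returns 0 if the attribute passes the policy, -1 if it is rejected. */
static int validate(const struct nlattr *a, const struct nla_policy *p)
{
    if (a->nla_len < NLA_HDRLEN || a->nla_type > XFRMA_MAX)
        return -1;                                  /* model: malformed or unknown */
    unsigned payload = a->nla_len - NLA_HDRLEN;
    if (p[a->nla_type].type == NLA_U32 && payload < sizeof(uint32_t))
        return -1;                                  /* too short for a u32 */
    return 0;                                       /* NLA_UNSPEC: any length, even 0 */
}

/* Bytes a later unconditional 4-byte read would take from past the attribute;
 * -1 if validation rejects it first. */
static int overread_bytes(const struct nlattr *a, const struct nla_policy *p)
{
    if (validate(a, p) != 0)
        return -1;
    unsigned payload = a->nla_len - NLA_HDRLEN;
    return payload >= sizeof(uint32_t) ? 0 : (int)(sizeof(uint32_t) - payload);
}

int main(void)
{
    struct nlattr empty = { NLA_HDRLEN, XFRMA_MTIMER_THRESH };  /* constructed: 0-byte payload */
    printf("before fix: %d\n", overread_bytes(&empty, policy_before));
    printf("after fix:  %d\n", overread_bytes(&empty, policy_after));
    return 0;
}
```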

Comment 9 Mauro Matteo Cascella 2023-07-25 15:25:57 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2225630]

Comment 10 Justin M. Forbes 2023-09-25 16:40:02 UTC
This was fixed for Fedora with the 6.4.12 stable kernel updates.

Comment 11 errata-xmlrpc 2023-11-07 08:20:37 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:6583 https://access.redhat.com/errata/RHSA-2023:6583

