Linux Broadcom 5820 Cryptonet Driver Integer Overflow
-----------------------------------------------------

Overview:

    There exists an integer overflow in the cryptonet driver.  A user supplied
value is used to size a dynamic buffer, and this buffer is subsequently filled
with user supplied data.  

Impact:
    
    Local DOS, and possible code execution depending on the location of the
    buffer in slab.  The Cryptonet driver is not distributed by default in all
    distributions.  I found it in the RedHat 8 2.4.20 sources, but not in
    Slackware 9.  If it is installed, you can find it in 
    /usr/src/linux/drivers/crypto/bcm/
      

Details:

    The ubsec_ioctl() function is used to setup various operating parameters
    for the device driver.  One of the commands is used to setup the key being
    used for encryption.  This occurs in the following code:

/drivers/crypto/bcm/dispatch.c, 196:

case UBSEC_KEY_SETUP_FUNC:
    status = ubsec_keysetup(DeviceInfoList[SelectedDevice].Context, (void *)arg);
    break;

which calls this function found in /drivers/crypto/bcm/pkey.c, 91:

int ubsec_keysetup(ubsec_DeviceContext_t pContext, ubsec_key_io_t *pKeyIOInfo)
{
    ...snip....

1]
  copy_from_user( &KeyIOInfoForDSA,pKeyIOInfo, sizeof(KeyIOInfoForDSA));

  if((KeyIOInfoForDSA.command == UBSEC_DSA_SIGN) || (KeyIOInfoForDSA.command == UBSEC_DSA_VERIFY)) {
    message_alignment = DSA_MESSAGE_ALIGNMENT;
2]
    add_dsa_buf_bytes = KeyIOInfoForDSA.key.DSAParams.InputFragments->FragmentLength + DSA_MESSAGE_ALIGNMENT;
  }
   
   .......

3]
  pkey_buf = (unsigned char *) kmalloc((4096+add_dsa_buf_bytes),GFP_KERNEL|GFP_ATOMIC);
  pCommandContext = (CommandContext_pt)pkey_buf;
  kcmd = (ubsec_KeyCommandInfo_pt) &pCommandContext[1];
  KeyIOInfo = (ubsec_key_io_pt)&kcmd[1];
  KeyLoc = ((unsigned char *)&KeyIOInfo[1]) + message_alignment;
  
4]
  copy_from_user( KeyIOInfo, pKeyIOInfo, sizeof(*KeyIOInfo));

   ...snip...
}

    The last argument passed to ubsec_keysetup() is the device specific user
    supplied argument to ioctl().  It is copied into the KeyIOInfoForDSA
    variable at 1], and then used to size the buffer at 2].  Now one of the
    things that doesn't make sense to me, is that at 2] when accessing the
    just copied in user structure, they are accessing a pointer embedded in
    the structure.  This pointer would point somewhere into userland, and from
    what I have learned so far about kernel programming, that would NOT be a
    valid pointer to just dereference?  I don't have this hardware, so I
    couldn't test this myself, but I was under the impression that code would
    fault, or perhaps access some random area of memory?  However, proceeding
    on regardless, that signed integer value is then added to 4096 at 3] when
    used to allocate the buffer.  Part of this buffer is then used at 4] when
    the same user structure from 1] is copied into an address further into the
    allocated buffer.  If a properly calculated negative value is used for the
    add_dsa_buf_bytes variable, an integer overflow will occur when allocating
    the buffer at 3].  The smallest sized buffer that can be allocated via
    kmalloc() is 32 on some platforms, and 64 on others.  Regardless of this,
    it is still possible to overflow the buffer at 4] because of the size of
    the structure being copied combined with the fact that we start copying
    from buffer base + 24(or greater on certain platforms) bytes into the
    allocated buffer.  Depending on the location of the allocated buffer in
    the cache slab, it may be possible to overwrite slab control structures
    and execute arbitrary code.  However, it is likely that we will be
    overwriting a piece of memory that belongs to someone else, and this may
    lead to system instability when that memory is accessed by whomever it
    belongs to.

Vendor Status:
   The vendor was not contacted.

Thanks:
   This bug and several others were found with the advanced, open source 
   auditing tool grep.

-- 
-sean