Linux Kernel Bug Lived for 8 Years

Wednesday, May 2, 2018 @ 01:05 PM gHale

There is an eight-year-old vulnerability in a driver that can be used for escalating privileges in the latest Linux Kernel version, researchers said.

The hole can offer a local user the potential to read from and write to kernel memory.

RELATED STORIES
Attack Group Targets Healthcare, Manufacturing
How to Start a Security Program
Pipeline Firms Hit; Gas Still Flowing
Cyber is ‘Core’ to Digital Future

The vulnerability, CVE 2018-8781, could end up leveraged escalate local privileges, said researchers at Check Point.

The bug is in the internal mmap() function defined in the fb_helper file operations of the “udl” driver of “DisplayLink” and researchers found it using a search.

Because drivers commonly implement their own version of file operation functions, they are prone to implementation errors, and the discovery of this vulnerability is proof of that.

In fact, there are various common vulnerabilities impacting drivers where the mmap() handler is used, such as lack of input validations and Integer-Overflows.

A classic driver should probably look like this:
1. The driver will hold an internal buffer that represents the shared memory region with the peripheral device.
2. The driver should only let the user access memory ranges that fall inside this buffer.

The prototype of the mmap() function includes numerous fields an attacker can control and developers should perform a series of checks and to avoid possible Integer-Overflows to eliminate issues.

A developer should perform the following checks, while trying to avoid possible Integer-Overflows, in order to avoid the pitfalls:
1. Region start: 0 <= offset < buffer’s end 2. Region end: buffer’s start <= offset + length <= buffer’s end 3. Region start <= Region End The researchers discovered the security flaw while taking a closer look at remap_pfn_range(), a function of high importance, because it maps physical memory pages to the user. The bug is a classic example for an Integer-Overflow: there’s an unsigned offset, thus the first check is skipped, and the calculation “offset + size,” however, can bypass the second check while still using an illegal “offset” value. As there are only 48 bits of accessible memory on 64-bit machines, the use of a huge “offset” to bypass the check requires making sure that “info->fix.smem_start + offset” will wrap-around to a valid mappable physical address, Check Point researchers said.

“While the vulnerability was found using a simple search, it was introduced to the kernel eight years ago. This fact can teach us that even on a popular open source project as the Linux Kernel, you could always hope to find vulnerabilities if you know where to search,” Check Point researchers said.



Leave a Reply

You must be logged in to post a comment.