Impact
What kind of vulnerability is it? Who is impacted?
Falco communicates with its kernel module through character devices (e.g. /dev/falco0) via IOCTLs. It was discovered that an IOCTL call carrying bogus data leads to a kernel panic due to memory corruption. Since Falco is a privileged application that interacts with those devices, this issue might allow for the escalation of privileges.
The issue was present in the Falco kernel module up to commit ID ec6b906fc5aae372b0d05107cd5dbe62f0b1eb42.
Only users running Falco versions before 0.18.0 with the kernel module are impacted.
Patches
Has the problem been patched? What versions should users upgrade to?
The problem has been addressed by commit 5e47022 on Oct 8, 2019.
Users should upgrade to Falco 0.18.0 (which ships with a kernel module containing this patch) or later.
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
No workaround is available; upgrading to Falco 0.18.0 or later is needed.
References
Are there any links users can visit to find out more?
The affected source code can be found in libs/driver/main.c at commit ee6b0c5 (line 652, lines 659 to 660, and lines 699 to 700):

```c
/* line 652 */
if (copy_from_user(&pli, (void *)arg, sizeof(pli))) {
/* ... */
/* lines 659 to 660 */
memsize = sizeof(struct ppm_proclist_info) + sizeof(struct ppm_proc_info) * pli.max_entries;
proclist_info = vmalloc(memsize);
/* ... */
/* lines 699 to 700 */
proclist_info->entries[nentries].utime = nsec_to_clock_t(utime);
proclist_info->entries[nentries].stime = nsec_to_clock_t(stime);
```
In the unpatched code, pli.max_entries is copied straight from user space and feeds the size computation for the buffer that the entries are later written into, so a bogus value can leave that buffer smaller than the writes that follow. The fix made by commit 5e47022 sanitizes the user input passed via pli.max_entries and makes sure all entries can fit into the allocated buffer.
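The pattern in those lines, and the kind of check the fix introduces, as an added example that is not the Falco driver's own code: a user-space model of the size computation and the fill loop, with copy_from_user() replaced by an already-copied header argument and vmalloc() by calloc(), so it compiles with any C compiler. The struct layout, the PROCLIST_MAX_ENTRIES cap and every function name are assumptions made for the illustration. The unchecked version shows how a large max_entries wraps memsize down to a header-sized allocation; the checked version rejects the request before anything is allocated.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Layout assumed for this example; the real definitions live in the driver
 * headers and are not reproduced here. */
struct ppm_proc_info {
    uint64_t pid;
    uint64_t utime;
    uint64_t stime;
};

struct ppm_proclist_info {
    uint64_t n_entries;     /* set by the "kernel": how many processes exist */
    uint64_t max_entries;   /* set by user space: how many slots it allocated */
    struct ppm_proc_info entries[];
};

/* Hypothetical upper bound on what a caller may request. The exact value is
 * an assumption; what matters is that a cap plus overflow-checked arithmetic
 * makes memsize trustworthy before it reaches the allocator. */
#define PROCLIST_MAX_ENTRIES ((uint64_t)1 << 20)

/* Unchecked shape, the pattern the advisory describes: the byte count is
 * derived from the user-controlled field with no validation, so a huge
 * max_entries either wraps size_t (tiny allocation that later writes run
 * past) or asks the allocator for an impossible amount. */
static size_t proclist_memsize_unchecked(uint64_t max_entries)
{
    return sizeof(struct ppm_proclist_info) +
           sizeof(struct ppm_proc_info) * (size_t)max_entries;
}

/* Hardened shape: cap the count, then compute the size with overflow-checked
 * arithmetic (__builtin_mul_overflow/__builtin_add_overflow here; the kernel
 * offers check_mul_overflow/check_add_overflow for the same job).
 * Returns 0 and stores the size, or -1 if the request must be rejected. */
static int proclist_memsize_checked(uint64_t max_entries, size_t *memsize)
{
    size_t entries_bytes;

    if (max_entries > PROCLIST_MAX_ENTRIES)
        return -1;                              /* -EINVAL in the kernel */
    if (__builtin_mul_overflow((size_t)max_entries,
                               sizeof(struct ppm_proc_info), &entries_bytes))
        return -1;
    if (__builtin_add_overflow(entries_bytes,
                               sizeof(struct ppm_proclist_info), memsize))
        return -1;
    return 0;
}

/* Models the fill loop: copy at most max_entries records into the buffer,
 * but count every process so user space learns how large a buffer it needs
 * on retry. Returns the number of entries actually written. */
static uint64_t proclist_fill(struct ppm_proclist_info *info,
                              const struct ppm_proc_info *procs, uint64_t nprocs)
{
    uint64_t seen = 0, written = 0;

    for (; seen < nprocs; seen++) {
        if (written < info->max_entries)        /* stay inside the allocation */
            info->entries[written++] = procs[seen];
    }
    info->n_entries = seen;
    return written;
}

/* Simulated ioctl handler. user_hdr stands in for the struct that
 * copy_from_user() would have fetched from arg; calloc stands in for vmalloc.
 * Returns 0 on success (with *written set) or -1 when the request is rejected. */
static int proclist_ioctl(const struct ppm_proclist_info *user_hdr,
                          const struct ppm_proc_info *procs, uint64_t nprocs,
                          uint64_t *written)
{
    size_t memsize;
    struct ppm_proclist_info *info;

    if (proclist_memsize_checked(user_hdr->max_entries, &memsize) != 0)
        return -1;
    info = calloc(1, memsize);
    if (info == NULL)                           /* allocator failure is an error, not a deref */
        return -1;
    info->max_entries = user_hdr->max_entries;
    *written = proclist_fill(info, procs, nprocs);
    free(info);
    return 0;
}
```

The retry contract (n_entries reports every process seen even when only max_entries of them were written) is the usual shape for this kind of ioctl and is assumed here. The essential point is that the count used to bound the writes is the same value that was validated and used to size the buffer, so the two can never disagree.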
For more information
If you have any questions or comments about this advisory: