Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

rtl8139 Network Card Driver Out-of-bounds Read #348

Closed
lrapp-x41-pub opened this issue Jan 26, 2022 · 1 comment
Closed

rtl8139 Network Card Driver Out-of-bounds Read #348

lrapp-x41-pub opened this issue Jan 26, 2022 · 1 comment
Assignees
@mkroening

Comments

@lrapp-x41-pub
Copy link

lrapp-x41-pub commented Jan 26, 2022
edited

The rtl8139 network card driver contains an out-of-bounds read vulnerability inside the receive_rx_buffer() function which parses the packet coming from the network card firmware.
The problem is that the length value read from the packet length field is blindly trusted without any further checks.
https://github.com/hermitcore/libhermit-rs/blob/f5408c23771eb37f0be57986db19ca9d0d290cf7/src/drivers/net/rtl8139.rs#L274-L275
A corrupted (the CRC is never checked!) or actively manipulated length value would cause the function to return a slice which contains bytes that do not belong to the packet payload anymore. As the length is not restricted to the ring buffer size this does not only affect the other network packages inside the ring buffer, but also the bytes placed in the memory behind the ring buffer.
https://github.com/hermitcore/libhermit-rs/blob/f5408c23771eb37f0be57986db19ca9d0d290cf7/src/drivers/net/rtl8139.rs#L278-L284
In order to exploit the vulnerability, an attacker would have to control the package’s length field and thus the (emulated) rtl8139 on-chip firmware, which is relatively unlikely (if the attacker controls the host, we are lost anyway). Nevertheless an exploit for this vulnerability could be chained with other potential exploits and should be fixed for an in-depth security approach.
@mkroening mkroening self-assigned this Feb 5, 2022
@mkroening mkroening mentioned this issue Feb 6, 2022
Merged
bors bot added a commit that referenced this issue Feb 7, 2022
@bors @mkroening
Merge #356
4b95648 
356: RTL: RAII buffers r=stlankes a=mkroening

This addresses #348.

I replaced the manual pointer arithmetic with boxed slices which contain bounds checks (no unsafe code accessing the buffers in the driver now). Now reading outside the buffers through manipulated lengths should be impossible. It is still possible to access the other network packages in the buffers. I am not sure about the architecture of the network driver and where to get the corresponding lengths from, which might or might not require a bigger rework.

`@lrapp-x41-pub,` would you consider this enough for closing #348 or would that require to properly avoid accessing all of the buffer?

While working on this I found #355.

Co-authored-by: Martin Kröning <mkroening@posteo.net>
@lrapp-x41-pub
Copy link
Author

Closed by #356

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@mkroening mkroening

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@mkroening @lrapp-x41-pub