Disclosure
| Date | Detail |
|---|---|
| 04/23/2018 | reported to Samsung |
| 08/01/2018 | vulnerabilities confirmed and assigned SVE-2018-11784, rated Low |
| 08/02/2018 | assigned CVE-2018-14852 |
| 12/07/2018 | CVE description published https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-14852 |
Affected Product
Samsung Galaxy S6 (SM-G920F), Firmware Version G920FXXU5EQH7
Vulnerabilities
Multiple potential buffer overflows in drivers/net/wireless/bcmdhd4358/dhd_linux.c:2885, drivers/net/wireless/bcmdhd4358/dhd_linux.c:2946 and drivers/net/wireless/bcmdhd4358/dhd_linux.c:3149
2881
2882 pnext = PKTNEXT(dhdp->osh, pktbuf);
2883 PKTSETNEXT(dhdp->osh, pktbuf, NULL);
2884
2885 ifp = dhd->iflist[ifidx];
2886 if (ifp == NULL) {
2887 DHD_ERROR(("%s: ifp is NULL. drop packet\n",
2888 __FUNCTION__));
2889 PKTCFREE(dhdp->osh, pktbuf, FALSE);
2890 continue;
2891 }
2892
2944 skb = PKTTONATIVE(dhdp->osh, pktbuf);
2945
2946 ifp = dhd->iflist[ifidx];
2947 if (ifp == NULL)
2948 ifp = dhd->iflist[0];
2949
2950 ASSERT(ifp);
2951 skb->dev = ifp->net;
3147
3148 ASSERT(ifidx < DHD_MAX_IFS && dhd->iflist[ifidx]);
3149 ifp = dhd->iflist[ifidx];
3150
3151 if (ifp->net)
3152 ifp->net->last_rx = jiffies;
3153
Analysis
At drivers/net/wireless/bcmdhd4358/dhd_msgbuf.c:2887 (shown below), ifidx is initialized by reading from memory that an attacker in control of the WiFi SoC can modify.
2820 static void BCMFASTPATH
2821 dhd_prot_rxcmplt_process(dhd_pub_t *dhd, void* buf, uint16 msglen)
2822 {
2823 host_rxbuf_cmpl_t *rxcmplt_h;
2824 uint16 data_offset; /* offset at which data starts */
2825 void * pkt;
2826 unsigned long flags;
2827 static uint8 current_phase = 0;
2828 uint ifidx;
2829 uint32 pktid;
2830
2831 /* RXCMPLT HDR */
2832 rxcmplt_h = (host_rxbuf_cmpl_t *)buf;
2833
2834 /* Post another set of rxbufs to the device */
2835 dhd_prot_return_rxbuf(dhd, 1);
2836
2837 pktid = ltoh32(rxcmplt_h->cmn_hdr.request_id);
2838
2839 #if defined(DHD_PKTID_AUDIT_RING)
2840 DHD_PKTID_AUDIT(dhd->prot->pktid_map_handle, pktid,
2841 DHD_DUPLICATE_FREE);
2842 #endif /* DHD_PKTID_AUDIT_RING */
2843
2844 /* offset from which data starts is populated in rxstatus0 */
2845 data_offset = ltoh16(rxcmplt_h->data_offset);
2846
2847 DHD_GENERAL_LOCK(dhd, flags);
2848 pkt = dhd_prot_packet_get(dhd, pktid, BUFF_TYPE_DATA_RX);
...
2884 /* Actual length of the packet */
2885 PKTSETLEN(dhd->osh, pkt, ltoh16(rxcmplt_h->data_len));
2886
2887 ifidx = rxcmplt_h->cmn_hdr.if_id;
2888
Kernel-Trace
[ 431.696798] ------------[ cut here ]------------
[ 431.696812] Kernel BUG at ffffffc000833898 [verbose debug info unavailable]
[ 431.696827] Internal error: Oops - BUG: 96000004 [#1] PREEMPT SMP
[ 431.696844] Modules linked in:
[ 431.696860] exynos-snapshot: core register saved(CPU:0)
[ 431.696873] CPUMERRSR: 0000000000000000, L2MERRSR: 0000000000000000
[ 431.696886] exynos-snapshot: context saved(CPU:0)
[ 431.696961] exynos-snapshot: item - log_kevents is disabled
[ 431.697016] CPU: 0 PID: 5525 Comm: dmesg Tainted: G W 3.10.61-TeamNexus-gb11c661e30ff-dirty #892
[ 431.697035] task: ffffffc089776180 ti: ffffffc07dfb0000 task.ti: ffffffc07dfb0000
[ 431.697064] PC is at dhd_rx_frame+0x180/0x9f0
[ 431.697078] LR is at dhd_rx_frame+0x180/0x9f0
[ 431.697094] pc : [<ffffffc000833898>] lr : [<ffffffc000833898>] pstate: 40000045
[ 431.697107] sp : ffffffc07dfb3a10
[ 431.697120] x29: ffffffc07dfb3a10 x28: 00000000fa49a040
[ 431.697137] x27: 2f6d65747379732f x26: 0000000000000000
[ 431.697151] x25: 0000000000000011 x24: 0000000000000000
[ 431.697164] x23: 0000000000000000 x22: 0000000000000001
[ 431.697177] x21: ffffffc067aefa00 x20: ffffffc095d90000
[ 431.697191] x19: ffffffc095d90000 x18: 000000000000000a
[ 431.697205] x17: 0000007f98d57dd4 x16: 0000007f98e00000
[ 431.697218] x15: 0000000000000001 x14: 0000000000000002
[ 431.697231] x13: 0000000000001595 x12: 0000000000000004
[ 431.697245] x11: ffffffc081a324ee x10: ffffffc001a32504
[ 431.697258] x9 : ffffffffffffffff x8 : 3733373437353664
[ 431.697272] x7 : 3666322070666920 x6 : ffffffc001a3252e
[ 431.697285] x5 : 00000000000000c0 x4 : 0000000000000007
[ 431.697298] x3 : 0000000000000000 x2 : 0000000000000000
[ 431.697312] x1 : ffffffc001c3ccf0 x0 : ffffffc0484e2fc0
[ 431.697328]
[ 431.697328] PC: 0xffffffc000833818:
[ 431.697348] 3818 97ea8ae4 52810101 900037e0 913d2000 d280001a 9b217f21 910fc000 f9003ba1
[ 431.697374] 3838 91401661 52800017 f9003fa1 52800018 8b39ce61 b90083bf a90983bf f90057a1
[ 431.697397] 3858 97ea8ad4 f94057a2 2a1903e1 f94002a0 f90002bf f90037a0 b00067c0 f957945b
[ 431.697420] 3878 91330000 9418cc5c b00067c0 aa1b03e1 91338000 9418cc58 b40041fb 97ea8ac5
[ 431.697443] 3898 f940077b b40000bb 97ea8ac2 394ee360 7100041f 54000120 97ea8abe f9406ea0
[ 431.697466] 38b8 79401800 53087c01 2a002020 128ef261 6b20a03f 54004141 f9002fbc 97ea8ab5
[ 431.697489] 38d8 aa1503e1 aa1403e0 97ffcc1c f9400280 aa1503e1 94004f19 aa0003fb f94057a0
[ 431.697511] 38f8 f9579400 f9004ba0 b4000c40 97ea8aa9 f9404bbc f9403ba1 f9400780 f9001360
[ 431.697537]
[ 431.697537] LR: 0xffffffc000833818:
[ 431.697556] 3818 97ea8ae4 52810101 900037e0 913d2000 d280001a 9b217f21 910fc000 f9003ba1
[ 431.697578] 3838 91401661 52800017 f9003fa1 52800018 8b39ce61 b90083bf a90983bf f90057a1
[ 431.697600] 3858 97ea8ad4 f94057a2 2a1903e1 f94002a0 f90002bf f90037a0 b00067c0 f957945b
[ 431.697623] 3878 91330000 9418cc5c b00067c0 aa1b03e1 91338000 9418cc58 b40041fb 97ea8ac5
[ 431.697645] 3898 f940077b b40000bb 97ea8ac2 394ee360 7100041f 54000120 97ea8abe f9406ea0
[ 431.697668] 38b8 79401800 53087c01 2a002020 128ef261 6b20a03f 54004141 f9002fbc 97ea8ab5
[ 431.697690] 38d8 aa1503e1 aa1403e0 97ffcc1c f9400280 aa1503e1 94004f19 aa0003fb f94057a0
[ 431.697713] 38f8 f9579400 f9004ba0 b4000c40 97ea8aa9 f9404bbc f9403ba1 f9400780 f9001360
[ 431.697738]
[ 431.697738] SP: 0xffffffc07dfb3990:
[ 431.697758] 3990 95d90000 ffffffc0 67aefa00 ffffffc0 00000001 00000000 00000000 00000000
[ 431.697779] 39b0 00000000 00000000 00000011 00000000 00000000 00000000 7379732f 2f6d6574
[ 431.697801] 39d0 fa49a040 00000000 7dfb3a10 ffffffc0 00833898 ffffffc0 7dfb3a10 ffffffc0
[ 431.697823] 39f0 00833898 ffffffc0 40000045 00000000 01a32522 ffffffc0 665f7872 656d6172
[ 431.697847] 3a10 7dfb3b30 ffffffc0 008a6bf4 ffffffc0 00000011 00000000 67aefa00 ffffffc0
[ 431.697869] 3a30 00000001 00000000 b1c0a000 ffffffc0 01cbb000 ffffffc0 00000000 00000000
[ 431.697892] 3a50 00000040 00000000 00000000 00000000 00001000 00000000 000000c0 00000000
[ 431.697914] 3a70 01a3252c ffffffc0 00000000 00000000 00008888 00000000 95d95000 ffffffc0
[ 431.697939]
[ 431.697939] X0: 0xffffffc0484e2f40:
[ 431.697959] 2f40 00000000 00000000 06c34000 ffffff80 00002000 00000000 0000000a 00000000
[ 431.697981] 2f60 484e28c0 ffffffc0 00000001 00000000 00000000 00000000 002d68e8 ffffffc0
[ 431.698004] 2f80 000001dc 000001dc 00000000 00000000 00000000 00000000 00000200 dead0000
[ 431.698027] 2fa0 6c8d6720 ffffffc0 00000000 00000000 00000000 00000000 07f7d9ff 00000000
[ 431.698049] 2fc0 00000002 00030003 00000002 00002000 0000ffff 00000000 06c36000 ffffff80
[ 431.698072] 2fe0 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 431.698095] 3000 01db07f0 ffffffbc 484e3750 ffffffc0 5ed16800 ffffffc0 00002019 00000000
[ 431.698118] 3020 00000000 00000000 7b737bc0 ffffffc0 003a30c0 ffffffc0 00000100 dead0000
[ 431.698143]
[ 431.698143] X1: 0xffffffc001c3cc70:
[ 431.698162] cc70 b890b400 ffffffc0 00000000 00000000 b890b500 ffffffc0 00000000 00000000
[ 431.698185] cc90 b890b300 ffffffc0 00000000 00000000 b890b100 ffffffc0 00000000 00000000
[ 431.698208] ccb0 b890b600 ffffffc0 00000000 00000000 00000000 00000000 00000000 00000000
[ 431.698231] ccd0 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 431.698253] ccf0 484e2fc0 ffffffc0 00000000 00000000 06c36000 ffffff80 484e2000 ffffffc0
[ 431.698277] cd10 06c34000 ffffff80 00000000 00000000 00000000 00000000 00000000 00000000
[ 431.698299] cd30 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 431.698322] cd50 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 431.698349]
[ 431.698349] X6: 0xffffffc001a324ae:
[ 431.698368] 24ac 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 431.698390] 24cc 00000000 00000000 00000000 00000001 00000000 30303020 32303330 39333830
[ 431.698412] 24ec 20205d32 203a305b 20202020 20202020 656d6420 203a6773 35323535 3432205d
[ 431.698435] 250c 33206330 39362e31 39343338 5b49205d 20203a30 20202020 20202020 73656d64
[ 431.698457] 252c 35203a67 5d353235 3a365820 66783020 66666666 30306366 32336131 3a656134
[ 431.698480] 254c 0a0a350a 31316267 31363663 66303365 69642d66 20797472 32393823 303d720a
[ 431.698503] 256c 66666678 38666666 30303030 61313931 63202c31 303d7874 32343278 0a0a3835
[ 431.698526] 258c 66666f0a 203a545f 63202c30 3a545f63 202c3020 73736170 545f6465 2c30203a
[ 431.698549] 25ac 6c756620 3a545f6c 202c3020 5f676863 5f646e65 30203a54 6572202c 3a746e63
[ 431.698576]
[ 431.698576] X10: 0xffffffc001a32484:
[ 431.698595] 2484 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 431.698617] 24a4 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 431.698639] 24c4 00000000 00000000 00000000 00000000 00000000 00000001 00000000 30303020
[ 431.698662] 24e4 362e3133 36363833 20205d32 203a305b 20202020 20202020 656d6420 203a6773
[ 431.698684] 2504 35323535 3532205d 33203430 39362e31 36373538 5b49205d 20203a30 20202020
[ 431.698707] 2524 20202020 73656d64 35203a67 5d353235 30315820 7830203a 66666666 30636666
[ 431.698730] 2544 33613130 34383432 0a0a0a3a 31316267 31363663 66303365 69642d66 20797472
[ 431.698753] 2564 32393823 303d720a 66666678 38666666 30303030 61313931 63202c31 303d7874
[ 431.698777]
[ 431.698777] X11: 0xffffffc081a3246e:
[ 431.698797] 246c f8190fe0 a904d7f4 a905dff6 f90037fe 79400270 35000310 aa0003f4 aa0103f5
[ 431.698822] 248c aa0203f6 aa0303f7 580003be 580003c0 d63f03c0 b9400281 b9411821 aa1503e2
[ 431.698845] 24ac aa1603e3 aa1703e4 aa0003e5 aa0103f4 b9400020 f9407800 f940181e d63f03c0
[ 431.698868] 24cc a944d7f4 a945dff6 f94037fe 9101c3ff d65f03c0 9100f3f0 a93e0600 a93f0e02
[ 431.698892] 24ec f9426a7e d63f03c0 9100f3f0 a97e0600 a97f0e02 17ffffe1 580000bf 74997914
[ 431.698915] 250c 00000000 707d9a28 00000000 00000000 00000000 00094290 00000070 40f00000
[ 431.698938] 252c 00000000 00000098 d1400bf0 b940021f f8190fe0 a904d7f4 a905dff6 f90037fe
[ 431.698962] 254c 79400270 35000290 aa0303f4 aa0203e3 aa0103e2 b9400001 b9411821 aa0203f5
[ 431.698984] 256c aa0303f6 aa0403e5 aa1403e4 aa0103f7 b9400020 f9407800 f940181e d63f03c0
[ 431.699014]
[ 431.699014] X19: 0xffffffc095d8ff80:
[ 431.699033] ff80 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 431.699055] ffa0 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 431.699077] ffc0 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 431.699100] ffe0 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 431.699122] 0000 a00c0d00 ffffffc0 b1c0a000 ffffffc0 95d28000 ffffffc0 95d90000 ffffffc0
[ 431.699146] 0020 00000001 006d006d 00000000 00000002 00000000 00000000 000005ea 00000100
[ 431.699168] 0040 00000000 00000000 798b50e8 00007dea 00000000 00000000 00000000 00000000
[ 431.699191] 0060 0001b1ec 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 431.699216]
[ 431.699216] X20: 0xffffffc095d8ff80:
[ 431.699235] ff80 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 431.699257] ffa0 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 431.699279] ffc0 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 431.699300] ffe0 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 431.699322] 0000 a00c0d00 ffffffc0 b1c0a000 ffffffc0 95d28000 ffffffc0 95d90000 ffffffc0
[ 431.699346] 0020 00000001 006d006d 00000000 00000002 00000000 00000000 000005ea 00000100
[ 431.699368] 0040 00000000 00000000 798b50e8 00007dea 00000000 00000000 00000000 00000000
[ 431.699391] 0060 0001b1ec 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 431.699416]
[ 431.699416] X21: 0xffffffc067aef980:
[ 431.699435] f980 00000000 00000000 00000040 00000000 ffffffff ffffffff 00000000 00000000
[ 431.699458] f9a0 69615cc0 ffffffc0 00000000 00000000 67aef9b0 ffffffc0 67aef9b0 ffffffc0
[ 431.699480] f9c0 67aef9c0 ffffffc0 67aef9c0 ffffffc0 9a80e6b0 ffffffc0 00000000 00000000
[ 431.699503] f9e0 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 431.699525] fa00 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 431.699548] fa20 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 431.699570] fa40 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 431.699593] fa60 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 431.699621]
[ 431.699621] X29: 0xffffffc07dfb3990:
[ 431.699640] 3990 95d90000 ffffffc0 67aefa00 ffffffc0 00000001 00000000 00000000 00000000
[ 431.699662] 39b0 00000000 00000000 00000011 00000000 00000000 00000000 7379732f 2f6d6574
[ 431.699684] 39d0 fa49a040 00000000 7dfb3a10 ffffffc0 00833898 ffffffc0 7dfb3a10 ffffffc0
[ 431.699707] 39f0 00833898 ffffffc0 40000045 00000000 01a32522 ffffffc0 665f7872 656d6172
[ 431.699729] 3a10 7dfb3b30 ffffffc0 008a6bf4 ffffffc0 00000011 00000000 67aefa00 ffffffc0
[ 431.699752] 3a30 00000001 00000000 b1c0a000 ffffffc0 01cbb000 ffffffc0 00000000 00000000
[ 431.699775] 3a50 00000040 00000000 00000000 00000000 00001000 00000000 000000c0 00000000
[ 431.699798] 3a70 01a3252c ffffffc0 00000000 00000000 00008888 00000000 95d95000 ffffffc0
[ 431.699820]
[ 431.699835] Process dmesg (pid: 5525, stack limit = 0xffffffc07dfb0058)
[ 431.699852] Stack: (0xffffffc07dfb3a10 to 0xffffffc07dfb4000)
[ 431.699869] 3a00: 7dfb3b30 ffffffc0 008a6bf4 ffffffc0
[ 431.699887] 3a20: 00000011 00000000 67aefa00 ffffffc0 00000001 00000000 b1c0a000 ffffffc0
[ 431.699906] 3a40: 01cbb000 ffffffc0 00000000 00000000 00000040 00000000 00000000 00000000
[ 431.699923] 3a60: 00001000 00000000 000000c0 00000000 01a3252c ffffffc0 00000000 00000000
[ 431.699940] 3a80: 00008888 00000000 95d95000 ffffffc0 00000000 ffffffc0 81a324ee ffffffc0
[ 431.699958] 3aa0: 00000004 00000000 00000000 00000000 00f30338 ffffffc0 95d90088 ffffffc0
[ 431.699976] 3ac0: 98e00000 0000007f 98d57dd4 0000007f 7dfb3b60 ffffffc0 008b3950 ffffffc0
[ 431.699994] 3ae0: 7dfb3b60 ffffffc0 7dfb3b60 ffffffc0 7dfb3b20 ffffffc0 ffffffc8 00000000
[ 431.700013] 3b00: 7dfb3b60 ffffffc0 7dfb3b60 ffffffc0 7dfb3b20 ffffffc0 ffffffc8 00000000
[ 431.700031] 3b20: fa49a040 00000000 00000011 00000000 7dfb3b60 ffffffc0 008b3964 ffffffc0
[ 431.700050] 3b40: 67aefa00 ffffffc0 00000011 00000000 95d90000 ffffffc0 000191a0 ffffff80
[ 431.700068] 3b60: 7dfb3bc0 ffffffc0 008afbd4 ffffffc0 00000010 00000000 00000010 00000000
[ 431.700087] 3b80: 00000010 00000000 000191a0 ffffff80 00000010 00000000 a00c3680 ffffffc0
[ 431.700105] 3ba0: 95d28000 ffffffc0 95d90000 ffffffc0 0153c000 ffffffc0 00000000 00000000
[ 431.700124] 3bc0: 7dfb3c60 ffffffc0 008b5b24 ffffffc0 00000010 00000000 a00c3680 ffffffc0
[ 431.700142] 3be0: 95d90000 ffffffc0 000191a0 ffffff80 95d28000 ffffffc0 b99f4c00 ffffffc0
[ 431.700161] 3c00: 00000400 00000000 00000000 00000000 95d92000 ffffffc0 0000011b 00000000
[ 431.700179] 3c20: 95d92000 ffffffc0 00000010 00000000 0153c960 ffffffc0 008b3530 ffffffc0
[ 431.700198] 3c40: 000191a0 ffffff80 008b5990 00000010 00f34c70 ffffffc0 00f34c58 ffffffc0
[ 431.700217] 3c60: 7dfb3ce0 ffffffc0 008a4100 ffffffc0 b1c0a010 ffffffc0 b1c0a000 ffffffc0
[ 431.700235] 3c80: 01916a10 ffffffc0 95d90000 ffffffc0 b1c0a010 ffffffc0 00000000 00000000
[ 431.700253] 3ca0: 016c20b0 ffffffc0 01a26000 ffffffc0 01c33000 ffffffc0 00000001 00000000
[ 431.700272] 3cc0: b1c0a010 ffffffc0 00f34fa8 ffffffc0 0153c7e8 ffffffc0 00f34fc8 00000040
[ 431.700290] 3ce0: 7dfb3d30 ffffffc0 008a997c ffffffc0 b1c0a000 ffffffc0 00000001 00000000
[ 431.700309] 3d00: 60608f00 ffffffc0 016b4d68 ffffffc0 01a26a40 ffffffc0 016b4d68 ffffffc0
[ 431.700327] 3d20: 01a26a40 ffffffc0 00000000 00000000 7dfb3d60 ffffffc0 00829084 ffffffc0
[ 431.700345] 3d40: 95d90000 ffffffc0 b1c0a000 ffffffc0 00000000 00000000 01a2e758 ffffffc0
[ 431.700362] 3d60: 7dfb3d80 ffffffc0 0024450c ffffffc0 95d95040 ffffffc0 95d95048 ffffffc0
[ 431.700381] 3d80: 7dfb3dc0 ffffffc0 00244d30 ffffffc0 00000006 00000000 00000100 00000000
[ 431.700398] 3da0: 016b4fc8 ffffffc0 00000006 00000000 016c2000 ffffffc0 01a26000 ffffffc0
[ 431.700417] 3dc0: 7dfb3e50 ffffffc0 0024552c ffffffc0 000000c0 00000000 000000ed 00000000
[ 431.700435] 3de0: 00000000 00000000 82d13e44 00000064 40000000 00000000 757706ab 00000055
[ 431.700454] 3e00: 757706ad 00000055 00000000 00000000 cae998a0 0000007f 7dfb0000 ffffffc0
[ 431.700472] 3e20: 7dfb3e30 ffffffc0 016d08f0 ffffffc0 00003370 00000001 00404000 0000000a
[ 431.700491] 3e40: 016b4e10 ffffffc0 000000ed 00000000 7dfb3e70 ffffffc0 0020ada4 ffffffc0
[ 431.700509] 3e60: 016b6000 ffffffc0 0020ad80 ffffffc0 7dfb3ea0 ffffffc0 002063e8 ffffffc0
[ 431.700528] 3e80: 0000200c ffffff80 7dfb3ed0 ffffffc0 01c92c40 ffffffc0 00002010 ffffff80
[ 431.700546] 3ea0: cae997e0 0000007f 0020aa90 ffffffc0 00000000 00000000 0000000f 00000000
[ 431.700565] 3ec0: ffffffff ffffffff 98d56518 0000007f 00000000 00000000 757706ab 00000055
[ 431.700583] 3ee0: 00000002 00000000 cae990c0 0000007f 757706ad 00000055 cae99ab7 0000007f
[ 431.700601] 3f00: 0000005d 00000000 00000020 00000000 ffffffff 00000000 00000002 00000000
[ 431.700619] 3f20: 00000001 00000000 00000010 00000000 0ccccccc 00000000 8000002f 00000000
[ 431.700637] 3f40: 98de4fd8 0000007f 98de4c7c 0000007f 98e00000 0000007f 98d57dd4 0000007f
[ 431.700655] 3f60: ffffffff 00000000 7fffffff 00000000 0000000f 00000000 0000000f 00000000
[ 431.700674] 3f80: cae992a0 0000007f cae998f0 0000007f 757706ab 00000055 757706ad 00000055
[ 431.700692] 3fa0: 00000000 00000000 cae998a0 0000007f 2d10999e f733a14a cae997e0 0000007f
[ 431.700711] 3fc0: 98d9c1a4 0000007f cae98ef0 0000007f 98d56518 0000007f 40000000 00000000
[ 431.700729] 3fe0: 00000003 00000000 ffffffff ffffffff ff000000 ff000000 ff000000 ff000000
[ 431.700741] Call trace:
[ 431.700760] [<ffffffc000833898>] dhd_rx_frame+0x180/0x9f0
[ 431.700782] [<ffffffc0008a6bf0>] dhd_bus_rx_frame+0x38/0x50
[ 431.700805] [<ffffffc0008b3960>] dhd_prot_rxcmplt_process+0x430/0x638
[ 431.700825] [<ffffffc0008afbd0>] dhd_prot_process_msgtype+0x298/0x410
[ 431.700841] [<ffffffc0008b5b20>] dhd_prot_process_msgbuf_txcpl+0x138/0x2b0
[ 431.700859] [<ffffffc0008a40fc>] dhdpcie_bus_process_mailbox_intr+0x1f4/0x360
[ 431.700877] [<ffffffc0008a9978>] dhd_bus_dpc+0x158/0x220
[ 431.700898] [<ffffffc000829080>] dhd_dpc+0x28/0x98
[ 431.700920] [<ffffffc000244508>] tasklet_action+0x90/0x1e0
[ 431.700938] [<ffffffc000244d2c>] __do_softirq+0x144/0x3e0
[ 431.700955] [<ffffffc000245528>] irq_exit+0x108/0x130
[ 431.700975] [<ffffffc00020ada0>] handle_IRQ+0x58/0xc8
[ 431.700991] [<ffffffc0002063e4>] gic_handle_irq+0x3c/0x88
[ 431.701006] Exception stack(0xffffffc07dfb3eb0 to 0xffffffc07dfb3fd0)
[ 431.701022] 3ea0: 00000000 00000000 0000000f 00000000
[ 431.701040] 3ec0: ffffffff ffffffff 98d56518 0000007f 00000000 00000000 757706ab 00000055
[ 431.701058] 3ee0: 00000002 00000000 cae990c0 0000007f 757706ad 00000055 cae99ab7 0000007f
[ 431.701075] 3f00: 0000005d 00000000 00000020 00000000 ffffffff 00000000 00000002 00000000
[ 431.701093] 3f20: 00000001 00000000 00000010 00000000 0ccccccc 00000000 8000002f 00000000
[ 431.701111] 3f40: 98de4fd8 0000007f 98de4c7c 0000007f 98e00000 0000007f 98d57dd4 0000007f
[ 431.701129] 3f60: ffffffff 00000000 7fffffff 00000000 0000000f 00000000 0000000f 00000000
[ 431.701147] 3f80: cae992a0 0000007f cae998f0 0000007f 757706ab 00000055 757706ad 00000055
[ 431.701165] 3fa0: 00000000 00000000 cae998a0 0000007f 2d10999e f733a14a cae997e0 0000007f
[ 431.701180] 3fc0: 98d9c1a4 0000007f cae98ef0 0000007f
[ 431.701198] Code: 91338000 9418cc58 b40041fb 97ea8ac5 (f940077b)
[ 431.701219] ---[ end trace 627c36552ceb8f3a ]---
In-Depth Analysis
Exploiting the out-of-bounds array access into the network interface array
We found multiple potential ways to exploit the vulnerability, all relating to the out-of-bounds access of an array of pointers to network interface data structures. The bcmdhd4358 driver allocates an array of fixed size with DHD_MAX_IFS (=16) interface entries. The out-of-bounds array access occurs at several locations in the function dhd_linux.c:dhd_rx_frame within the bcmdhd4358 driver, where the index into the interface array (called ifidx) is taken directly from data provided by the WiFi peripheral. The only validation performed on the resulting interface pointer is a check whether it is NULL.
/*
 * Receive path: hands packets from the dongle up to the Linux network
 * stack.  ifidx arrives from dhd_bus_rx_frame and, in this firmware, is
 * used as an index into dhd->iflist (DHD_MAX_IFS = 16 entries) without a
 * range check; the annotated lines are where the resulting pointer is
 * read or written.  "..." marks parts of the body elided in this excerpt.
 */
void
dhd_rx_frame(dhd_pub_t *dhdp, int ifidx, void *pktbuf, int numpkt, uint8 chan)
{
	...
	dhd_if_t *ifp;
	...
	// XXX index interface array with attacker controlled ifidx; there is no
	// check that 0 <= ifidx < DHD_MAX_IFS before this read
	ifp = dhd->iflist[ifidx];
	// XXX only validation of interface pointer ifp is this NULL check, which
	// does not reject a value read from outside the array
	if (ifp == NULL) {
		DHD_ERROR(("%s: ifp is NULL. drop packet\n",
			__FUNCTION__));
		PKTCFREE(dhdp->osh, pktbuf, FALSE);
		continue;
	}
	...
	// XXX net_device pointer is read from attacker controlled memory
	skb->dev = ifp->net;
	...
	// XXX attacker controlled net_device pointer is passed to eth_type_trans
	skb->protocol = eth_type_trans(skb, skb->dev);
	if (skb->pkt_type == PACKET_MULTICAST) {
		dhd->pub.rx_multicast++;
		// XXX counter at attacker controlled address is incremented
		ifp->stats.multicast++;
	}
	...
	// XXX ASSERT only prints warning, so the index is still not rejected here
	ASSERT(ifidx < DHD_MAX_IFS && dhd->iflist[ifidx]);
	ifp = dhd->iflist[ifidx];
	// XXX ifp->net is attacker controlled
	if (ifp->net)
		ifp->net->last_rx = jiffies;
	if (ntoh16(skb->protocol) != ETHER_TYPE_BRCM) {
		dhdp->dstats.rx_bytes += skb->len;
		dhdp->rx_packets++; /* Local count */
		// XXX ifp->stats is attacker controlled
		ifp->stats.rx_bytes += skb->len;
		ifp->stats.rx_packets++;
	}
}
The pointer obtained from the array is then dereferenced as a pointer to a data structure of type dhd_if_t. That structure pointer is used to determine the destination of write operations at various locations within dhd_rx_frame, thereby enabling an attacker to corrupt kernel memory. Furthermore, the dhd_if_t structure itself holds (among other fields) a pointer to a data structure of type net_device. That net_device pointer is later passed to the function eth_type_trans, which dereferences fields of the net_device struct and so can dereference further invalid memory.
/*
 * Per-interface driver state.  dhd_rx_frame reaches these through
 * dhd->iflist[ifidx], an array of DHD_MAX_IFS (= 16) pointers, where ifidx
 * comes from the rx-completion header written by the WiFi SoC.  With an
 * out-of-range ifidx, ifp points outside the array and the fields marked
 * below are read from / written to wherever that pointer lands.
 */
typedef struct dhd_if {
	struct dhd_info *info; /* back pointer to dhd_info */
	/* OS/stack specifics */
	struct net_device *net; /* Linux net_device; dhd_rx_frame stores it in skb->dev and hands it to eth_type_trans */
	int idx; /* iface idx in dongle */
	uint subunit; /* subunit */
	uint8 mac_addr[ETHER_ADDR_LEN]; /* assigned MAC address */
	bool set_macaddress;
	bool set_multicast;
	uint8 bssidx; /* bsscfg index for the interface */
	bool attached; /* Delayed attachment when unset */
	bool txflowcontrol; /* Per interface flow control indicator */
	char name[IFNAMSIZ+1]; /* linux interface name */
	struct net_device_stats stats; /* rx counters incremented by dhd_rx_frame (multicast, rx_bytes, rx_packets) */
#ifdef PCIE_FULL_DONGLE
	struct list_head sta_list; /* sll of associated stations */
	spinlock_t sta_list_lock; /* lock for manipulating sll */
#endif /* PCIE_FULL_DONGLE */
	uint32 ap_isolate; /* ap-isolation settings */
} dhd_if_t;
/*
 * Linux core helper (not driver code) that classifies a received frame.
 * It trusts dev: when called from dhd_rx_frame, dev is ifp->net, read
 * through the unchecked dhd->iflist[ifidx] lookup, so the dev->broadcast
 * and dev->dev_addr reads below go through an attacker-controlled pointer.
 * "..." marks parts of the body elided in this excerpt.
 */
// XXX dev is attacker controlled
__be16 eth_type_trans(struct sk_buff *skb, struct net_device *dev)
{
	struct ethhdr *eth;
	skb->dev = dev;
	skb_reset_mac_header(skb);
	skb_pull_inline(skb, ETH_HLEN);
	eth = eth_hdr(skb);
	if (unlikely(is_multicast_ether_addr(eth->h_dest))) {
		// XXX dev->broadcast dereferences attacker controlled pointer
		if (ether_addr_equal_64bits(eth->h_dest, dev->broadcast))
			skb->pkt_type = PACKET_BROADCAST;
		else
			skb->pkt_type = PACKET_MULTICAST;
	}
	/*
	 * This ALLMULTI check should be redundant by 1.4
	 * so don't forget to remove it.
	 *
	 * Seems, you forgot to remove it. All silly devices
	 * seems to set IFF_PROMISC.
	 */
	else if (1 /*dev->flags&IFF_PROMISC */ ) {
		// XXX dev->dev_addr dereferences attacker controlled pointer
		if (unlikely(!ether_addr_equal_64bits(eth->h_dest,
			dev->dev_addr)))
			skb->pkt_type = PACKET_OTHERHOST;
	}
	...
	return htons(ETH_P_802_2);
}
/* Exported to loadable modules; the bcmdhd4358 driver calls it from dhd_rx_frame. */
EXPORT_SYMBOL(eth_type_trans);
We now describe the call chain through which the attacker-controlled interface index reaches the function dhd_rx_frame.
The interface index is first read from an attacker-controlled message buffer (rxcmplt_h->cmn_hdr.if_id) in the function dhd_prot_rxcmplt_process and passed on to the function dhd_bus_rx_frame.
/*
 * Handle one rx-completion message from the dongle.  The message
 * (rxcmplt_h, which aliases buf) is written by the WiFi SoC; its if_id
 * field is copied into ifidx and handed to the rx path without a range
 * check against DHD_MAX_IFS.  "..." marks parts of the body elided here.
 */
static void BCMFASTPATH
dhd_prot_rxcmplt_process(dhd_pub_t *dhd, void* buf, uint16 msglen)
{
	host_rxbuf_cmpl_t *rxcmplt_h;
	uint16 data_offset; /* offset at which data starts */
	...
	/* Actual length of the packet */
	PKTSETLEN(dhd->osh, pkt, ltoh16(rxcmplt_h->data_len));
	/* XXX ifidx read here, straight from the SoC-written header, with no
	 * range check.  ifidx is a uint in this function but is passed to the
	 * int ifidx parameter of dhd_bus_rx_frame below. */
	ifidx = rxcmplt_h->cmn_hdr.if_id;
#if defined(PCIE_D2H_SYNC_BZERO)
	/* The completion message is cleared only after if_id was copied out. */
	memset(buf, 0, msglen);
#endif /* PCIE_D2H_SYNC_BZERO */
#ifdef DHD_RX_CHAINING
	/* Chain the packets */
	dhd_rxchain_frame(dhd, pkt, ifidx);
#else /* ! DHD_RX_CHAINING */
	/* offset from which data starts is populated in rxstatus0 */
	dhd_bus_rx_frame(dhd->bus, pkt, ifidx, 1); // XXX ifidx passed on here
#endif /* ! DHD_RX_CHAINING */
	DHD_TRACE(("%s: Exit\n", __FUNCTION__));
}
The function dhd_bus_rx_frame in turn passes the interface index, still unchecked, on to the function dhd_rx_frame, which contains the vulnerable accesses described above.
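/*
 * Process a chain of pkt_count received packets for interface ifidx and
 * send them up to the Linux stack via dhd_rx_frame.
 *
 * ifidx originates in the rx-completion header written by the WiFi SoC
 * (dhd_prot_rxcmplt_process), so it is validated here against the
 * DHD_MAX_IFS-entry iflist before dhd_rx_frame uses it as an array index.
 * Packets with an invalid index are dropped and freed.  The DHD_RX_CHAINING
 * path (dhd_rxchain_frame) does not go through this function and is not
 * covered by this check.
 */
void BCMFASTPATH
dhd_bus_rx_frame(struct dhd_bus *bus, void* pkt, int ifidx, uint pkt_count)
{
#ifdef DHD_USE_IDLECOUNT
	bus->idlecount = 0;
#endif
	/* ifidx is signed: reject negative values as well as too-large ones. */
	if (ifidx < 0 || ifidx >= DHD_MAX_IFS) {
		DHD_ERROR(("%s: invalid ifidx %d. drop packet\n",
			__FUNCTION__, ifidx));
		/* Free every packet in the chain, unlinking each one first,
		 * the same way dhd_rx_frame drops a packet whose ifp is NULL. */
		while (pkt != NULL) {
			void *next = PKTNEXT(bus->dhd->osh, pkt);
			PKTSETNEXT(bus->dhd->osh, pkt, NULL);
			PKTCFREE(bus->dhd->osh, pkt, FALSE);
			pkt = next;
		}
		return;
	}
	dhd_rx_frame(bus->dhd, ifidx, pkt, pkt_count, 0);
}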