Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
CVE-2019-14196: nfs: fix unbounded memcpy with a failed length check …
…at nfs_lookup_reply This patch adds a check to rpc_pkt.u.reply.data at nfs_lookup_reply. Signed-off-by: Cheng Liu <liucheng32@huawei.com> Reported-by: Fermín Serna <fermin@semmle.com> Acked-by: Joe Hershberger <joe.hershberger@ni.com>
- Loading branch information
5d14ee4
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hi,
The following fix (lines 576-577) is an ineffective mitigation for the CVE-2019-14196:
The result of the following expression is always 24,
((uchar *)&(rpc_pkt.u.reply.data[0]) - (uchar *)(&rpc_pkt)
. Then we can modify the code as follows for demonstration purposes (some comments in line).Assuming an attacker has bypassed the current sanity check, his negative number will land as the third argument of the function
memcpy
(line 578). It will be cast to an unsigned int leading to a buffer overflow if the data copied is more than the size of the destination bufferfilefh
. The destination buffer filefh is a global one and can hold up to 64 bytes.The proper fix for this vulnerability is to declare
filefh3_length
as an unsigned int and not as an int so that it cannot represent negative numbers.Xeno Kovah (@XenoKovah) found this bypass and is presented as a case study in the course "Vulnerabilities 1001 - OST2". After dynamically verifying the bypass, I am merely reporting the discovery (tested with some dirty code that I hope would never see the sun's light).
5d14ee4
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
CVE-2022-30767 is associated with this incorrect fix for CVE-2019-14196.