Date: Wed, 14 Aug 2019 01:48:54 +0530
From: Neeraj Pal <neerajpal09@gmail.com>
To: Ian Lepore <ian@freebsd.org>
Cc: freebsd-arch@freebsd.org, Hans Petter Selasky <hselasky@freebsd.org>
Subject: Re: Regarding the bug in FreeBSD kernel driver(s)
Message-ID: <CANi4_RWOqC%2B=XMwGaAG77rKJ_O57OVkfPFFBTA42ncRLXDYWHg@mail.gmail.com>
In-Reply-To: <cb4108b6e8494259e31d1ab7d5163ae77a2a2116.camel@freebsd.org>
References: <CANi4_RUcNt8Z0Gw1DqoOCAYt61kfhv2aoz1v9snrB_Jg38z_zQ@mail.gmail.com> <cb4108b6e8494259e31d1ab7d5163ae77a2a2116.camel@freebsd.org>
Hi Ian,

On Wed, Aug 14, 2019 at 1:39 AM Ian Lepore <ian@freebsd.org> wrote:
>
> On Wed, 2019-08-14 at 01:10 +0530, Neeraj Pal wrote:
> > Hi there,
> >
> > After discussing the issue with the security-team, I have posted it
> > publicly.
> >
> > Please find the bug information given below with workaround diff:
> >
> > I have observed the "NULL pointer dereference" bug inside the FreeBSD
> > kernel driver code due to which kernel gets in panic (or DOS) mode
> > and then it has to reboot.
> >
> > Actually, this vulnerability resides in lots of kernel drivers like
> > "uhub0", "ubt0", "umass0", "run0", "uhid0" etc.
> >
> > I have tested and observed the panic for following kernel drivers:
> >
> > - usb,
> > - umass (storage),
> > - ubt (bluetooth),
> > - run0 (wifi),
> > - uhid
> >
> > [...]
> >
> > Please confirm and let me know if any other info required.
> >
>
> It appears the problem is limited to usb devices, not all devices in
> the system.  It looks like the root of the NULL ivars problem is this
> code from usb_device.c:
>
>         if (device_probe_and_attach(iface->subdev) == 0) {
>                 /*
>                  * The USB attach arguments are only available during probe
>                  * and attach !
>                  */
>                 uaa->temp_dev = NULL;
>                 device_set_ivars(iface->subdev, NULL);
>                 ...
>
> So once a device is attached the first time, its usb ivars are wiped
> out.  That code was surely written in a time before the devctl stuff
> was added to allow disabling/enabling a device on the fly.  I'm not
> sure whether it will be easy to keep the ivar data around, but if so, I
> think that would be the right fix.

Yeah, as I informed, it is only limited to usb devices, especially those
which are using struct usb_attach_arg with the api device_get_ivar(9).

> The NULL pointer checks in the patches will prevent a kernel panic, but
> don't really make devctl enable work properly.  Speaking of devctl, you
> don't need a program to test this, you can do it from the command line:
>
>   devctl disable uhub2
>   devctl enable uhub2
>   <panic happens here>

And, yeah, it will remove the panic and I verified the devctl after
patching with the code and it seems working fine, like enabling and
disabling. So, I attached the patch. Please feel free to modify it as
per requirements.

Yeah, you are right, but for the sake of PoC, I have modified the same
devctl code to remove the unnecessary devctl commands. My initial test
attempts were from command line only.

--
Thank you!
Sincere regards;
Neeraj Pal
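The lifecycle the two messages above describe (ivars handed to the driver for probe/attach, wiped afterwards by the bus, then a `devctl enable` re-probing with NULL ivars) can be modelled outside the kernel. The block below is an added user-space illustration, not FreeBSD kernel code and not the patch from the thread: the names `usb_attach_arg`, `device_get_ivars` and `device_set_ivars` are borrowed from the real API for readability, but every function here is a stand-in that assumes nothing beyond this file, and the vendor id `0x1234` and device name `uhub2` are constructed sample values. It contrasts the driver pattern that panics, the NULL-check workaround (no panic, but re-enable fails with ENXIO, as Ian notes), and the bus-side alternative of keeping the ivars around so re-enable actually works.

```c
/*
 * Added user-space model of the USB ivars lifecycle from the thread.
 * Not FreeBSD code: struct/function names mirror the real API, but the
 * bus, the drivers and the sample device below are all stand-ins.
 */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

struct usb_attach_arg {          /* modelled after struct usb_attach_arg */
	int vendor_id;
	int product_id;
};

struct device {
	const char *name;
	void *ivars;             /* bus-owned, provided for probe/attach */
	int attached;
};

static void *device_get_ivars(struct device *dev) { return dev->ivars; }
static void device_set_ivars(struct device *dev, void *p) { dev->ivars = p; }

/* Driver pattern that panics: trusts that ivars are always present. */
static int naive_probe(struct device *dev)
{
	struct usb_attach_arg *uaa = device_get_ivars(dev);

	/* NULL dereference once the bus has wiped ivars */
	return (uaa->vendor_id == 0x1234) ? 0 : ENXIO;
}

/* Workaround from the thread: check for NULL before use. */
static int checked_probe(struct device *dev)
{
	struct usb_attach_arg *uaa = device_get_ivars(dev);

	if (uaa == NULL)
		return (ENXIO);  /* decline the probe instead of panicking */
	return (uaa->vendor_id == 0x1234) ? 0 : ENXIO;
}

/*
 * Bus-side first attach, mirroring the usb_device.c snippet Ian quoted:
 * ivars are set for probe/attach and, unless keep_ivars is set, cleared
 * right after a successful attach.
 */
static int bus_first_attach(struct device *dev, struct usb_attach_arg *uaa,
    int (*probe)(struct device *), int keep_ivars)
{
	int rc;

	device_set_ivars(dev, uaa);
	rc = probe(dev);
	if (rc == 0)
		dev->attached = 1;
	if (!keep_ivars)
		device_set_ivars(dev, NULL);  /* "only available during probe and attach" */
	return (rc);
}

/* devctl disable followed by devctl enable: detach, then probe again. */
static int bus_reenable(struct device *dev, int (*probe)(struct device *))
{
	int rc;

	dev->attached = 0;
	rc = probe(dev);
	if (rc == 0)
		dev->attached = 1;
	return (rc);
}

/* True when a re-probe would hand the driver NULL ivars. */
static int reenable_would_crash(struct device *dev)
{
	return (device_get_ivars(dev) == NULL);
}

int main(void)
{
	struct usb_attach_arg uaa = { 0x1234, 0x5678 };   /* constructed */
	struct device wipe = { "uhub2", NULL, 0 };
	struct device keep = { "uhub2", NULL, 0 };

	bus_first_attach(&wipe, &uaa, checked_probe, 0);
	printf("wiped ivars: re-enable would crash naive driver: %d, "
	    "checked driver rc=%d\n", reenable_would_crash(&wipe),
	    bus_reenable(&wipe, checked_probe));

	bus_first_attach(&keep, &uaa, naive_probe, 1);
	printf("kept ivars: re-enable rc=%d attached=%d\n",
	    bus_reenable(&keep, naive_probe), keep.attached);
	return (0);
}
```

Run as written, the first line reports that a re-probe on the wiped device would hand `naive_probe` a NULL `uaa` and that `checked_probe` returns ENXIO instead of attaching, which is the "prevents the panic but does not make enable work" outcome; the second line shows that when the bus keeps the ivars, re-enable succeeds without any change to the driver.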
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CANi4_RWOqC%2B=XMwGaAG77rKJ_O57OVkfPFFBTA42ncRLXDYWHg>