MOKB-29-11-2006

Bug details
Title: Linux 2.6.7-18.3 get_fdb_entries() integer overflow
Description: Linux 2.6.7-18.3 get_fdb_entries() function is vulnerable to an integer overflow condition. This could be abused to force memory allocation of an attacker controlled size. Successful exploitation could allow arbitrary code execution.
Author/Contributor: Eugene Teo <eugeneteo [at] eugeneteo.net> - Discovery, debugging.
a1rsupp1y - Further research.
NA<NA[at] info-pull.com> - MoKB release.
References:
Proof of concept or exploit: Not available right now.
Debugging information:

This issue has been fixed already (29 Nov 2006), check the link in References.

The vulnerable code resides in net/bridge/br_ioctl.c:

 56 static _nt get_fdb_entries(struct net_bridge *br, void __user *userbuf, 
 57                            unsigned long maxnum, unsigned long offset)
 58 {
 59         int num;
 60         void *buf;
 61         size_t size = maxnum * sizeof(struct __fdb_entry);
 62 
 63         if (size > PAGE_SIZE) {
 64                 size = PAGE_SIZE;
 65                 maxnum = PAGE_SIZE/sizeof(struct __fdb_entry);
 66         }
 67 
 68         buf = kmalloc(size, GFP_USER);
 69         if (!buf)
 70                 return -ENOMEM;
 71 
 72         num = br_fdb_fillbuf(br, buf, maxnum, offset);

By supplying a sufficiently large value to maxnum, we can control the amount
of memory to allocate to buf (i.e. 32 bytes).

net/bridge/br_fdb.c:

219 int br_fdb_fillbuf(struct net_bridge *br, void *buf,
220                    unsigned long maxnum, unsigned long skip)
221 {
222         struct __fdb_entry *fe = buf;
/* ... */
227         memset(buf, 0, maxnum*sizeof(struct __fdb_entry));
228 
229         rcu_read_lock();
230         for (i = 0; i < BR_HASH_SIZE; i++) {
231                 hlist_for_each_entry_rcu(f, h, &br->hash[i], hlist) {
232                         if (num >= maxnum)
233                                 goto out;
234 
235                         if (has_expired(br, f))
236                                 continue;
237 
238                         if (skip) {
239                                 --skip;
240                                 continue;
241                         }
242 
243                         /* convert from internal format to API */
244                         memcpy(fe->mac_addr, f->addr.addr, ETH_ALEN);
245                         fe->port_no = f->dst->port_no;
246                         fe->is_local = f->is_local;
247                         if (!f->is_static)
248                                 fe->ageing_timer_value = jiffies_to_clock_t(jiffies - f->ageing_timer);
249                         ++fe;
250                         ++num;
251                 }
252         }

because fe = buf, and buf can be allocated with only 32 bytes, if one bridge has
more than two interfaces added, memcpy will be able to overwrite other slab
objects, which can be exploited to execute arbitrary code.