CVE-2019-8912

Jordan Morales

In the Linux kernel through 4.20.11, af_alg_release() in crypto/af_alg.c neglects to set a NULL value for a certain structure member, which leads to a use-after-free in sockfs_setattr.
diff --git a/crypto/af_alg.c b/crypto/af_alg.c
index 17eb09d222ff..ec78a04eb136 100644
--- a/crypto/af_alg.c
+++ b/crypto/af_alg.c
@@ -122,8 +122,10 @@ static void alg_do_release(const struct af_alg_type *type, void *private)

int af_alg_release(struct socket *sock)
{
- if (sock->sk)
+ if (sock->sk) {
sock_put(sock->sk);
+ sock->sk = NULL;
+ }
return 0;
}
EXPORT_SYMBOL_GPL(af_alg_release);
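Review bot: the `sock->sk = NULL` after `sock_put()` is correct unconditionally, since af_alg_release() holds no reference afterwards whether or not that was the last one, but the hunk carries no comment saying why the clear exists; a one-line comment noting that sockfs_setattr's `if (sock->sk)` check (the use-after-free named in the description) depends on it would keep the braces and the assignment from being "simplified" away in a later cleanup.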

git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=9060cb719e61b685ec0102574e10337fa5f445ea
nvd.nist.gov/vuln/detail/CVE-2019-8912
OH NoNOnoNONo.... OHOHH NOOOONOONONO.... BAHAHAHAHAHHAHAHAHAHAHAHAHAHAHAHAHAHAAHA

Attached: 7a4b230d24ae4092d9e74d3b909fa20a6220a705437018869a9bdd047e7f3aee.jpg (17.05 KB, 248x189)

Christopher Myers

securityfocus.com/bid/107063
LOOOOOOOOOOOOOOOOOOOOOL

Attached: Screenshot-2019-02-21-Linux-Kernel-'crypto-af-alg-c'-Use-After-Free-Arbitrary-Code-Execution-Vulnerability.png (98.89 KB, 421x9558)

Dominic Butler

so is this some bad remote exploit that can be used easily or just another shitpost

Matthew Cruz

It's a use after free vuln
<wat dat?
Use-After-Free vulnerabilities are a type of memory corruption flaw that can be leveraged by hackers to execute arbitrary code.
Use After Free specifically refers to the attempt to access memory after it has been freed, which can cause a program to crash or, in the case of a Use-After-Free flaw, can potentially result in the execution of arbitrary code or even enable full remote code execution capabilities.

Easton Roberts

Already patched in git, just wait for long term to update and everything will be fine again.

Adrian Hall

wait for long term to update
if you're on long term you shouldn't be vulnerable anyway. CentOS isn't outside of kernel-alt.
The "every prior kernel unto 0.0 is vulnerable" listing is just someone not bothering to see when the use-after-free was introduced.

Sebastian Collins

ah, so it's fucking nothing.

Joseph Thompson

yes but it's not very useful if you need a user account on the machine to exploit it. if you can do it without any kind of authentication then it's really bad.

Matthew Martin

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High
OH NoNOnoNONo.... OHOHH NOOOONOONONO.... BAHAHAHAHAHHAHAHAHAHAHAHAHAHAHAHAHAHAAHA

Jack Butler

m8, every Linux version 2.8 through 4.20 is vulnerable.

Elijah Reed

but I don't want to reboot my servers yet

Attached: ree.png (98.21 KB, 828x828)

Tyler Russell

the vuln's through sockfs_setattr. that was added in 4.10 and wasn't backported.

Carson Wright

But remember guys, open source automatically means safer because total randoms are surely going to do a decent audit of your spaghetti out of good will.

Dylan Cooper

nice. I use 4.9 on the things that I don't want to reboot

Daniel Foster

discovered 3 days ago
still not fixed
I wonder how much (((they))) paid...

Adrian Fisher

implying there aren't worse vulns in windows that only the cia knows about.
can potentially
Reminder that no one has found an actual exploit yet, for now it's just a benign use-after-free.

Hudson Carter

You literally have the diff of the fix in the OP, wtf?

Cooper Brooks

fix is available
true. Although I wonder if it shouldn't be made to sock_put instead.
problem is actually fixed
it hasn't hit linux git repos yet.

Thomas Carter

why would MITRE say Attack Complexity: Low
without at least a good idea of a POC exploit?

Nicholas Morgan

The fix is in the git repo but there are no releases with this fix.

there isn't a POC yet so that means everything is fine
spotted the cniles

Benjamin Hill

Where is it actually used after being freed?
This is not an inherent problem in C, but it is a problem in programming etiquette.
The programmer should've either named the function `sock_put_free` or changed the declaration to require a double pointer parameter to a struct socket.

James Sanchez

it's used after free in several places. there's a write after free in sockfs_setattr. It's a real short function, just look at it: elixir.bootlin.com/linux/v4.20.11/source/net/socket.c#L513
the contract is "if sock->sk is not NULL, then it's good to use", and that contract is broken in elixir.bootlin.com/linux/v4.20.11/source/crypto/af_alg.c#L123

Jason Richardson

also
not a problem
... given sufficient expertise and discipline
in Rust the required amount of expertise and discipline is "don't use unsafe {}", because the borrow checker doesn't allow this problem at all.
C sets a high bar before the problem is "not a problem"; most other languages have the bar quite a bit lower. Problems can be problems even if the required expertise and discipline isn't actually superhuman.

Colton Miller

SCORE ANOTHER POINT FOR C

Jayden Myers

This is not an inherrent problem in C
This is not an inherrent problem in C
This is not an inherrent problem in C
This is not an inherrent problem in C
This is not an inherrent problem in C
This is not an inherrent problem in C
LOOOOOOOOOOOOOL

Nathaniel Bailey

open up /usr/src/linux
add a single line to crypto/af_alg.c (see diff in op)
fixed gg ez

Attached: image-(59).jpg (77.67 KB, 832x689)

Sebastian Foster

What about all the other vulnerabilities though? In which files are those?

Camden Rogers

the only reason rust doesn't have these types of vulnerabilities is because nobody uses it and nobody cares to check anything that does because it's all irrelevant.

it's the same reason there's so few viruses on OSX and linux, not because there can't be, but because it's irrelevant to target.

Angel Davis

other languages are just as unsafe
nice damage control

Jack Wright

#!/usr/bin/stap -g
# embedded C needs guru mode (-g); struct socket/struct sock come from net/sock.h
%{
#include <net/sock.h>
%}
function null_it (sock:long) %{
    struct socket *sock = (struct socket *) (unsigned long) STAP_ARG_sock;
    sock->sk = NULL;
%}
probe kernel.function("af_alg_release").return {
    null_it($sock);
}
... something like that.

Jaxon Turner

I know what you mean, but Linux is too complicated anyway. A single human being just can't understand it all. Terry was right when he said that a great programmer deletes code, instead of adding more. (I can't remember the exact quote)

Use Ada. if it's good enough for US army and Boeing, then it should be good enough for you. I used to think that Ada was a niggerlicious language, but I researched it a bit, and it really seems like a good and beautiful (and white) language. Its only problem is that it's a bit verbose, perhaps. But it doesn't really matter to me that much tbh.

fixed gg ez
It's still not an excuse for this embarrassing bug.

Attached: ichigohina1.jpg (218.11 KB, 655x922)

Tyler Lee

ctl+f "sock_put"
nothing found
Where is `sock_put` defined? How is someone supposed to read that name and think that it would free the pointer in the parameter?

I admit that it is something an experienced programmer will notice quicker than a novice, but that doesn't eliminate the need for novices to learn these practices as fundamental.
Either by naming convention or by function design, it is courtesy that if others will contribute to some software that it should be intuitive and not require hours of reversing before work can be attempted.

Where in your butt does it hurt?

Use Ada. if it's good enough for US army and Boeing, then it should be good enough for you. I used to think that Ada was a niggerlicious language, but I researched it a bit, and it really seems like a good and beautiful (and white) language. Its only problem is that it's a bit verbose, perhaps. But it doesn't really matter to me that much tbh.
Hello, fellow (((white))) programmer. I see you post anime also.

Connor Bell

elixir.bootlin.com/linux/v4.20.11/ident/sock_put

Easton Reed

damage control is required to defend against an irrelevant meme language.
javascript is objectively more secure than rust

Lincoln Powell


/* Ungrab socket and destroy it, if it was the last reference. */
static inline void sock_put(struct sock *sk)
{
	if (refcount_dec_and_test(&sk->sk_refcnt))
		sk_free(sk);
}

Yeah, that definitely should take a pointer to a pointer and assign NULL when necessary.

Christian Edwards

thread about c
ada shill shows up

more damage control
pathetic

Owen Garcia

Attached: basedandredpilled.webm (6.07 MB, 1280x720)

Hunter Moore

treating a girl like a trap just because her breasts aren't DD
degenerate.
thread about a class of flaw in a C program
less-buggy languages are discussed
this is bad

Asher Morales

lol you have obvious braindamage

Jackson Cook

ada shill shows up
What the fuck did you just fucking say about me, you little bitch? I'll have you know I graduated top of my class in the Navy Seals, and I've been involved in numerous secret raids on Al-Quaeda, and I have over 300 confirmed kills. I am trained in guerrilla warfare and I'm the top sniper in the entire US armed forces. You are nothing to me but just another target. I will wipe you the fuck out with precision the likes of which has never been seen before on this Earth, mark my fucking words. You think you can get away with saying that shit to me over the Internet? Think again, fucker. As we speak I am contacting my secret network of spies across the USA and your IP is being traced right now so you better prepare for the storm, maggot. The storm that wipes out the pathetic little thing you call your life. You're fucking dead, kid. I can be anywhere, anytime, and I can kill you in over 700 ways, and that's just with my bare hands. Not only am I extensively trained in unarmed combat, but I have access to the entire arsenal of the United States Marine Corps and I will use it to its full extent to wipe your miserable ass off the face of the continent, you little shit. If only you could have known what unholy retribution your little "clever" comment was about to bring down upon you, maybe you would have held your fucking tongue. But you couldn't, you didn't, and now you're paying the price, you goddamn idiot. I will shit fury all over you and you will drown in it. You're fucking dead, kiddo.

Brayden Green

yikes

Luke Brown

post popular software written entirely in rust

Julian Peterson

relevant: youtube.com/watch?v=FY9SbqTO5GQ

Oliver Bailey

I would literally email my bank account login info + my SSN to russian botnet masters before I willingly used a program written in rust

Sebastian Butler

be sjw
blame your responsibilities on others
be dev
blame your bad code on the software

it's good enough for US army and Boeing
And french space rockets

Jackson Lopez

Wow. This guy really shows how much a clusterfuck free software is when you don't have any kind of official standards and practices for contributing.

Luke Cooper

woah, if only they had rules against virtual *hugs* none of this would have happened

Henry Ward

I am not talking about some queer CoC(k). I am talking about Standards and Practices. Do you know what those are?

Isaiah Evans

Well it was an easy patch, really annoying because nothing uses the crypto api really. I wonder how hard it is to exploit with kaslr and gcc stack protectors.

Gavin Fisher

Dude, the patch is broken itself. `sock_put` is supposed to check if the socket should be NULL or not. `sock_put` needs to be patched to actually make the socket NULL when it is necessary, and everything that calls it needs to be patched, so assigning the socket to NULL outside of the function is unnecessary and incorrect.

Luis Hernandez

brb deleting /crypto
But seriously, are you telling me linus has it wrong? can you show me where the real fix work is happening?

Eli Turner

good and beautiful (and white) language
Well you're not wrong, but it was designed by a French Jew. So it's a (((white))) language.

Brandon Diaz

Read the function.
The comment clearly states that `sock_put` checks if the socket should be destroyed, which means that there could be some occurrence where the socket doesn't need to be destroyed. By assigning the socket reference to NULL outside the function, the check is useless and ignored essentially.
I don't know who wrote the patch, but in my opinion, it is wrong.

Jordan Robinson

be in medieval hacker's guilde
everyone uses bent hammers
one day a journeyman shows off his invention: non-bent hammer
he's able to build better stuff, with fewer personal injuries!
the whole guild comes together
the whole guild beats him black and blue, and makes him apologize to his bent hammer
the medieval hackers guilde does not blame its tools for self-injury!

Brandon Robinson

damn, that's true. The patch should reimplement sock_put, and only set its arg NULL when that check succeeds.
There might be some other guarantee of the check always succeeding, that led the patch submitter to not bother, but probably he just didn't think it through.

Adam Parker

The “Benny Hill” chase music played in my head while I scrolled through your list user.

Evan Rivera

muh rust
Protip: I didn't mention Rust. Stop building a strawman and admit that you are LARPers

Jack Brooks

did you tell that to them?

Jordan Robinson

Anti-Rustfag OP can you please be more original?
inb4 thread derail as expected and t. Rustfag because I don't care about that programming language.

Evan Jenkins

Anti-Rustfag OP
I (the OP) am the Rustfag. Gotcha, cniles! I will never stop haunting this board.

Hudson King

forgot my image how embarrassing

Attached: steve-klabnik-p.jpg (19.64 KB, 294x294)

Jayden Gomez

US army
Remember the low IQ soldiers? It's like you're one of them.

Tyler Sanders

Are you also the OP of ?

Logan Nguyen

Nah. I made this one as a response though.

Cameron King

the reference counting is for multiple users of the socket. sock_put doesn't free until there are no users. regardless, the caller is no longer a user, so the patch is right: it should unconditionally set that field to NULL.

Asher Johnson

someone makes a thread about Rust vulnerabilities
Rustniggers are so butthurt they copy OP's image and use his post as a template whenever a C program has a vulnerability
spend most of the thread shilling Rust yet the moment someone mentions Ada they dogpile him
Why are Rustfags so fucking salty?

Attached: 33f4a6104e9795d1f30da2d954eebb02ad3b2bcf.gif (569.16 KB, 827x926)

Tyler Wilson

one post mentions Rust positively
8 shit on it
Yes. Clearly there is some serious Rust shilling going on here.
Go and check yourself into a retirement home, cnile.

Jack Turner

anyone who doesn't like Rust is a C programmer
The absolute state of Rustfags. This is like systemd shills strawmanning everyone else as SysV init fanboys.

Blake Barnes

That doesn't matter.
If the socket pointer is supposed to be NULL at a certain condition, and if that condition is tested in a separate function, then that separate function should assign NULL to that pointer, not externally after the call.
That's my point.

Oliver Young

it matters to whether the patch is defective or not--if it doesn't introduce new problems, like sock->sk improperly getting set to NULL
The patch is not defective.
Would it be better to change sock_put ? I think so, yeah. Even if this means that many uses of sock_put will have an unnecessary assignment, in most of those cases (sock_put(blah); /* blah isn't used before going out of scope */) it should be compiled away as dead code.

Wyatt Gray

ex. elixir.bootlin.com/linux/v4.20.11/source/crypto/af_alg.c#L131
setting sk to NULL at the end of this function is totally pointless. It's not actually 'dead code' technically.

Evan Walker

anyone who doesn't like C is a Rust programmer
The absolute state of cniles. This is like systemd shills strawmanning everyone else as SysV init fanboys.

Hunter Martinez

What performance gain do you lose from a literal xor call? Sure you might have to copy the address into a register, but I highly doubt it's going to add 1 ms of latency for the function to NULL the pointer when the condition is met.

Jaxon Gray

if I switch Rustfag for my super special forced meme this insult will have exactly the same effect
I can't believe you actually thought this.

Attached: 369758cce0779931f247ed0497e5ff299554162a2e0ed9a4f8bce8c5b992fd78.gif (1.53 MB, 300x316)

Jacob Roberts

*shrug*
I am inclined to treat unnecessary writes as having weight independent of their instruction count.

Nolan Nguyen

But the write only occurs when the condition is met: refcount == 0.
Sure there are instances where the socket pointer is no longer used after it is freed, but that is not always so, as is apparently the case in OP.
Why not take the performance hit and make contributions easier for everyone instead of forcing them to reverse a bunch of code they are new to?

Dylan Ramirez

no, the write needs to happen on every call to sock_put, because every caller of sock_put no longer has need of the pointer.
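The contract James Sanchez describes earlier (a non-NULL sock->sk is assumed safe to use) and the debate just above over whether sock_put() itself should clear the caller's pointer, modelled as an added userspace C example that is not kernel code and not from any poster: struct sock, struct socket, sk_free and the release/setattr functions are simplified stand-ins, and the "freed" flag is an assumption added so the model can detect a dangling pointer without undefined behaviour.

```c
#include <stdbool.h>
#include <stddef.h>
/* Stand-ins for the kernel structs. The "freed" flag does not exist in the real struct
 * sock; it lets a dangling dereference be detected without touching freed memory. */
struct sock { int sk_refcnt; bool freed; };
struct socket { struct sock *sk; };
/* Models sk_free(): marks the object destroyed instead of freeing it. */
static void sk_free(struct sock *sk) { sk->freed = true; }
/* Same shape as the kernel's sock_put(): drop one reference, destroy on the last.
 * It receives the pointer by value, so it cannot clear the caller's copy. */
static void sock_put(struct sock *sk)
{
    if (--sk->sk_refcnt == 0)
        sk_free(sk);
}
/* The alternative debated in the thread (not kernel code): clear the caller's pointer
 * unconditionally, because after a put the caller holds no reference either way. */
static void sock_put_clear(struct sock **skp)
{
    sock_put(*skp);
    *skp = NULL;
}

/* Unpatched af_alg_release(): drops the reference but leaves sock->sk dangling. */
static int af_alg_release_unpatched(struct socket *sock)
{
    if (sock->sk)
        sock_put(sock->sk);
    return 0;
}

/* af_alg_release() as fixed in the OP's diff: clear the pointer after the put. */
static int af_alg_release_patched(struct socket *sock)
{
    if (sock->sk) {
        sock_put(sock->sk);
        sock->sk = NULL;
    }
    return 0;
}

/* Stand-in for the consumer (sockfs_setattr) relying on the contract "if sock->sk is
 * non-NULL it is safe to use": 0 = skipped NULL, 1 = used live sk, -1 = dangling. */
static int setattr_like(struct socket *sock)
{
    if (!sock->sk)
        return 0;
    if (sock->sk->freed)
        return -1;   /* the write-after-free described in the thread */
    return 1;        /* the real code writes sock->sk->sk_uid here */
}

/* Release through the given function, then run the consumer; returns its verdict. */
static int scenario(int (*release)(struct socket *))
{
    struct sock sk = { .sk_refcnt = 1, .freed = false };
    struct socket sock = { .sk = &sk };
    release(&sock);
    return setattr_like(&sock);
}

/* Two holders share one sock (refcnt 2): the first put must not destroy the object,
 * yet the putting holder's own pointer still has to go. True when both hold. */
static bool shared_put_keeps_object_alive(void)
{
    struct sock sk = { .sk_refcnt = 2, .freed = false };
    struct sock *holder_a = &sk, *holder_b = &sk;
    sock_put_clear(&holder_a);
    return holder_a == NULL && !sk.freed && holder_b->sk_refcnt == 1;
}
```

The unpatched path returns -1 (consumer would write through the freed object), the patched path returns 0, and the shared-reference case shows why clearing the caller's pointer is independent of whether the object was destroyed.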

Grayson Stewart

implyin you aren't a SysVinit fanboy

Brayden Hill

Then why the conditional in `sock_put` itself?
What we know `sock_put` does every call is that it will call a function to decrement refcount and check its value. It will then use the return of this function to determine whether to release the socket or not. We know that it does this every call.
Now, at this point, if the function returns anything but 0, the socket will be released.
What if that function doesn't return 0 however? How does assigning NULL for the pointer to the socket in that situation differ from normal, expected operation?

Michael Fisher

Hurr just like, write good code lmao

Attached: peni.webm (2.45 MB, 640x360)

Oliver Torres

Valid statement. Everyone should get good.

Chase Parker

If people working on the Linux kernel can't write reasonably safe C you sure as hell can't.
I want every single LARPer on this board to show me the C they write so I can tell them why they can't code for shit and need to shut up.

Attached: smurfs.png (203.17 KB, 640x599)

Lincoln Cooper

You're making a ton of assumptions here.
Besides, it is reasonably safe.

Leo Ortiz

It's reasonably safe like playing guitar with a sword is reasonably safe.

Landon Morales

Then you don't know what reasonable means.

Eli Williams

No, you're just really fucking stupid.

Joseph Hughes

Good argument.

Brayden Reyes

This is a really fucking stupid analogy because even if writing C was somehow close to playing the guitar with a sword, the results would be so awesome you'd look like a massive faggot for yelling "JUST USE YOUR HANDS IDIOT" on the rare occasion he actually cuts a string.

Attached: cf6bfa1d08f79fcb39bed4d70c156aa0808f5de99668cc6b6adb1049ede6d82b.png (1010.92 KB, 1003x764)

Cooper Garcia

[metal intensifies]

Anthony Adams

Attached: nulang-programmer.png (53.17 KB, 1040x768)

Easton Nguyen

No you'd look like a massive faggot when you regularly slice yourself and keep insisting you're fine.

Brayden White

cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.20.12

Luke Barnes

but it was designed by a French Jew
That's a bit misleading. Ada was designed by a team, and the french jew was part of that group.

implying US army wouldn't care about safety and high availability/fault tolerance
However, the main reason why I mentioned US army was to prove that Ada isn't simply another meme language that nobody uses. Ada is backed by large entities and it's being actively developed (and the way it's being developed is actually sane! And the standards are available for free), so Ada is a future-proofed and useful language.

the only init systems in the existence are SysV and SystemD

Ryan Young

shilling Ada in a C thread

Anthony Anderson

if you're using C, you should use Ada instead, so it makes sense :^)

Xavier Smith

git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.20.y&id=cc5cb5c0d03d9a990dd6d40dce5a5cf96de8e81e
the accepted patch is just the NULL assignment after sock_put().
git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/log/?h=linux-4.20.y

Owen Peterson

holy keks loonix is finished!!

Jose Davis

YEAR OF THE LINUX DESKTOP

Attached: 5282f421fbc233ac75bb5181cc78b6014fef1f89ecf7ea54e0d74fa698c7237d.gif (2.77 MB, 512x512)