Vulnerability in F2FS File System Leads To Memory Corruption on Android, Linux

Oleh | August 18, 2017

August’s Android Security Bulletin includes three file system vulnerabilities (CVE-2017-10663, CVE-2017-10662, and CVE-2017-0750) that had been found by Trend Micro researchers. These vulnerabilities might set off reminiscence corruption on the affected devices, ensuing in code execution inside the kernel context. This would allow for extra knowledge to be accessed and managed by the malware. A malicious app might very effectively be used to set off this vulnerability, which occurs when a malicious disk using the F2FS (Flash-Friendly File System) is mounted. The disk can both be an exact bodily machine or a digital file image.

F2FS is a file system optimized for utilization in devices with NAND memory. Any machine that will mount an F2FS file system is doubtlessly at risk. On Android devices, the hazard is primarily from devices that ship with F2FS assist as a consequence of it’s the default file system used for his or her knowledge partition. Affected devices embody these from Motorola, Huawei, and OnePlus, placing tens of millions of clients at risk. In order for this exploit to run, a privileged course of with mount permission should be compromised beforehand.

The draw again for Linux might even be worse. Linux packages have supported F2FS since mannequin 3.8 of the kernel was launched in February 2013. Any Linux machine with a kernel newer than this date is doubtlessly at risk. Namun, not all distributions have enabled F2FS assist by default. Systems the place USB devices are set as a lot as be routinely mounted upon insertion are most at risk, as this might imply merely inserting a malicious F2FS machine would allow the exploit to work.

Technical Details

The vulnerabilities lie in F2FS system construction parsing. On weak systems, mounting a malicious disk or native file picture with the losetup command causes reminiscence corruption that will set off code execution inside the kernel space. All three vulnerabilities might finish in an out of boundary write, which might finally be used to execute arbitrary code.

The first vulnerability (CVE-2017-10663) is as a outcomes of the absence of a buffer boundary test in the appropriate supply code:

__set_sit_entry_type(sbi, type, curseg->segno, modified);

The curseg->segno call might be malformed so as that it is going to have a worth that triggers an out of boundary write.

The second vulnerability (CVE-2017-10662) is an integer overflow:

sit_i->sentries = vzalloc(MAIN_SEGS(sbi) * sizeof(struct seg_entry));

On a 32-bit system, MAIN_SEGS(sbi) * sizeof(struct seg_entry) may overflow the 32-bit unsigned integer, allocating a buffer measurement that smaller than needed. A write on the buffer will then set off an out of boundary write.

The third vulnerability (CVE-2017-0750) may even be attributable to the absence of a buffer boundary check. The challenge was fixed in Linux kernel 4.4.73 by including a sanity check, as proven below:

/* test log blocks per part */
jika (le32_to_cpu(raw_super->log_blocks_per_seg) != 9) {
f2fs_msg(sb, KERN_INFO,
Invalid log blocks per part (%u)\n”,
le32_to_cpu(raw_super->log_blocks_per_seg));
return 1;
}

Namun, most Android devices are behind this version, and the equal code leaves open the potential of an out of boundary write:

last_offset = sbi->blocks_per_seg;
addr = START_BLOCK(sbi, segno);
sum_entry = &sum->entries[0];
for (i = 0; !err && i < last_offset; i += nrpages, addr += nrpages) {
nrpages = min(last_offseti, bio_blocks);
/* readahead node pages */
nrpages = ra_sum_pages(sbi, pages, addr, nrpages);

Best Practices

For desktop or server users, upgrading to the newest mannequin of the Linux kernel fixes these vulnerabilities. Administrators can decide to recompile the kernel themselves or look forward to the developer of their most trendy Linux distribution to launch an update. We additionally urge clients to watch out when mounting sources inside the F2FS format.

For mobile users, the hazard is primarily for clients of telephones that use F2FS as a consequence of the default filesystem. Users should be particularly cautious when downloading mobile apps on these devices, as a digital disk might very effectively be embedded into these apps and efficiency an an infection vector. Trend Micro Mobile Security (TMMS) additionally detects any apps encountered using these vulnerabilities.

Vulnerability in F2FS File System Leads To Memory Corruption on Android, Linux




Silahkan periksa ini pelayanan yang baik di: http://www.test-net.org/services/port-check/ atau mengunjungi BEBAS PERKHIDMATAN menu

[Total: 0    Rata-rata: 0/5]

Tinggalkan Balas

Alamat email anda tidak akan diterbitkan. Bidang-bidang yang perlu ditanda *