The Linux kernel, from v4.0 onward, supports Kernel Address Sanitizer (KASAN), a very powerful compile-time instrumentation method. KASAN instruments every memory allocation, free, read, and write operation with sanity checks. Among other issues, KASAN can uncover most use-after-free, buffer overflow, and buffer overrun errors. The Synopsys Defensics R&D team selected KASAN to run in conjunction with Defensics (Synopsys' fuzz testing solution).
When the Defensics NFS3 Server test suite ran with KASAN enabled in the SUT, a previously passing test case started to fail. KASAN reported a read from a freed memory region, triggered by anomalous NFSv3 WRITE requests: the request carried no payload to be written, yet the server actually wrote 1MB of data to the target file.
Further investigation revealed the following about the written data:
- It may contain kernel-space or user-space information.
- It's read from an arbitrary location that may hop around the physical address space.
- It may contain heap memory allocated by root-owned user-space processes, such as SSHD private keys, cleartext excerpts of the user's SSH sessions, and more.
When the issue is exploited, however, it leaves no traces in any logs, so the attack could go unnoticed. The malicious activity would look like normal NFS traffic while in fact leaking information that should have stayed private.
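Because the anomalous request is structurally distinguishable from a normal one even though it produces ordinary-looking NFS traffic, a defender can catch it at the protocol layer. The following Python parser is an added example, not part of the original post and not the kernel's own code: it decodes the NFSv3 WRITE3args structure (file handle, offset, count, stable, data, laid out as in RFC 1813, section 3.3.7) and rejects any request whose declared `count` is not backed by the opaque data actually carried in the message, or whose XDR encoding is truncated. The function names and the sample requests are constructed for illustration.

```python
import struct


def _u32(buf, off):
    """Read one big-endian XDR unsigned int at offset `off`."""
    if off + 4 > len(buf):
        raise ValueError("truncated at offset %d" % off)
    return struct.unpack_from(">I", buf, off)[0], off + 4


def _opaque(buf, off):
    """Read an XDR variable-length opaque: 4-byte length, bytes, padded to a 4-byte boundary.

    Both the declared bytes and the padding must be present in the buffer.
    """
    n, off = _u32(buf, off)
    padded = n + (-n % 4)
    if off + padded > len(buf):
        raise ValueError("opaque length %d (padded %d) exceeds remaining %d bytes"
                         % (n, padded, len(buf) - off))
    return buf[off:off + n], off + padded


def parse_write3args(buf):
    """Decode WRITE3args: nfs_fh3 file, uint64 offset, uint32 count, stable_how stable, opaque data."""
    fh, off = _opaque(buf, 0)
    hi, off = _u32(buf, off)
    lo, off = _u32(buf, off)
    count, off = _u32(buf, off)
    stable, off = _u32(buf, off)
    data, off = _opaque(buf, off)
    return {"fh": fh, "offset": (hi << 32) | lo, "count": count,
            "stable": stable, "data": data, "consumed": off}


def check_write3args(buf):
    """Return (ok, reason). A request is rejected when its XDR is malformed or when
    the declared count claims more bytes than the opaque data field actually carries."""
    try:
        w = parse_write3args(buf)
    except ValueError as e:
        return False, "malformed XDR: %s" % e
    if w["count"] > len(w["data"]):
        return False, "count %d exceeds payload length %d" % (w["count"], len(w["data"]))
    return True, "ok"


# --- helpers to build constructed sample requests (hypothetical, for this example only) ---

def encode_opaque(b):
    return struct.pack(">I", len(b)) + b + b"\x00" * (-len(b) % 4)


def build_write3args(fh, offset, count, stable, data):
    return encode_opaque(fh) + struct.pack(">QII", offset, count, stable) + encode_opaque(data)


if __name__ == "__main__":
    fh = b"\x01" * 8  # constructed file handle
    # Well-formed: count matches the 5 bytes of payload.
    good = build_write3args(fh, 0, 5, 1, b"hello")
    # Anomalous: claims 1MB (1 << 20) but carries an empty payload.
    bad = build_write3args(fh, 0, 1 << 20, 1, b"")
    for name, req in (("good", good), ("bad", bad), ("truncated", good[:-2])):
        print(name, check_write3args(req))
```

The check mirrors the invariant a server must hold before copying `count` bytes into a file: the bytes have to exist in the received message. A monitoring hook or an NFS-aware IDS can apply the same test to captured RPC payloads and alert on any WRITE whose `count` is larger than its data field.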
This discovery reminded us that memory access issues that do not cause immediate crashes, and therefore go unnoticed, can pose serious security threats to organizations. One example is Heartbleed, a vulnerability that leaked information while the affected systems appeared to be working as expected.
MITRE allocated CVE-2017-7895 to the issue that I discovered. The issue seems to have been introduced in kernel v2.6.22—about 10 years ago.