Synopsys finds 3 Linux kernel vulnerabilities

At Synopsys, our R&D teams routinely organize internal hackathons to verify the Synopsys Software Integrity Portfolio’s performance in real-world environments. During one hackathon, focused on open source software, Tuomas Haanpää, from the Synopsys Defensics (fuzz testing) R&D group, ran our NFSv3 test suite against the Linux kernel and found several interesting errors.

Initial analysis found that anomalized NFSv3 READDIR/READDIRPLUS requests produced an error, and further repeated requests eventually froze the system under test (SUT). The high-level root cause for this issue is a typical case that’s often seen in larger systems: A front-end subsystem—in this case SunRPC—makes several assumptions about the back-end subsystem’s—in this case NFSDv3’s—behavior. However, these assumptions aren’t properly validated by either one, so when unexpected inputs in the NFS payload breaks those assumptions, the NULL pointer dereference leads to a failure. For a successful denial-of-service (DoS) attack, the intruder requires read-only access to a NFS mount.

Mitre has allocated CVE-2017-7645 for this remote DoS vulnerability. Our research indicates that, at the very least, every kernel since v2.6.32 is vulnerable without the patch.

Fuzzing with sanitizers

An extended study of the root cause and reproduction efforts of CVE-2017-7645 revealed the potential for more issues lurking in the NFSDv3 implementation. Portions of the Linux kernel code base are quite old and have numerous pointer arithmetics and assumptions built in, indicating that we needed to proceed by fuzzing with sanitizers. The need to fuzz with sanitizers couldn’t be truer for complex systems because bugs can always be found even after conducting rigorous code reviews and using static analysis tools.

Kernel Address Sanitizer (KASAN)

The Linux kernel supports Kernel Address Sanitizer (KASAN), a very powerful compile-time instrumentation method, in v4.0 and later. KASAN instruments every memory allocation, free and read, and write operation with sanity checks. Among other issues, KASAN can uncover most use-after-free, buffer overflow, and buffer overrun errors. The Synopsys Defensics R&D team selected KASAN to run in conjunction with Defensics (Synopsys' fuzz testing solution).

When the Defensics NFS3 Server test suite ran with KASAN enabled in the SUT, a previously passing test case started to fail. KASAN noticed a read of freed memory region with anomalous NFSDv3 WRITE requests. It showed no payload to be written, but was actually writing 1MB of data to the target file.

Further investigation revealed the following about the written data:

• It may contain kernel-space or user-space information.
• It's read from an arbitrary location that may hop around the physical address space.
• It may contain memory malloced by root-owned user-space processes, such as SSHD private keys, cleartext excerpts of the user’s SSH sessions, and more.

When the issue is exploited, however, it does not leave any traces in any logs and the attack could go unnoticed. The malicious activity would look like normal NFS traffic, but it was, in fact, leaking information that should have been kept private.

This discovery reminded us that memory access issues that do not cause immediate crashes and go unnoticed can pose serious security threats to organizations. One example is Heartbleed, a vulnerability that unexpectedly leaks information although systems are working as expected.

Mitre allocated CVE-2017-7895 to the issue that I discovered. The issue seems to have been introduced in kernel v2.6.22—about 10 years ago.

Even well-structured, well-designed, and well-reviewed codebases may have issues

The NFSDv4 implementation in Linux was developed much later than the NFSDv3 implementation. Although the NFSDv4 subsystem was designed with a better structure for input validation and error checking, Jani Tuovila from the Synopsys Defensics R&D team decided to verify with the Defensics NFSv4 Server test suite.

After performing the test, a failure was found. A remote DoS was caused when the SUT was handling an invalid error in the LAYOUTGET command, and it was later revealed that the remote DoS is even more severe if the source address is spoofable. The maliciously crafted request triggers an out-of-bounds read and pointer dereference. Because the vulnerability is in the error handling of the path, no actual access rights are required. The only requirement is that the spoofable source address be within an allowed IP range for NFS access.

Mitre allocated CVE-2017-8797 for this issue. At least every kernel since v4.4.0 is vulnerable.

A proper and coordinated disclosure

Tuomas Haanpää, Jani Tuovila, and I, from the Synopsys Defensics R&D team, weren't the only members involved in the Linux kernel NFS fuzzing project. Matti Kamunen and Marko Laakso also reached out to the Linux Foundation to ensure a safe, secure, and coordinated disclosure. A special thank you to Linux NFS maintainer J. Bruce Fields, who helped patch the discovered issues.

If you are concerned that you may be affected by these vulnerabilities, visit CVE-2017-7645, CVE-2017-7895, and CVE-2017-8797 for further details and patches.

Summing it up

To prevent severe issues such as Linux kernel vulnerabilities from going unnoticed, use state-of-the-art fuzzing solutions combined with in-depth instrumentation.