
CVE-2022-20385

Open chengyechun opened this issue 2 years ago • 5 comments

https://security-tracker.debian.org/tracker/CVE-2022-20385

chengyechun avatar Oct 19 '22 07:10 chengyechun

Are there more details?

thom311 avatar Oct 19 '22 07:10 thom311

> Are there more details?

A function called 'nla_parse' does not check the len of para; it will check nla_type (which can be controlled by userspace) against 'maxtype' (in this case, it is GSCAN_MAX), then it accesses the policy array 'policy[type]', where the OOB access happens.

Product: Android
Versions: Android SoC
Android ID: A-238379819

This is the link to the NVD, https://nvd.nist.gov/vuln/detail/CVE-2022-20385

https://ubuntu.com/security/CVE-2022-20385

chengyechun avatar Oct 20 '22 01:10 chengyechun

That explanation is not sufficient (for me). I don't see how that's the case.

The code is here.

In particular, nla_for_each_attr() calls nla_ok(), which checks the length.

Might it be that Android forked nla_parse() and has different code? Or that it doesn't actually use libnl, but a similar code?

thom311 avatar Oct 20 '22 06:10 thom311
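A minimal model of the two checks thom311 refers to, added here as an example and not code from libnl or from the Android fork: nla_ok() rejects an attribute whose claimed length does not fit the remaining buffer, and the type is compared with maxtype before it is used as an index. The struct layout follows <linux/netlink.h>, tb[] stands in for the policy/attribute tables, and the input buffer is constructed.

```c
#include <stdint.h>
#include <string.h>
/* Same layout as struct nlattr in <linux/netlink.h>; both fields are sender-chosen. */
struct nlattr { uint16_t nla_len; uint16_t nla_type; };  /* nla_len includes header */
#define NLA_HDRLEN   ((int)sizeof(struct nlattr))
#define NLA_ALIGN(n) (((n) + 3) & ~3)

/* nla_ok(): the per-attribute length check that nla_for_each_attr() relies on. */
static int nla_ok(const struct nlattr *nla, int remaining)
{
    return remaining >= NLA_HDRLEN && nla->nla_len >= NLA_HDRLEN &&
           nla->nla_len <= remaining;
}

/* Model of nla_parse(): records each attribute's offset in tb[0..maxtype]
 * (-1 = absent) and returns the count.  Types above maxtype are skipped, so the
 * sender-controlled type never indexes past the table; *leftover receives the
 * trailing bytes nla_ok() refused to walk into (libnl only logs those). */
static int parse_attrs(const uint8_t *buf, int len, int maxtype, int *tb, int *leftover)
{
    const uint8_t *p = buf;
    int rem = len, stored = 0;
    for (int i = 0; i <= maxtype; i++) tb[i] = -1;
    while (rem >= NLA_HDRLEN) {
        struct nlattr nla;
        memcpy(&nla, p, sizeof nla);              /* avoid unaligned dereference */
        if (!nla_ok(&nla, rem)) break;            /* truncated or oversized: stop */
        if (nla.nla_type <= maxtype) {            /* bounds check before tb[type] */
            tb[nla.nla_type] = (int)(p - buf);
            stored++;
        }
        p += NLA_ALIGN(nla.nla_len);
        rem -= NLA_ALIGN(nla.nla_len);
    }
    *leftover = rem > 0 ? rem : 0;
    return stored;
}

/* Constructed input: type 1 with a 4-byte payload, type 7 (above maxtype 3), then
 * a header claiming 12 bytes with only 6 left.  field 0 = attributes stored,
 * 1 = offset of type 1, 2 = offset of type 2 (absent), 3 = leftover bytes. */
static int sample_field(int field)
{
    struct nlattr h[3] = { {8, 1}, {5, 7}, {12, 2} };
    uint8_t buf[32] = {0}; int tb[4], left;
    memcpy(buf, &h[0], 4);      memcpy(buf + 4, "abcd", 4);   /* bytes 0..7   */
    memcpy(buf + 8, &h[1], 4);  buf[12] = 0x2a;               /* bytes 8..15  */
    memcpy(buf + 16, &h[2], 4);                               /* bytes 16..21 */
    int n = parse_attrs(buf, 22, 3, tb, &left);
    return field == 0 ? n : field == 1 ? tb[1] : field == 2 ? tb[2] : left;
}
```

With the sample buffer, only the type-1 attribute is stored, type 7 is skipped without touching tb[7], and the truncated third header leaves 6 bytes unparsed instead of being read past the buffer.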

@thom311 Also there is a "Note" on https://security-tracker.debian.org/tracker/CVE-2022-20385 which says "NOT-FOR-US: Android".

Not being familiar with Android development, I have been trying to track this distinction down. If I can find the actual code that is in question, then maybe it can be addressed.

So far this is the only place I can see it being used:

https://android.googlesource.com/platform/external/libnl/

And the diff between the files android/lib/attr.c and libnl/lib/attr.c:

3,9d2
<  * lib/attr.c		Netlink Attributes
<  *
<  *	This library is free software; you can redistribute it and/or
<  *	modify it under the terms of the GNU Lesser General Public
<  *	License as published by the Free Software Foundation version 2.1
<  *	of the License.
<  *
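Review bot: the 3,9d2 hunk can be set aside for the CVE question; taking the `<` side as android/lib/attr.c and the `>` side as libnl/lib/attr.c (the order listed above), it only shows the fork still carrying the LGPL header comment, with no code change.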
260c253
< 				goto errout;
---
> 				return err;
270c263
< 	if (rem > 0)
---
> 	if (rem > 0) {
272a266
> 	}
274,276c268
< 	err = 0;
< errout:
< 	return err;
---
> 	return 0;
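Review bot: none of the 260c253, 270c263, 272a266 and 274,276c268 hunks touch the length check thom311 points to (nla_ok() via nla_for_each_attr()) or the `type > maxtype` test; as far as these lines show, they only restructure the error path (`goto errout` and `err = 0; errout: return err;` on the `<` side versus a direct `return err;` and `return 0;` on the `>` side), which returns the same values. The `if (rem > 0)` block gained a brace on the `>` side, so upstream has at least one more statement in that body that this normal-format diff does not display; rerunning with `diff -u` would show that context and confirm nothing length-related differs there.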
551a544,546
> 	if (nl_addr_get_len(addr) == 0)
> 		return -NLE_INVAL;
> 
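Review bot: 551a544,546 is the only hunk where the `>` side (libnl/lib/attr.c) carries a check the `<` side lacks, the zero-length guard `if (nl_addr_get_len(addr) == 0) return -NLE_INVAL;`. It operates on an address object rather than on the attribute type or policy index that the CVE text describes, and the function it belongs to is not visible in normal-format output, so it is worth showing with `diff -u` before concluding the fork is missing anything relevant to nla_parse().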

So, with most of their version being versioned as 3.0, the source I cloned from their repository has been patched quite a bit.

@thom311 If I can be of more assistance please let me know. I have been looking over the differences between your library and their fork.

tijko avatar Oct 20 '22 18:10 tijko

I will pay attention to the follow-up of this CVE. I am not involved in the Android community. How to use this interface needs to be further understood. Thank you for your reply.

chengyechun avatar Oct 22 '22 02:10 chengyechun

@chengyechun, to be clear, the CVE is concerned with a fork of this codebase. Changes were made there that differ from what is here.

tijko avatar Nov 15 '22 23:11 tijko

I am closing this issue, as I think we agree that it does not affect the source in this repository.

If you disagree, please reopen or send a patch. Thank you.

thom311 avatar Aug 03 '23 07:08 thom311