Updated the XNU code browser to xnu-4903.221.2. https://fergofrog.com/code/cbowser/xnu/ …
mptcp_subflow_connected_ev operates on the CONNECTED event, called at https://fergofrog.com/code/cbowser/xnu/bsd/netinet/mptcp_subr.c.html#3219 …. The mpts->mpts_dst, however, only has uses in two other functions: mptcp_subflow_add (the function in question) and https://fergofrog.com/code/cbowser/xnu/bsd/netinet/mptcp_subr.c.html#mptcp_subflow_soconnectx … (which does check sa_len).
Finally mptcp_check_subflows_and_add, either passes a fixed length dst struct, or one from mpte->mpte_dst, which is set from https://fergofrog.com/code/cbowser/xnu/bsd/netinet/mptcp_usrreq.c.html#353 …, which is our dear friend from before, mptcp_usr_connectx, which checks sa_len.
Unless there's a driver that happily passes sockaddrs from userland into mptcp straight through mptcp_connectx, rather than mptcp_usr_connectx, this is not an exploitable bug. It definitely doesn't require additional checks to be added, or a CVE to be assigned.
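The thread's argument is that the inner code trusts sa_len only because every path that reaches it passed through an entry point (mptcp_usr_connectx) that already validated the length. The following is an added illustration of that pattern, written for this page; it is not XNU code. The structures mirror the BSD sockaddr layout (sa_len as the first byte) so it compiles on any platform, the family constants and the 128-byte storage size are assumptions copied from Darwin's headers, and the function names are hypothetical.

```c
/* Added illustration, not XNU code: a sa_len check at the syscall boundary is
 * what makes a later memcpy(..., sa->sa_len) safe. Structures are a local copy
 * of the BSD sockaddr layout so this builds without <sys/socket.h>. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <errno.h>
#include <stdio.h>

#define SS_SIZE      128 /* assumed: sizeof(struct sockaddr_storage) on BSD/Darwin */
#define AF_INET_BSD  2
#define AF_INET6_BSD 30  /* assumed: Darwin's AF_INET6 value */

struct bsd_sockaddr     { uint8_t sa_len; uint8_t sa_family; char sa_data[14]; };
struct bsd_sockaddr_in  { uint8_t sin_len; uint8_t sin_family; uint16_t sin_port;
                          uint32_t sin_addr; char sin_zero[8]; };           /* 16 bytes */
struct bsd_sockaddr_in6 { uint8_t sin6_len; uint8_t sin6_family; uint16_t sin6_port;
                          uint32_t sin6_flowinfo; uint8_t sin6_addr[16];
                          uint32_t sin6_scope_id; };                        /* 28 bytes */

/* Kernel-side destination storage that the inner copy writes into. */
struct kernel_storage { uint8_t ss[SS_SIZE]; };

/* Boundary check, the analogue of the sa_len check the thread attributes to
 * mptcp_usr_connectx: sa_len must not exceed what userland actually supplied,
 * must fit the kernel storage, and must match the address family.
 * Returns 0 on success, EINVAL otherwise. */
int validate_sockaddr(const struct bsd_sockaddr *sa, size_t buflen)
{
    if (buflen < sizeof(*sa))   return EINVAL; /* not even a full header was supplied */
    if (sa->sa_len > buflen)    return EINVAL; /* sa_len claims more bytes than exist */
    if (sa->sa_len > SS_SIZE)   return EINVAL; /* would overrun sockaddr_storage */
    switch (sa->sa_family) {
    case AF_INET_BSD:  return sa->sa_len == sizeof(struct bsd_sockaddr_in)  ? 0 : EINVAL;
    case AF_INET6_BSD: return sa->sa_len == sizeof(struct bsd_sockaddr_in6) ? 0 : EINVAL;
    default:           return EINVAL;
    }
}

/* Inner copy of the kind found deeper in the call chain: it trusts sa_len.
 * On its own this is an out-of-bounds write waiting to happen; it is safe only
 * because every caller has already run validate_sockaddr on the same pointer. */
void copy_dst_trusting_sa_len(struct kernel_storage *dst, const struct bsd_sockaddr *sa)
{
    memset(dst, 0, sizeof(*dst));
    memcpy(dst->ss, sa, sa->sa_len);
}

/* The guarded entry point: validate first, then hand off to the trusting copy. */
int connectx_like_entry(struct kernel_storage *dst, const void *user_buf, size_t user_len)
{
    const struct bsd_sockaddr *sa = user_buf;
    int err = validate_sockaddr(sa, user_len);
    if (err) return err;
    copy_dst_trusting_sa_len(dst, sa);
    return 0;
}

/* Constructed sample inputs (not captured from a real system). Each returns
 * the error code the entry point produces for that input. */
int check_valid_ipv4(void)
{
    struct bsd_sockaddr_in sa = { 16, AF_INET_BSD, 0x5000, 0x0100007f, {0} };
    struct kernel_storage ks;
    int err = connectx_like_entry(&ks, &sa, sizeof sa);
    return err == 0 && ks.ss[0] == 16 ? 0 : (err ? err : -1);
}
int check_oversized_len(void)   /* sa_len = 200 > SS_SIZE */
{
    struct bsd_sockaddr_in sa = { 200, AF_INET_BSD, 0, 0, {0} };
    struct kernel_storage ks;
    return connectx_like_entry(&ks, &sa, sizeof sa);
}
int check_short_buffer(void)    /* sa_len = 16 but only 8 bytes were supplied */
{
    struct bsd_sockaddr_in sa = { 16, AF_INET_BSD, 0, 0, {0} };
    struct kernel_storage ks;
    return connectx_like_entry(&ks, &sa, 8);
}
int check_wrong_family(void)    /* IPv4 length with an unknown family */
{
    struct bsd_sockaddr_in sa = { 16, 99, 0, 0, {0} };
    struct kernel_storage ks;
    return connectx_like_entry(&ks, &sa, sizeof sa);
}

int main(void)
{
    printf("valid ipv4:    %d\n", check_valid_ipv4());
    printf("oversized len: %d\n", check_oversized_len());
    printf("short buffer:  %d\n", check_short_buffer());
    printf("wrong family:  %d\n", check_wrong_family());
    return 0;
}
```

The practitioner's check when auditing a report like the one in the thread is the same one performed here: enumerate every caller of the trusting copy and confirm each reaches it only through a path that validated sa_len against both the supplied length and the destination size. A missing check inside copy_dst_trusting_sa_len is only a bug if some caller skips validate_sockaddr.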
[Tweet unavailable]
No worries man, it happens all the time. It's just good to make sure you're sure something is exploitable before you announce it. Usually when you think you found a bug you should assume you're wrong and try to prove otherwise. Good luck! :)