Four Remote Packet-of-Death Vulnerabilities In The Linux Kernel

Written by Michael Larabel in Linux Kernel on 13 May 2015 at 04:45 PM EDT.
The major VENOM security vulnerability was made public just this morning, and a few hours later a kernel developer went public with four "remote packet of death" vulnerabilities affecting a mainline Linux kernel WLAN driver.

Jason Donenfeld has discovered four remote packet-of-death vulnerabilities whereby attackers could send specially crafted packets over the network to a machine using the OZWPAN kernel driver and cause some issues. Donenfeld explained in his public announcement, "The ozwpan driver accepts network packets, parses them, and converts them into various USB functionality. There are numerous security vulnerabilities in the handling of these packets. Two of them result in a memcpy(kernel_buffer, network_packet, -length), one of them is a divide-by-zero, and one of them is a loop that decrements -1 until it's zero."

Jason has published proof-of-concept code that produces these packets of death remotely. Besides the four vulnerabilities noted today, he also mentioned that there are other vulnerabilities in this driver worth investigating. Patches addressing the four "PoD" issues are now public but have yet to be mainlined.
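The three bug classes in Donenfeld's description all come from trusting packet-supplied lengths and counts. The following is an added illustration, not the ozwpan code or its patches: the 4-byte header layout, function names and sample packets are hypothetical and constructed for this example.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HDR_LEN 4u   /* hypothetical header: total_len, count, unit, reserved */

/* Constructed sample packets (not captured traffic, not the ozwpan format). */
static const uint8_t PKT_OK[]         = {8, 2, 2, 0, 'a', 'b', 'c', 'd'};
static const uint8_t PKT_SHORT_LEN[]  = {3, 1, 1, 0};              /* total_len < header */
static const uint8_t PKT_ZERO_UNIT[]  = {8, 2, 0, 0, 1, 2, 3, 4};  /* divisor of zero */
static const uint8_t PKT_ZERO_COUNT[] = {8, 0, 2, 0, 1, 2, 3, 4};  /* count - 1 == -1 */
static uint8_t DST[64];                                            /* copy destination */

/* What an unchecked "total_len - header" turns into as a memcpy size. */
size_t unchecked_copy_len(uint8_t total_len)
{
    int len = (int)total_len - (int)HDR_LEN;  /* negative for short packets */
    return (size_t)len;                       /* -1 converts to SIZE_MAX */
}

/* Starting value of n in "for (n = count - 1; n != 0; n--)" with unsigned n. */
unsigned unchecked_loop_start(uint8_t count)
{
    return (unsigned)((int)count - 1);        /* count 0 wraps to UINT_MAX */
}

/* Hardened parse: payload bytes copied, or -1 when the packet is rejected. */
int parse_checked(const uint8_t *pkt, size_t pkt_len, uint8_t *dst, size_t dst_len)
{
    if (pkt_len < HDR_LEN) return -1;                    /* no room for a header */
    size_t total = pkt[0];
    uint8_t count = pkt[1], unit = pkt[2];
    if (total < HDR_LEN || total > pkt_len) return -1;   /* underflow / over-read */
    size_t payload = total - HDR_LEN;                    /* cannot go negative now */
    if (payload > dst_len) return -1;                    /* destination too small */
    if (unit == 0) return -1;                            /* payload / unit would trap */
    if (count == 0 || count > payload / unit) return -1; /* bounded, non-wrapping loop */
    memcpy(dst, pkt + HDR_LEN, payload);
    return (int)payload;
}

int main(void)
{
    printf("unchecked size=%zu loop start=%u\n", unchecked_copy_len(3), unchecked_loop_start(0));
    printf("ok=%d short=%d unit0=%d count0=%d\n",
           parse_checked(PKT_OK, sizeof PKT_OK, DST, sizeof DST),
           parse_checked(PKT_SHORT_LEN, sizeof PKT_SHORT_LEN, DST, sizeof DST),
           parse_checked(PKT_ZERO_UNIT, sizeof PKT_ZERO_UNIT, DST, sizeof DST),
           parse_checked(PKT_ZERO_COUNT, sizeof PKT_ZERO_COUNT, DST, sizeof DST));
    return 0;
}
```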

Details on these driver vulnerabilities can be found via this kernel mailing list post. OZWPAN is a USB HCD driver that uses WiFi to communicate with wireless peripherals.
This driver is a USB HCD driver that does not have an associated physical device but instead uses Wi-Fi to communicate with the wireless peripheral. The USB requests are converted into a layer 2 network protocol and transmitted on the network using an ethertype (0x892e) registered to Ozmo Device Inc. This driver is compatible with existing wireless devices that use Ozmo Devices technology.

The devices connect to the host using Wi-Fi Direct, so a network card that supports Wi-Fi Direct is required. A recent version (0.8.x or later) of the wpa_supplicant can be used to set up the network interface to create a persistent autonomous group (for older pre-WFD peripherals) or put it in a listen state to allow group negotiation to occur for more recent devices that support WFD.

The protocol used over the network does not directly mimic the USB bus transactions as this would be rather busy and inefficient. Instead the chapter 9 requests are converted into a request/response pair of messages.