Four Remote Packet-of-Death Vulnerabilities In The Linux Kernel
Written by Michael Larabel in Linux Kernel on 13 May 2015 at 04:45 PM EDT. 5 Comments
LINUX KERNEL --
Just this morning the major VENOM security vulnerability was made public while a few hours later, a kernel developer has gone public with four "remote packet of death" vulnerabilities affecting a mainline Linux kernel WLAN driver.

Jason Donenfeld has discovered four remote packet-of-death vulnerabilities whereby attackers could send specially crafted packets to a machine using the OZWPAN kernel driver over the network and cause some issues. Donenfeld explained in his public announcement, "The ozwpan driver accepts network packets, parses them, and converts them into various USB functionality. There are numerous security vulnerabilities in the handling of these packets. Two of them result in a memcpy(kernel_buffer, network_packet, -length), one of them is a divide-by-zero, and one of them is a loop that decrements -1 until it's zero."

Jason has published proof-of-concept code for making these packets of death remotely. Besides the four vulnerabilities noted today, he's also mentioned there's other vulnerabilities in this driver that are worth investigating. The patches are now public for addressing the four "PoD" issues but have yet to be mainlined.

Details on these driver vulnerabilities can be found via this kernel mailing list post. OZWPAN is a USB HCD driver that uses WiFi to communicate with wireless peripherals.
This driver is a USB HCD driver that does not have an associated a physical device but instead uses Wi-Fi to communicate with the wireless peripheral. The USB requests are converted into a layer 2 network protocol and transmitted on the network using an ethertype (0x892e) registered to Ozmo Device Inc. This driver is compatible with existing wireless devices that use Ozmo Devices technology.

The devices connect to the host use Wi-Fi Direct so a network card that supports Wi-Fi direct is required. A recent version (0.8.x or later) version of the wpa_supplicant can be used to setup the network interface to create a persistent autonomous group (for older pre-WFD peripherals) or put in a listen state to allow group negotiation to occur for more recent devices that support WFD.

The protocol used over the network does not directly mimic the USB bus transactions as this would be rather busy and inefficient. Instead the chapter 9 requests are converted into a request/response pair of messages.
About The Author
Author picture

Michael Larabel is the principal author of Phoronix.com and founded the site in 2004 with a focus on enriching the Linux hardware experience. Michael has written more than 10,000 articles covering the state of Linux hardware support, Linux performance, graphics drivers, and other topics. Michael is also the lead developer of the Phoronix Test Suite, Phoromatic, and OpenBenchmarking.org automated benchmarking software. He can be followed via Twitter or contacted via MichaelLarabel.com.

Related Linux Kernel News
Popular News This Week