Vulnerability in F2FS File System Leads To Memory Corruption on Android, Linux

August’s Android Security Bulletin includes three file system vulnerabilities (CVE-2017-10663, CVE-2017-10662, and CVE-2017-0750) that were discovered by Trend Micro researchers. These vulnerabilities could cause memory corruption on the affected devices, leading to code execution in the kernel context. This would allow for more data to be accessed and controlled by the malware. A malicious app could be used to trigger this vulnerability, which occurs when a malicious disk using the F2FS (Flash-Friendly File System) is mounted. The disk can either be an actual physical device or a virtual file image.

F2FS is a file system optimized for usage in devices with NAND memory. Any device that can mount an F2FS file system is potentially at risk. On Android devices, the risk is primarily from devices that ship with F2FS support because it’s the default file system used for their data partition. Affected devices include those from Motorola, Huawei, and OnePlus, putting millions of users at risk. In order for this exploit to run, a privileged process with mount permission must be compromised beforehand.

The problem for Linux may even be worse. Linux systems have supported F2FS since version 3.8 of the kernel was released in February 2013. Any Linux device with a kernel newer than this date is potentially at risk. However, not all distributions have enabled F2FS support by default. Systems where USB devices are set up to be automatically mounted upon insertion are most at risk, as this would mean simply inserting a malicious F2FS device would allow the exploit to work.

Technical Details

The vulnerabilities lie in F2FS system structure parsing. On vulnerable systems, mounting a malicious disk or local file image with the losetup command causes memory corruption that can cause code execution in the kernel space. All three vulnerabilities could lead to an out of boundary write, which could eventually be used to execute arbitrary code.

The first vulnerability (CVE-2017-10663) is due to the absence of a buffer boundary check in the appropriate source code:

__set_sit_entry_type(sbi, type, curseg->segno, modified);

The curseg->segno call can be malformed so that it will have a value that triggers an out of boundary write.

The second vulnerability (CVE-2017-10662) is an integer overflow:

sit_i->sentries = vzalloc(MAIN_SEGS(sbi) * sizeof(struct seg_entry));

On a 32-bit system, MAIN_SEGS(sbi) * sizeof(struct seg_entry) may overflow the 32-bit unsigned integer, allocating a buffer size that smaller than needed. A write on the buffer will then trigger an out of boundary write.

The third vulnerability (CVE-2017-0750) is also caused by the absence of a buffer boundary check. The issue was fixed in Linux kernel 4.4.73 by adding a sanity check, as shown below:

/* check log blocks per segment */
if (le32_to_cpu(raw_super->log_blocks_per_seg) != 9) {
f2fs_msg(sb, KERN_INFO,
“Invalid log blocks per segment (%u)\n”,
le32_to_cpu(raw_super->log_blocks_per_seg));
return 1;
}

However, most Android devices are behind this version, and the equivalent code leaves open the possibility of an out of boundary write:

last_offset = sbi->blocks_per_seg;
addr = START_BLOCK(sbi, segno);
sum_entry = &sum->entries[0];
for (i = 0; !err && i < last_offset; i += nrpages, addr += nrpages) {
nrpages = min(last_offset – i, bio_blocks);
/* readahead node pages */
nrpages = ra_sum_pages(sbi, pages, addr, nrpages);

Best Practices

For desktop or server users, upgrading to the latest version of the Linux kernel fixes these vulnerabilities. Administrators can choose to recompile the kernel themselves or wait for the developer of their preferred Linux distribution to release an update. We also urge users to be careful when mounting sources in the F2FS format.

For mobile users, the risk is primarily for users of phones that use F2FS as the default filesystem. Users should be especially careful when downloading mobile apps on these devices, as a virtual disk could be embedded into these apps and serve as an infection vector. Trend Micro Mobile Security (TMMS) also detects any apps encountered using these vulnerabilities.

Post from: Trendlabs Security Intelligence Blog – by Trend Micro

Vulnerability in F2FS File System Leads To Memory Corruption on Android, Linux