diff options
author | Josh Boyer <jwboyer@fedoraproject.org> | 2014-05-12 08:44:41 -0400 |
---|---|---|
committer | Josh Boyer <jwboyer@fedoraproject.org> | 2014-05-12 08:44:41 -0400 |
commit | 8eb39ff3b7acccb96e6548b03dda3b7dbe898cac (patch) | |
tree | 44300c6a183e93da321cca05c1192c4f7f5e9d03 | |
parent | c43ef0a65c57fce9540ce4fe46e966811c077469 (diff) | |
download | kernel-8eb39ff3b7acccb96e6548b03dda3b7dbe898cac.tar.gz kernel-8eb39ff3b7acccb96e6548b03dda3b7dbe898cac.tar.xz kernel-8eb39ff3b7acccb96e6548b03dda3b7dbe898cac.zip |
CVE-2014-3144/CVE-2014-3145 filter: prevent nla from peeking beyond eom (rhbz 1096775, 1096784)
-rw-r--r-- | filter-prevent-nla-extensions-to-peek-beyond-the-end.patch | 98 | ||||
-rw-r--r-- | kernel.spec | 9 |
2 files changed, 107 insertions, 0 deletions
diff --git a/filter-prevent-nla-extensions-to-peek-beyond-the-end.patch b/filter-prevent-nla-extensions-to-peek-beyond-the-end.patch new file mode 100644 index 00000000..1aec648f --- /dev/null +++ b/filter-prevent-nla-extensions-to-peek-beyond-the-end.patch @@ -0,0 +1,98 @@ +Bugzilla: 1096784 +Upstream-status: 3.15 + +From 0e1e9b265ec6c9b69ba5443e0d11aaa9a92ded53 Mon Sep 17 00:00:00 2001 +From: Mathias Krause <minipli@googlemail.com> +Date: Sun, 13 Apr 2014 18:23:33 +0200 +Subject: [PATCH] filter: prevent nla extensions to peek beyond the end of the + message + +Upstream commit 05ab8f2647e4221cbdb3856dd7d32bd5407316b3 + +The BPF_S_ANC_NLATTR and BPF_S_ANC_NLATTR_NEST extensions fail to check +for a minimal message length before testing the supplied offset to be +within the bounds of the message. This allows the subtraction of the nla +header to underflow and therefore -- as the data type is unsigned -- +allowing far to big offset and length values for the search of the +netlink attribute. + +The remainder calculation for the BPF_S_ANC_NLATTR_NEST extension is +also wrong. It has the minuend and subtrahend mixed up, therefore +calculates a huge length value, allowing to overrun the end of the +message while looking for the netlink attribute. + +The following three BPF snippets will trigger the bugs when attached to +a UNIX datagram socket and parsing a message with length 1, 2 or 3. + + ,-[ PoC for missing size check in BPF_S_ANC_NLATTR ]-- + | ld #0x87654321 + | ldx #42 + | ld #nla + | ret a + `--- + + ,-[ PoC for the same bug in BPF_S_ANC_NLATTR_NEST ]-- + | ld #0x87654321 + | ldx #42 + | ld #nlan + | ret a + `--- + + ,-[ PoC for wrong remainder calculation in BPF_S_ANC_NLATTR_NEST ]-- + | ; (needs a fake netlink header at offset 0) + | ld #0 + | ldx #42 + | ld #nlan + | ret a + `--- + +Fix the first issue by ensuring the message length fulfills the minimal +size constrains of a nla header. Fix the second bug by getting the math +for the remainder calculation right. + +Fixes: 4738c1db15 ("[SKFILTER]: Add SKF_ADF_NLATTR instruction") +Fixes: d214c7537b ("filter: add SKF_AD_NLATTR_NEST to look for nested..") +Cc: Patrick McHardy <kaber@trash.net> +Cc: Pablo Neira Ayuso <pablo@netfilter.org> +Signed-off-by: Mathias Krause <minipli@googlemail.com> +Acked-by: Daniel Borkmann <dborkman@redhat.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +--- + net/core/filter.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/net/core/filter.c b/net/core/filter.c +index ad30d626a5bd..7be35b5fc22f 100644 +--- a/net/core/filter.c ++++ b/net/core/filter.c +@@ -355,6 +355,10 @@ load_b: + + if (skb_is_nonlinear(skb)) + return 0; ++ ++ if (skb->len < sizeof(struct nlattr)) ++ return 0; ++ + if (A > skb->len - sizeof(struct nlattr)) + return 0; + +@@ -371,11 +375,15 @@ load_b: + + if (skb_is_nonlinear(skb)) + return 0; ++ ++ if (skb->len < sizeof(struct nlattr)) ++ return 0; ++ + if (A > skb->len - sizeof(struct nlattr)) + return 0; + + nla = (struct nlattr *)&skb->data[A]; +- if (nla->nla_len > A - skb->len) ++ if (nla->nla_len > skb->len - A) + return 0; + + nla = nla_find_nested(nla, X); +-- +1.9.0 + diff --git a/kernel.spec b/kernel.spec index 355659cd..bc76043a 100644 --- a/kernel.spec +++ b/kernel.spec @@ -794,6 +794,9 @@ Patch25087: jme-fix-dma-unmap-error.patch Patch25088: floppy-ignore-kernel-only-members-in-fdrawcmd-ioctl-input.patch Patch25089: floppy-don-t-write-kernel-only-members-to-fdrawcmd-ioctl-output.patch +# CVE-2014-3144 CVE-2014-3145 rhbz 1096775, 1096784 +Patch25090: filter-prevent-nla-extensions-to-peek-beyond-the-end.patch + # END OF PATCH DEFINITIONS %endif @@ -1541,6 +1544,9 @@ ApplyPatch jme-fix-dma-unmap-error.patch ApplyPatch floppy-ignore-kernel-only-members-in-fdrawcmd-ioctl-input.patch ApplyPatch floppy-don-t-write-kernel-only-members-to-fdrawcmd-ioctl-output.patch +# CVE-2014-3144 CVE-2014-3145 rhbz 1096775, 1096784 +ApplyPatch filter-prevent-nla-extensions-to-peek-beyond-the-end.patch + # END OF PATCH APPLICATIONS %endif @@ -2352,6 +2358,9 @@ fi # ||----w | # || || %changelog +* Mon May 12 2014 Josh Boyer <jwboyer@fedoraproject.org> +- CVE-2014-3144/CVE-2014-3145 filter: prevent nla from peeking beyond eom (rhbz 1096775, 1096784) + * Fri May 09 2014 Josh Boyer <jwboyer@fedoraproject.org> - CVE-2014-1738 CVE-2014-1737 floppy: priv esclation (rhbz 1094299 1096195) |