CVE-2014-3144/CVE-2014-3145 filter: prevent nla from peeking beyond eom (rhbz 1096775, 1096784)

2 files changed, 107 insertions, 0 deletions

diff --git a/filter-prevent-nla-extensions-to-peek-beyond-the-end.patch b/filter-prevent-nla-extensions-to-peek-beyond-the-end.patch
new file mode 100644
index 00000000..1aec648f
--- /dev/null
+++ b/filter-prevent-nla-extensions-to-peek-beyond-the-end.patch
@@ -0,0 +1,98 @@
+Bugzilla: 1096784
+Upstream-status: 3.15
+
+From 0e1e9b265ec6c9b69ba5443e0d11aaa9a92ded53 Mon Sep 17 00:00:00 2001
+From: Mathias Krause <minipli@googlemail.com>
+Date: Sun, 13 Apr 2014 18:23:33 +0200
+Subject: [PATCH] filter: prevent nla extensions to peek beyond the end of the
+ message
+
+Upstream commit 05ab8f2647e4221cbdb3856dd7d32bd5407316b3
+
+The BPF_S_ANC_NLATTR and BPF_S_ANC_NLATTR_NEST extensions fail to check
+for a minimal message length before testing the supplied offset to be
+within the bounds of the message. This allows the subtraction of the nla
+header to underflow and therefore -- as the data type is unsigned --
+allowing far to big offset and length values for the search of the
+netlink attribute.
+
+The remainder calculation for the BPF_S_ANC_NLATTR_NEST extension is
+also wrong. It has the minuend and subtrahend mixed up, therefore
+calculates a huge length value, allowing to overrun the end of the
+message while looking for the netlink attribute.
+
+The following three BPF snippets will trigger the bugs when attached to
+a UNIX datagram socket and parsing a message with length 1, 2 or 3.
+
+ ,-[ PoC for missing size check in BPF_S_ANC_NLATTR ]--
+ | ld	#0x87654321
+ | ldx	#42
+ | ld	#nla
+ | ret	a
+ `---
+
+ ,-[ PoC for the same bug in BPF_S_ANC_NLATTR_NEST ]--
+ | ld	#0x87654321
+ | ldx	#42
+ | ld	#nlan
+ | ret	a
+ `---
+
+ ,-[ PoC for wrong remainder calculation in BPF_S_ANC_NLATTR_NEST ]--
+ | ; (needs a fake netlink header at offset 0)
+ | ld	#0
+ | ldx	#42
+ | ld	#nlan
+ | ret	a
+ `---
+
+Fix the first issue by ensuring the message length fulfills the minimal
+size constrains of a nla header. Fix the second bug by getting the math
+for the remainder calculation right.
+
+Fixes: 4738c1db15 ("[SKFILTER]: Add SKF_ADF_NLATTR instruction")
+Fixes: d214c7537b ("filter: add SKF_AD_NLATTR_NEST to look for nested..")
+Cc: Patrick McHardy <kaber@trash.net>
+Cc: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Mathias Krause <minipli@googlemail.com>
+Acked-by: Daniel Borkmann <dborkman@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+ net/core/filter.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/net/core/filter.c b/net/core/filter.c
+index ad30d626a5bd..7be35b5fc22f 100644
+--- a/net/core/filter.c
++++ b/net/core/filter.c
+@@ -355,6 +355,10 @@ load_b:
+ 
+ 			if (skb_is_nonlinear(skb))
+ 				return 0;
++			
++			if (skb->len < sizeof(struct nlattr))
++				return 0;
++
+ 			if (A > skb->len - sizeof(struct nlattr))
+ 				return 0;
+ 
+@@ -371,11 +375,15 @@ load_b:
+ 
+ 			if (skb_is_nonlinear(skb))
+ 				return 0;
++
++			if (skb->len < sizeof(struct nlattr))
++				return 0;
++
+ 			if (A > skb->len - sizeof(struct nlattr))
+ 				return 0;
+ 
+ 			nla = (struct nlattr *)&skb->data[A];
+-			if (nla->nla_len > A - skb->len)
++			if (nla->nla_len > skb->len - A)
+ 				return 0;
+ 
+ 			nla = nla_find_nested(nla, X);
+-- 
+1.9.0
+
diff --git a/kernel.spec b/kernel.spec
index 355659cd..bc76043a 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -794,6 +794,9 @@ Patch25087: jme-fix-dma-unmap-error.patch
 Patch25088: floppy-ignore-kernel-only-members-in-fdrawcmd-ioctl-input.patch
 Patch25089: floppy-don-t-write-kernel-only-members-to-fdrawcmd-ioctl-output.patch
 
+# CVE-2014-3144 CVE-2014-3145 rhbz 1096775, 1096784
+Patch25090: filter-prevent-nla-extensions-to-peek-beyond-the-end.patch
+
 # END OF PATCH DEFINITIONS
 
 %endif
@@ -1541,6 +1544,9 @@ ApplyPatch jme-fix-dma-unmap-error.patch
 ApplyPatch floppy-ignore-kernel-only-members-in-fdrawcmd-ioctl-input.patch
 ApplyPatch floppy-don-t-write-kernel-only-members-to-fdrawcmd-ioctl-output.patch
 
+# CVE-2014-3144 CVE-2014-3145 rhbz 1096775, 1096784
+ApplyPatch filter-prevent-nla-extensions-to-peek-beyond-the-end.patch
+
 # END OF PATCH APPLICATIONS
 
 %endif
@@ -2352,6 +2358,9 @@ fi
 #                 ||----w |
 #                 ||     ||
 %changelog
+* Mon May 12 2014 Josh Boyer <jwboyer@fedoraproject.org>
+- CVE-2014-3144/CVE-2014-3145 filter: prevent nla from peeking beyond eom (rhbz 1096775, 1096784)
+
 * Fri May 09 2014 Josh Boyer <jwboyer@fedoraproject.org>
 - CVE-2014-1738 CVE-2014-1737 floppy: priv esclation (rhbz 1094299 1096195)