diff options
author | Kyle McMartin <kyle@mcmartin.ca> | 2010-11-23 11:17:52 -0500 |
---|---|---|
committer | Kyle McMartin <kyle@mcmartin.ca> | 2010-11-23 11:17:52 -0500 |
commit | 5b55060789f8bf05abf0e76d528058aceddd7e8e (patch) | |
tree | 22021046ef919020931e8b48f503ce5c5d39ee8d | |
parent | 4249c07209b3560be4acfee9daa7856da8d575a1 (diff) | |
download | dom0-kernel-5b55060789f8bf05abf0e76d528058aceddd7e8e.tar.gz dom0-kernel-5b55060789f8bf05abf0e76d528058aceddd7e8e.tar.xz dom0-kernel-5b55060789f8bf05abf0e76d528058aceddd7e8e.zip |
fix logic error in INET_DIAG bytecode auditing (CVE-2010-3880)
-rw-r--r-- | inet_diag-make-sure-we-run-the-same-bytecode-we-audited.patch | 105 | ||||
-rw-r--r-- | kernel.spec | 6 |
2 files changed, 111 insertions, 0 deletions
diff --git a/inet_diag-make-sure-we-run-the-same-bytecode-we-audited.patch b/inet_diag-make-sure-we-run-the-same-bytecode-we-audited.patch new file mode 100644 index 0000000..3a2703c --- /dev/null +++ b/inet_diag-make-sure-we-run-the-same-bytecode-we-audited.patch @@ -0,0 +1,105 @@ +From 9c6594941166d85bbf7f3bb4a79d01cb3d572eac Mon Sep 17 00:00:00 2001 +From: Nelson Elhage <nelhage@ksplice.com> +Date: Wed, 3 Nov 2010 16:35:41 +0000 +Subject: inet_diag: Make sure we actually run the same bytecode we audited. + +We were using nlmsg_find_attr() to look up the bytecode by attribute when +auditing, but then just using the first attribute when actually running +bytecode. So, if we received a message with two attribute elements, where only +the second had type INET_DIAG_REQ_BYTECODE, we would validate and run different +bytecode strings. + +Fix this by consistently using nlmsg_find_attr everywhere. + +Signed-off-by: Nelson Elhage <nelhage@ksplice.com> +Signed-off-by: Thomas Graf <tgraf@infradead.org> +Signed-off-by: David S. Miller <davem@davemloft.net> +--- + net/ipv4/inet_diag.c | 27 ++++++++++++++++----------- + 1 files changed, 16 insertions(+), 11 deletions(-) + +diff --git a/net/ipv4/inet_diag.c b/net/ipv4/inet_diag.c +index a706a47..6fe360f 100644 +--- a/net/ipv4/inet_diag.c ++++ b/net/ipv4/inet_diag.c +@@ -489,9 +489,11 @@ static int inet_csk_diag_dump(struct sock *sk, + { + struct inet_diag_req *r = NLMSG_DATA(cb->nlh); + +- if (cb->nlh->nlmsg_len > 4 + NLMSG_SPACE(sizeof(*r))) { ++ if (nlmsg_attrlen(cb->nlh, sizeof(*r))) { + struct inet_diag_entry entry; +- struct rtattr *bc = (struct rtattr *)(r + 1); ++ const struct nlattr *bc = nlmsg_find_attr(cb->nlh, ++ sizeof(*r), ++ INET_DIAG_REQ_BYTECODE); + struct inet_sock *inet = inet_sk(sk); + + entry.family = sk->sk_family; +@@ -511,7 +513,7 @@ static int inet_csk_diag_dump(struct sock *sk, + entry.dport = ntohs(inet->dport); + entry.userlocks = sk->sk_userlocks; + +- if (!inet_diag_bc_run(RTA_DATA(bc), RTA_PAYLOAD(bc), &entry)) ++ if (!inet_diag_bc_run(nla_data(bc), nla_len(bc), &entry)) + return 0; + } + +@@ -526,9 +528,11 @@ static int inet_twsk_diag_dump(struct inet_timewait_sock *tw, + { + struct inet_diag_req *r = NLMSG_DATA(cb->nlh); + +- if (cb->nlh->nlmsg_len > 4 + NLMSG_SPACE(sizeof(*r))) { ++ if (nlmsg_attrlen(cb->nlh, sizeof(*r))) { + struct inet_diag_entry entry; +- struct rtattr *bc = (struct rtattr *)(r + 1); ++ const struct nlattr *bc = nlmsg_find_attr(cb->nlh, ++ sizeof(*r), ++ INET_DIAG_REQ_BYTECODE); + + entry.family = tw->tw_family; + #if defined(CONFIG_IPV6) || defined (CONFIG_IPV6_MODULE) +@@ -547,7 +551,7 @@ static int inet_twsk_diag_dump(struct inet_timewait_sock *tw, + entry.dport = ntohs(tw->tw_dport); + entry.userlocks = 0; + +- if (!inet_diag_bc_run(RTA_DATA(bc), RTA_PAYLOAD(bc), &entry)) ++ if (!inet_diag_bc_run(nla_data(bc), nla_len(bc), &entry)) + return 0; + } + +@@ -617,7 +621,7 @@ static int inet_diag_dump_reqs(struct sk_buff *skb, struct sock *sk, + struct inet_diag_req *r = NLMSG_DATA(cb->nlh); + struct inet_connection_sock *icsk = inet_csk(sk); + struct listen_sock *lopt; +- struct rtattr *bc = NULL; ++ const struct nlattr *bc = NULL; + struct inet_sock *inet = inet_sk(sk); + int j, s_j; + int reqnum, s_reqnum; +@@ -637,8 +641,9 @@ static int inet_diag_dump_reqs(struct sk_buff *skb, struct sock *sk, + if (!lopt || !lopt->qlen) + goto out; + +- if (cb->nlh->nlmsg_len > 4 + NLMSG_SPACE(sizeof(*r))) { +- bc = (struct rtattr *)(r + 1); ++ if (nlmsg_attrlen(cb->nlh, sizeof(*r))) { ++ bc = nlmsg_find_attr(cb->nlh, sizeof(*r), ++ INET_DIAG_REQ_BYTECODE); + entry.sport = inet->num; + entry.userlocks = sk->sk_userlocks; + } +@@ -671,8 +676,8 @@ static int inet_diag_dump_reqs(struct sk_buff *skb, struct sock *sk, + &ireq->rmt_addr; + entry.dport = ntohs(ireq->rmt_port); + +- if (!inet_diag_bc_run(RTA_DATA(bc), +- RTA_PAYLOAD(bc), &entry)) ++ if (!inet_diag_bc_run(nla_data(bc), ++ nla_len(bc), &entry)) + continue; + } + +-- +1.7.3.2 + diff --git a/kernel.spec b/kernel.spec index 3913f37..5ee7c55 100644 --- a/kernel.spec +++ b/kernel.spec @@ -838,6 +838,8 @@ Patch14226: add-support-for-ricoh-e822-sdhci.patch Patch14300: ipc-zero-struct-memory-for-compat-fns.patch Patch14301: ipc-shm-fix-information-leak-to-user.patch +Patch14302: inet_diag-make-sure-we-run-the-same-bytecode-we-audited.patch + # ============================================================================== %endif @@ -1546,6 +1548,9 @@ ApplyPatch ipc-zero-struct-memory-for-compat-fns.patch # rhbz#648656 (CVE-2010-4072) ApplyPatch ipc-shm-fix-information-leak-to-user.patch +# rhbz#651264 (CVE-2010-3880) +ApplyPatch inet_diag-make-sure-we-run-the-same-bytecode-we-audited.patch + # END OF PATCH APPLICATIONS ==================================================== %endif @@ -2201,6 +2206,7 @@ fi * Tue Nov 23 2010 Kyle McMartin <kyle@redhat.com> - zero struct memory in ipc compat (CVE-2010-4073) (#648658) - zero struct memory in ipc shm (CVE-2010-4072) (#648656) +- fix logic error in INET_DIAG bytecode auditing (CVE-2010-3880) (#651264) * Mon Nov 22 2010 Kyle McMartin <kyle@redhat.com> 2.6.32.26-174 - Linux 2.6.32.26 |