1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
|
Path: news.gmane.org!not-for-mail
From: Mathias Krause <minipli@googlemail.com>
Newsgroups: gmane.linux.network
Subject: [PATCH 1/2] sock_diag: Fix out-of-bounds access to sock_diag_handlers[]
Date: Sat, 23 Feb 2013 12:13:47 +0100
Lines: 28
Approved: news@gmane.org
Message-ID: <1361618028-9024-2-git-send-email-minipli@googlemail.com>
References: <1361618028-9024-1-git-send-email-minipli@googlemail.com>
NNTP-Posting-Host: plane.gmane.org
X-Trace: ger.gmane.org 1361618069 2156 80.91.229.3 (23 Feb 2013 11:14:29 GMT)
X-Complaints-To: usenet@ger.gmane.org
NNTP-Posting-Date: Sat, 23 Feb 2013 11:14:29 +0000 (UTC)
Cc: netdev@vger.kernel.org, Mathias Krause <minipli@googlemail.com>
To: "David S. Miller" <davem@davemloft.net>
Original-X-From: netdev-owner@vger.kernel.org Sat Feb 23 12:14:49 2013
Return-path: <netdev-owner@vger.kernel.org>
Envelope-to: linux-netdev-2@plane.gmane.org
Original-Received: from vger.kernel.org ([209.132.180.67])
by plane.gmane.org with esmtp (Exim 4.69)
(envelope-from <netdev-owner@vger.kernel.org>)
id 1U9D3z-0003H8-6Z
for linux-netdev-2@plane.gmane.org; Sat, 23 Feb 2013 12:14:43 +0100
Original-Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
id S1757811Ab3BWLOQ (ORCPT <rfc822;linux-netdev-2@m.gmane.org>);
Sat, 23 Feb 2013 06:14:16 -0500
Original-Received: from mail-bk0-f53.google.com ([209.85.214.53]:46309 "EHLO
mail-bk0-f53.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
with ESMTP id S1757044Ab3BWLOM (ORCPT
<rfc822;netdev@vger.kernel.org>); Sat, 23 Feb 2013 06:14:12 -0500
Original-Received: by mail-bk0-f53.google.com with SMTP id j10so635828bkw.40
for <netdev@vger.kernel.org>; Sat, 23 Feb 2013 03:14:11 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=googlemail.com; s=20120113;
h=x-received:from:to:cc:subject:date:message-id:x-mailer:in-reply-to
:references;
bh=NM4oEi0qkLdUhxSK1IKpg60DjwOeNtHa0EKsIVngex0=;
b=xdMKHhwMk8BGqDXVGVKf/KcWjSwJajtfpzPDCVugS7vLJh2HtrJnhKiBOUta3XNtTK
ibjB4FQuAenC9ZjXfuEPdo4ct1CIQC2xN2sW/VmeqhYip/xDJ/csVRnX/BxNYWDTFkHo
Uva0peiyrsvR1W0oTeqNLQ1fYIm4f1UwYHzhouschB9mlYHfrCDQFuI7TDfOTUNN1lmY
D5T4vV1aWKsxHx1OYFSRS3aUo3l0Tyzx0zeSPJH+aL3mrhoBDc84RtjsmRafY7RiEXi8
ropiUO1Q9ATcLZd1/2+L/ausYzkP7NiU16SdbkQWuZkP1J8nBK7n5pahlYnDcktklyGM
od5Q==
X-Received: by 10.204.149.196 with SMTP id u4mr2435753bkv.23.1361618051168;
Sat, 23 Feb 2013 03:14:11 -0800 (PST)
Original-Received: from jig.fritz.box (pD9EB2658.dip.t-dialin.net. [217.235.38.88])
by mx.google.com with ESMTPS id gy3sm1474145bkc.16.2013.02.23.03.14.09
(version=TLSv1.2 cipher=ECDHE-RSA-RC4-SHA bits=128/128);
Sat, 23 Feb 2013 03:14:10 -0800 (PST)
X-Mailer: git-send-email 1.7.10.4
In-Reply-To: <1361618028-9024-1-git-send-email-minipli@googlemail.com>
Original-Sender: netdev-owner@vger.kernel.org
Precedence: bulk
List-ID: <netdev.vger.kernel.org>
X-Mailing-List: netdev@vger.kernel.org
Xref: news.gmane.org gmane.linux.network:260061
Archived-At: <http://permalink.gmane.org/gmane.linux.network/260061>
Userland can send a netlink message requesting SOCK_DIAG_BY_FAMILY
with a family greater or equal then AF_MAX -- the array size of
sock_diag_handlers[]. The current code does not test for this
condition therefore is vulnerable to an out-of-bound access opening
doors for a privilege escalation.
Signed-off-by: Mathias Krause <minipli@googlemail.com>
---
net/core/sock_diag.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/net/core/sock_diag.c b/net/core/sock_diag.c
index 602cd63..750f44f 100644
--- a/net/core/sock_diag.c
+++ b/net/core/sock_diag.c
@@ -121,6 +121,9 @@ static int __sock_diag_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
if (nlmsg_len(nlh) < sizeof(*req))
return -EINVAL;
+ if (req->sdiag_family >= AF_MAX)
+ return -EINVAL;
+
hndl = sock_diag_lock_handler(req->sdiag_family);
if (hndl == NULL)
err = -ENOENT;
--
1.7.10.4
|
