korg/linux
0
0
Fork 0
mirror of https://mirrors.bfsu.edu.cn/git/linux.git synced 2024-11-12 05:48:39 +08:00
Code Issues Packages Projects Releases Wiki Activity
30f78d8ebf
linux/net/core
History
Mathias Krause 05ab8f2647 filter: prevent nla extensions to peek beyond the end of the message 
The BPF_S_ANC_NLATTR and BPF_S_ANC_NLATTR_NEST extensions fail to check
for a minimal message length before testing the supplied offset to be
within the bounds of the message. This allows the subtraction of the nla
header to underflow and therefore -- as the data type is unsigned --
allowing far to big offset and length values for the search of the
netlink attribute.

The remainder calculation for the BPF_S_ANC_NLATTR_NEST extension is
also wrong. It has the minuend and subtrahend mixed up, therefore
calculates a huge length value, allowing to overrun the end of the
message while looking for the netlink attribute.

The following three BPF snippets will trigger the bugs when attached to
a UNIX datagram socket and parsing a message with length 1, 2 or 3.

 ,-[ PoC for missing size check in BPF_S_ANC_NLATTR ]--
 | ld	#0x87654321
 | ldx	#42
 | ld	#nla
 | ret	a
 `---

 ,-[ PoC for the same bug in BPF_S_ANC_NLATTR_NEST ]--
 | ld	#0x87654321
 | ldx	#42
 | ld	#nlan
 | ret	a
 `---

 ,-[ PoC for wrong remainder calculation in BPF_S_ANC_NLATTR_NEST ]--
 | ; (needs a fake netlink header at offset 0)
 | ld	#0
 | ldx	#42
 | ld	#nlan
 | ret	a
 `---

Fix the first issue by ensuring the message length fulfills the minimal
size constrains of a nla header. Fix the second bug by getting the math
for the remainder calculation right.

Fixes: 4738c1db15 ("[SKFILTER]: Add SKF_ADF_NLATTR instruction")
Fixes: d214c7537b ("filter: add SKF_AD_NLATTR_NEST to look for nested..")
Cc: Patrick McHardy <kaber@trash.net>
Cc: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Mathias Krause <minipli@googlemail.com>
Acked-by: Daniel Borkmann <dborkman@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2014-04-13 23:31:55 -04:00
..
datagram.c net, datagram: fix the incorrect comment in zerocopy_sg_from_iovec() 2013-10-29 00:19:04 -04:00
dev_addr_lists.c net: Correctly sync addresses from multiple sources to single device 2014-01-23 13:06:34 -08:00
dev_ioctl.c net_tstamp: Add SIOCGHWTSTAMP ioctl to match SIOCSHWTSTAMP 2013-11-19 19:07:21 +00:00
dev.c netdev: remove potentially harmful checks 2014-04-07 15:52:07 -04:00
drop_monitor.c net: drop_monitor: fix the value of maxattr 2013-12-09 21:10:38 -05:00
dst.c net: pass info struct via netdevice notifier 2013-05-28 13:11:01 -07:00
ethtool.c net: add busy_poll device feature 2014-04-03 14:31:34 -04:00
fib_rules.c net: fix 'ip rule' iif/oif device rename 2014-02-09 19:02:52 -08:00
filter.c filter: prevent nla extensions to peek beyond the end of the message 2014-04-13 23:31:55 -04:00
flow_dissector.c net: Rename skb->rxhash to skb->hash 2014-03-26 15:58:20 -04:00
flow.c CPU hotplug notifiers registration fixes for 3.15-rc1 2014-04-07 14:55:46 -07:00
gen_estimator.c net_sched: add 64bit rate estimators 2013-06-11 02:51:03 -07:00
gen_stats.c net_sched: add 64bit rate estimators 2013-06-11 02:51:03 -07:00
iovec.c net: rework recvmsg handler msg_name and msg_namelen logic 2013-11-20 21:52:30 -05:00
link_watch.c net: make all team port device link events urgent 2013-06-13 02:31:41 -07:00
Makefile net: ptp: move PTP classifier in its own file 2014-04-01 16:43:18 -04:00
neighbour.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2014-03-05 20:32:02 -05:00
net_namespace.c userns: Kill nsown_capable it makes the wrong thing easy 2013-08-30 23:44:11 -07:00
net-procfs.c rps: selective flow shedding during softnet overflow 2013-05-20 13:48:04 -07:00
net-sysfs.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next 2014-04-02 20:53:45 -07:00
net-sysfs.h net: netdev_kobject_init: annotate with __init 2014-01-05 20:27:54 -05:00
net-traces.c net: Add export.h for EXPORT_SYMBOL/THIS_MODULE to non-modules 2011-10-31 19:30:30 -04:00
netclassid_cgroup.c cgroup: drop @skip_css from cgroup_taskset_for_each() 2014-02-13 06:58:41 -05:00
netevent.c net: Add export.h for EXPORT_SYMBOL/THIS_MODULE to non-modules 2011-10-31 19:30:30 -04:00
netpoll.c netpoll: Use skb_irq_freeable to make zap_completion_queue safe. 2014-04-01 17:53:36 -04:00
netprio_cgroup.c cgroup: drop const from @buffer of cftype->write_string() 2014-03-19 10:23:54 -04:00
pktgen.c pktgen: be friendly to LLTX devices 2014-04-12 01:59:38 -04:00
ptp_classifier.c net: ptp: move PTP classifier in its own file 2014-04-01 16:43:18 -04:00
request_sock.c net: remove unnecessary return's 2014-02-13 18:33:38 -05:00
rtnetlink.c net-sysfs: expose number of carrier on/off changes 2014-03-31 16:24:52 -04:00
scm.c Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace 2013-09-07 14:35:32 -07:00
secure_seq.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2013-10-23 16:49:34 -04:00
skbuff.c net: Fix use after free by removing length arg from sk_data_ready callbacks. 2014-04-11 16:15:36 -04:00
sock_diag.c net: filter: keep original BPF program around 2014-03-31 00:45:09 -04:00
sock.c net: Fix use after free by removing length arg from sk_data_ready callbacks. 2014-04-11 16:15:36 -04:00
stream.c net: replace macros net_random and net_srandom with direct calls to prandom 2014-01-14 15:15:25 -08:00
sysctl_net_core.c rps: NUMA flow limit allocations 2013-12-19 19:00:07 -05:00
timestamping.c net: ptp: move PTP classifier in its own file 2014-04-01 16:43:18 -04:00
user_dma.c net: Add export.h for EXPORT_SYMBOL/THIS_MODULE to non-modules 2011-10-31 19:30:30 -04:00
utils.c net: make net_get_random_once irq safe 2013-10-25 19:03:39 -04:00