[stable] Patch "bridge: netfilter: fix information leak" has been added to the 2.6.38-stable tree

Mon, 11 Apr 2011 14:48:09 -0700 

This is a note to let you know that I've just added the patch titled

    bridge: netfilter: fix information leak

to the 2.6.38-stable tree which can be found at:
    
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     bridge-netfilter-fix-information-leak.patch
and it can be found in the queue-2.6.38 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <[email protected]> know about it.


>From d846f71195d57b0bbb143382647c2c6638b04c5a Mon Sep 17 00:00:00 2001
From: Vasiliy Kulikov <[email protected]>
Date: Mon, 14 Feb 2011 16:49:23 +0100
Subject: bridge: netfilter: fix information leak

From: Vasiliy Kulikov <[email protected]>

commit d846f71195d57b0bbb143382647c2c6638b04c5a upstream.

Struct tmp is copied from userspace.  It is not checked whether the "name"
field is NULL terminated.  This may lead to buffer overflow and passing
contents of kernel stack as a module name to try_then_request_module() and,
consequently, to modprobe commandline.  It would be seen by all userspace
processes.

Signed-off-by: Vasiliy Kulikov <[email protected]>
Signed-off-by: Patrick McHardy <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
 net/bridge/netfilter/ebtables.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
@@ -1107,6 +1107,8 @@ static int do_replace(struct net *net, c
        if (tmp.num_counters >= INT_MAX / sizeof(struct ebt_counter))
                return -ENOMEM;
 
+       tmp.name[sizeof(tmp.name) - 1] = 0;
+
        countersize = COUNTER_OFFSET(tmp.nentries) * nr_cpu_ids;
        newinfo = vmalloc(sizeof(*newinfo) + countersize);
        if (!newinfo)


Patches currently in stable-queue which might be from [email protected] are

queue-2.6.38/bluetooth-bnep-fix-buffer-overflow.patch
queue-2.6.38/bridge-netfilter-fix-information-leak.patch
queue-2.6.38/bluetooth-sco-fix-information-leak-to-userspace.patch

_______________________________________________
stable mailing list
[email protected]
http://linux.kernel.org/mailman/listinfo/stable

Reply via email to